This chapter describes how to install and configure the Identity and Access Management database repositories.
This chapter contains the following topics:
Section 10.2, "Verifying the Database Requirements for an Enterprise Deployment"
Section 10.3, "Installing the Database for an Enterprise Deployment"
The Identity and Access Management components in the enterprise deployment use database repositories. This chapter describes how to perform the following steps:
Verify the database requirements as described in Section 10.2, "Verifying the Database Requirements for an Enterprise Deployment."
Install and configure the Oracle database repositories. See the installation guides listed in the "Related Documents" section of the Preface and Section 10.3, "Installing the Database for an Enterprise Deployment."
Create database services, as described in Section 10.4, "Creating Database Services."
Prepare the database for the Repository Creation Utility (RCU). See Section 11.2, "Creating an Oracle Identity and Access Management Software Repository."
Create the required Oracle schemas in the database using the Repository Creation Utility (RCU). See Section 10.5, "Loading the Identity and Access Management Schemas in the Oracle RAC Database by Using RCU."
Before loading the metadata repository into your databases, check that they meet the requirements described in these subsections:
Oracle Identity and Access Management data can be placed into one or more databases. Table 10-1 shows a single database accessed through multiple database services. If required, any of these services can later be pointed at a different database. Using separate database services from the start allows data to be segregated into different databases at a later date with minimal application configuration.
The Oracle Metadata Services (MDS) Repository is a particular type of repository that contains metadata for some Oracle Fusion Middleware components. It can also include custom Java EE applications developed by your organization.
For this release of IAM you must use a separate RCU schema prefix for each domain. This allows different products to use different databases if required.
Table 10-1 Mapping between Databases and Schemas

Database Name | Database Hosts | SCAN Address | Service Name | RCU Prefix | Schemas in Database
---|---|---|---|---|---
IAMDB | IAMDBHOST1, IAMDBHOST2 | IAMDBSCAN.mycompany.com | OAMEDG.mycompany.com | EDGIAD | OAM, IAU, MDS, OPSS
IAMDB | IAMDBHOST1, IAMDBHOST2 | IAMDBSCAN.mycompany.com | | EDGIGD | OIM, SOAINFRA, MDS, OPSS, ORASDPM
IAMDB | IAMDBHOST1, IAMDBHOST2 | IAMDBSCAN.mycompany.com | | EDGIAD | OAAM
The following sections apply to all the databases listed in Table 10-1.
The database used to store the metadata repository should be highly available in its own right. For maximum availability, Oracle recommends the use of an Oracle Real Application Clusters (RAC) database.
Ideally the database should use Oracle Automatic Storage Management (ASM) for the storage of data, however this is not necessary.
If using ASM, then ASM should be installed into its own Oracle home and have two disk groups:
One for the Database Files
One for the Flash Recovery Area
If you are using Oracle ASM, best practice is to also use Oracle Managed Files.
The Deployment Tools require that you have Oracle Database 11.2.0.0 or newer for Oracle RAC deployments.
To check if your database is certified or to see all certified databases, refer to the "Certified Databases" section in the Certification Document:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
To determine the version of your installed Oracle Database, execute the following query at the SQL prompt:
select version from sys.product_component_version where product like 'Oracle%';
If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 10259620. This is a prerequisite for installing the Oracle Identity Manager schemas.
Table 10-2 lists the patches required for Oracle Identity Manager configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.
Table 10-2 Required Patches for Oracle Database 11g (11.2.0.2.0)
Platform | Patch Number and Description on My Oracle Support |
---|---|
Linux x86 (32-bit) Linux x86 (64-bit) |
RDBMS Interim Patch#10259620. |
If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return empty result.
Note:
Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.
In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" at http://support.oracle.com for the workaround. This note can be followed to set the parameters accordingly, with the only exception that they need to be altered at the database instance level by using ALTER SYSTEM SET <param>=<value> SCOPE=MEMORY or SCOPE=BOTH.
The Oracle Database must meet some minimum requirements.
Character Set–The character set must be Unicode compliant, for example: AL32UTF8.
Database Options–The following database options must be installed into the database:
Oracle JVM
Oracle Text
Database Views–The following Database view must be created on the database:
XAVIEWS
Database Packages–The following Database package must exist in the database:
DBMS_SHARED_POOL
The databases must have the following minimum initialization parameters defined:
Table 10-3 Minimum Initialization Parameters for Oracle Databases
Parameter | Value |
---|---|
It is recommended that you set these parameters in the Database Configuration Assistant when creating the database. If you have not done this, you can adjust them after creation by using the ALTER SYSTEM command. For example:
sqlplus / as sysdba
alter system set aq_tm_processes=1 scope=spfile;
After making changes in the spfile, restart the database. For example:
srvctl stop database -d iamdb
srvctl start database -d iamdb
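Once the database is back up, the requirements in this section can be checked from a script rather than by hand. The following is an added example and not part of the Oracle guide: it sends one SQL*Plus script per database service and fails if the character set, the Oracle JVM and Oracle Text options, the XAVIEWS view, the DBMS_SHARED_POOL package or the aq_tm_processes parameter from the ALTER SYSTEM example above is missing. Two assumptions are not stated by the guide and are marked in the code: the XAVIEWS script creates the SYS.V$XATRANS$ view, and the DBA_REGISTRY component IDs for Oracle JVM and Oracle Text are JAVAVM and CONTEXT. The function names and the PREREQ_CONNECT variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: query a database for the
# prerequisites listed above and fail if any is missing.
# Assumptions not stated in the guide: the XAVIEWS script creates
# SYS.V$XATRANS$, and the DBA_REGISTRY comp_ids for Oracle JVM and
# Oracle Text are JAVAVM and CONTEXT. Run with SYSDBA access.

PREREQ_CONNECT="${PREREQ_CONNECT:-/ as sysdba}"

# SQL*Plus script that prints one "KEY VALUE" line per check.
prereq_sql() {
  cat <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF LINESIZE 200 TRIMSPOOL ON
SELECT 'CHARSET ' || value FROM nls_database_parameters
  WHERE parameter = 'NLS_CHARACTERSET';
SELECT 'OPTION_' || comp_id || ' ' || status FROM dba_registry
  WHERE comp_id IN ('JAVAVM', 'CONTEXT');
SELECT 'XAVIEW ' || status FROM dba_objects
  WHERE owner = 'SYS' AND object_name = 'V$XATRANS$' AND object_type = 'VIEW';
SELECT 'PKG_DBMS_SHARED_POOL ' || status FROM dba_objects
  WHERE owner = 'SYS' AND object_name = 'DBMS_SHARED_POOL' AND object_type = 'PACKAGE';
SELECT 'PARAM_' || UPPER(name) || ' ' || value FROM v$parameter
  WHERE name = 'aq_tm_processes';
EXIT
EOF
}

# Evaluate "KEY VALUE" lines passed in $1 (one per line). Prints each failed
# check and returns 1 if anything failed or a required key was not reported.
evaluate_prereqs() {
  rc=0
  seen=""
  while read -r key value; do
    [ -n "$key" ] || continue
    seen="$seen $key"
    case "$key" in
      CHARSET)
        case "$value" in
          AL32UTF8|UTF8) ;;
          *) echo "FAIL: character set $value is not Unicode"; rc=1 ;;
        esac ;;
      OPTION_JAVAVM|OPTION_CONTEXT|XAVIEW|PKG_DBMS_SHARED_POOL)
        [ "$value" = "VALID" ] || { echo "FAIL: $key status is $value"; rc=1; } ;;
      PARAM_AQ_TM_PROCESSES)
        [ "$value" -ge 1 ] 2>/dev/null || { echo "FAIL: aq_tm_processes is $value, expected >= 1"; rc=1; } ;;
    esac
  done <<EOF
$1
EOF
  for required in CHARSET OPTION_JAVAVM OPTION_CONTEXT XAVIEW PKG_DBMS_SHARED_POOL PARAM_AQ_TM_PROCESSES; do
    case " $seen " in
      *" $required "*) ;;
      *) echo "FAIL: $required was not reported"; rc=1 ;;
    esac
  done
  return $rc
}

# Run the script against the database and evaluate the result.
check_prereqs() {
  out=$(prereq_sql | sqlplus -S "$PREREQ_CONNECT") || return 1
  evaluate_prereqs "$out"
}

if [ "${1:-}" = "run" ]; then
  check_prereqs && echo "all prerequisites met"
fi
```

Run it as `sh check_prereqs.sh run` on a database node with ORACLE_HOME and ORACLE_SID set; repeat for each database in Table 10-1. Checking for absent keys as well as bad values matters because a query that errors out (for example, because the view does not exist) prints nothing rather than a failing value.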
Note:
For guidelines on setting up optimum parameters for the Database, see Oracle Fusion Middleware Performance and Tuning Guide.
Install and configure the database repository as follows.
Oracle Clusterware
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
Oracle Automatic Storage Management
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration screen to create a separate Automatic Storage Management home.
Oracle Real Application Clusters
For 11g Release 1 (11.1), see Oracle Real Application Clusters Installation Guide.
Oracle Real Application Clusters Database
Create a Real Applications Clusters Database with the following characteristics:
Database must be in archive log mode to facilitate backup and recovery.
Optionally, enable the Flashback database.
Create UNDO tablespace of sufficient size to handle any rollback requirements during the Oracle Identity Manager reconciliation process.
Database is created with the AL32UTF8 character set.
This section describes how to configure the database for Oracle Fusion Middleware 11g metadata.
Use srvctl to create the database services for the components in your topology. The services to be created are listed in Table 10-1, "Mapping between Databases and Schemas".
Create each service using the command srvctl add service, as follows:
srvctl add service -d iamdb -s OAMEDG.mycompany.com -r iamdb1,iamdb2 -q FALSE -m NONE -e SELECT -w 0 -z 0
The meanings of the command-line arguments are as follows:
Option | Meaning |
---|---|
-d | Unique name for the database |
-s | Service name |
-r | Comma separated list of preferred instances |
-q | AQ HA notifications (TRUE or FALSE) |
-e | Failover type (NONE, SESSION, or SELECT) |
-m | Failover method (NONE or BASIC) |
-w | Failover delay (integer) |
-z | Failover retries (integer) |
Start the service using srvctl start service:
srvctl start service -d iamdb -s OAMEDG.mycompany.com
Validate that the service started by using srvctl status service, as follows:
srvctl status service -d iamdb -s OAMEDG.mycompany.com
Service OAMEDG.mycompany.com is running on instance(s) iamdb1,iamdb2
Validate that the service was created correctly by using srvctl config service:
srvctl config service -d iamdb -s OAMEDG.mycompany.com
Service name: OAMEDG.mycompany.com
Service is enabled
Server pool: IAMDB_OAMEDG.mycompany.com
Cardinality: 2
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: SELECT
Failover method: NONE
TAF failover retries: 0
TAF failover delay: 0
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: NONE
Edition:
Preferred instances: iamdb1,iamdb2
Available instances:
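The add, start, status and config steps above have to be repeated for every service in Table 10-1, and a service that silently came up on only one instance would not be caught by eye. The script below is an added example and not part of the Oracle guide: it creates and starts each service with the same srvctl options as the guide, then parses the status and config output and fails if a service is not running on every preferred instance or the failover settings differ from what was requested. The database unique name iamdb, the instances iamdb1 and iamdb2 and the service OAMEDG.mycompany.com come from the guide; OIMEDG.mycompany.com and OAAMEDG.mycompany.com are placeholder names for the two services whose names this page does not give, and the function names and SRVCTL variable are the example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: create, start and verify the
# database services of Table 10-1 with srvctl. iamdb, iamdb1,iamdb2 and
# OAMEDG.mycompany.com are the guide's names; OIMEDG.mycompany.com and
# OAAMEDG.mycompany.com are placeholders. Set SRVCTL=echo to print the
# commands instead of running them.

DB_NAME="${DB_NAME:-iamdb}"
INSTANCES="${INSTANCES:-iamdb1,iamdb2}"
SERVICES="${SERVICES:-OAMEDG.mycompany.com OIMEDG.mycompany.com OAAMEDG.mycompany.com}"
SRVCTL="${SRVCTL:-srvctl}"

# Same options as the guide: no AQ HA notifications (-q), TAF failover type
# SELECT (-e), failover method NONE (-m), delay 0 (-w), retries 0 (-z).
service_add() {
  "$SRVCTL" add service -d "$DB_NAME" -s "$1" -r "$INSTANCES" \
    -q FALSE -m NONE -e SELECT -w 0 -z 0
}

service_start() {
  "$SRVCTL" start service -d "$DB_NAME" -s "$1"
}

# $1: one line of 'srvctl status service' output; $2: comma separated list
# of instances the service must run on. Returns 0 only if every instance in
# $2 is in the running list (a "not running" line never matches).
service_running_on_all() {
  running=$(printf '%s\n' "$1" | sed -n 's/^Service .* is running on instance(s) //p')
  [ -n "$running" ] || return 1
  for inst in $(printf '%s\n' "$2" | tr ',' ' '); do
    case ",$running," in
      *",$inst,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# $1: 'srvctl config service' output; $2: an exact "Key: value" line such
# as "Failover type: SELECT". Returns 0 if that line is present.
service_config_has() {
  printf '%s\n' "$1" | grep -qx "$2"
}

# Create, start and check every service; returns 1 if any check failed.
create_all_services() {
  failed=0
  for svc in $SERVICES; do
    service_add "$svc"
    service_start "$svc"
    status=$("$SRVCTL" status service -d "$DB_NAME" -s "$svc")
    if ! service_running_on_all "$status" "$INSTANCES"; then
      echo "FAIL: $svc is not running on all of $INSTANCES: $status" >&2
      failed=1
    fi
    config=$("$SRVCTL" config service -d "$DB_NAME" -s "$svc")
    for expect in "Failover type: SELECT" "Failover method: NONE" "AQ HA notifications: false"; do
      service_config_has "$config" "$expect" || { echo "FAIL: $svc: expected '$expect'" >&2; failed=1; }
    done
  done
  return $failed
}

if [ "${1:-}" = "apply" ]; then
  create_all_services
fi
```

Run it as `sh create_services.sh apply` from the Oracle RAC home on one database node. Matching the full instance list rather than just "is running" is the point of the status check: a service that started on one instance only would pass a naive check and leave the deployment without the failover Table 10-1 assumes.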
Note:
For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.
The database parameters defined in Section 10.2.5.2, "Minimum Initialization Parameters" are only a guide. You might need to perform additional tuning after the system is in use. For more information, see Database Performance Tuning Guide.
Refresh the database statistics after you initially load the database, and on an ongoing basis. To do that, issue a SQL*Plus command for each schema. The following example is for the schema EDGIGD_OIM:
exec DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME=> 'EDGIGD_OIM', ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, DEGREE=>8, OPTIONS=>'GATHER AUTO', NO_INVALIDATE=>FALSE);
You must run the Repository Creation Utility to seed your database(s) with the schemas required for Identity and Access Management. You need to run the Repository Creation Utility twice, once for each domain specifying a different Prefix each time.
Start RCU by issuing this command:
RCU_ORACLE_HOME/bin/rcu &
On the Welcome screen, click Next.
On the Create Repository screen, select the Create operation to load component schemas into a database. Then click Next.
On the Database Connection Details screen, provide the information required to connect to an existing database. For example:
Database Type: Oracle Database
Host Name: Enter the VIP address of one of the RAC database nodes or the database SCAN address, for example: IAMDBSCAN.mycompany.com
Port: The port number for the database listener (DB_LSNR_PORT). For example: 1521
Service Name: The service name of the database. For example OAMEDG.mycompany.com.
Use the service names for the components you will select from the table in Step 6.
Username: sys
Password: The sys user password
Role: SYSDBA
Click Next.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Select Components screen, provide the following values:
Create a New Prefix: Enter a prefix to be added to the database schemas. Note that all schemas are required to have a prefix. See Table 10-1, "Mapping between Databases and Schemas" or the following table for RCU prefixes.
Components: Select the appropriate components from the following table for the topology you are using.
RCU Prefix | Product | RCU Option | Comments |
---|---|---|---|
EDGIAD | Oracle Platform Security Services for IAMAccessDomain | AS Common Schemas–Oracle Platform Security Service | Audit and Metadata Services are also selected. |
EDGIAD | Oracle Access Management Access Manager | Identity Management–Oracle Access Manager | Audit Services will also be selected. |
EDGIAD | Oracle Adaptive Access Manager | Oracle Identity Management–Oracle Adaptive Access Manager | If required. |
EDGIGD | Oracle Platform Security Services for IAMGovernanceDomain | AS Common Schemas–Oracle Platform Security Service | Audit and Metadata Services are also selected. |
EDGIGD | Oracle Identity Manager | Identity Management–Oracle Identity Manager | Metadata Services, SOA infrastructure, and User Messaging will also be selected. |
Click Next.
Notes:
If your topology requires more than one database, the following important considerations apply:
Be sure to install the correct schemas in the correct database.
You might have to run the RCU more than once to create all the schemas for a given topology.
Table 10-1 in this chapter provides the recommended mapping between the schemas and their corresponding databases. Refer to this table to ensure that the correct details are entered in this screen.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Schema Passwords screen, enter the passwords for the schemas. You can choose to use either the same password for all the schemas or different passwords for each of the schemas. The deployment wizard requires that all passwords for a given prefix be the same.
Click Next.
On the Map Tablespaces screen, accept the defaults and click Next.
On the confirmation screen, click OK to allow the creation of the tablespaces.
On the Creating tablespaces screen, click OK to acknowledge creation of the tablespaces.
On the Summary screen, review the summary and verify that the details provided are accurate. Click Create to start the schema creation process.
On the Completion summary screen, verify that the schemas were created.
Repeat these steps for the remaining service names.
Click Close to exit.
If your Database is on an Exadata machine, you can opt to connect to the database either through TCP or SDP. Even if using SDP, a TCP connection to the database must exist as the TCP connection is used for the provisioning process. Later, during post-provisioning, the TCP connection can optionally be changed to an SDP connection. The following two sub-sections describe prerequisites for the SDP connection.
Create an SDP listener on the Exadata machine by following the instructions in "Configuring SDP InfiniBand Listener for Exalogic Connections" in Oracle Fusion Middleware Exalogic Enterprise Deployment Guide, Release EL X2-2 and EL X3-2.
As described in My Oracle Support Note 1588546.1, having SDP and APM enabled can result in database hangs. As a result, Oracle recommends disabling APM on both the Exalogic and Exadata nodes.
To disable APM:
Add the argument sdp_apm_enable=0 to the InfiniBand options in the file /etc/modprobe.conf.
After editing, the entry should look like this:
options ib_sdp sdp_zcopy_thresh=0 recv_poll=0 sdp_apm_enable=0
Reload the ib_sdp driver:
modprobe -r ib_sdp
modprobe ib_sdp
Validate the change by running the following command:
[root@xxx03cn05 ~]# cat /sys/module/ib_sdp/parameters/sdp_apm_enable
0
The result should be 0.
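The edit, reload and check above are easy to get wrong on a node that already has an ib_sdp options line with a different sdp_apm_enable value, or none at all. The script below is an added example and not part of the Oracle guide: it rewrites the options line idempotently, reloads the driver, and then verifies both the file and the running driver's sysfs value, exiting non-zero if either still enables APM. The file paths and the module parameter come from the guide; the function names and the MODPROBE_CONF and APM_SYSFS variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: disable APM for ib_sdp by
# editing the options line in /etc/modprobe.conf, reloading the driver and
# verifying the running value in sysfs. Paths are the guide's; the
# function names are this example's own. Run as root.

MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.conf}"
APM_SYSFS="${APM_SYSFS:-/sys/module/ib_sdp/parameters/sdp_apm_enable}"

# $1: modprobe.conf contents. Prints the contents with sdp_apm_enable=0 on
# the "options ib_sdp" line: an existing value is rewritten, a missing
# option is appended, and a missing line is added. Other lines are kept.
set_apm_disabled() {
  if printf '%s\n' "$1" | grep -q '^options ib_sdp '; then
    printf '%s\n' "$1" | sed -e '/^options ib_sdp /{' \
      -e '/sdp_apm_enable=/!s/$/ sdp_apm_enable=0/' \
      -e 's/sdp_apm_enable=[0-9]*/sdp_apm_enable=0/' \
      -e '}'
  else
    printf '%s\noptions ib_sdp sdp_apm_enable=0\n' "$1"
  fi
}

# $1: modprobe.conf contents. Returns 0 if the ib_sdp options line sets
# sdp_apm_enable=0 (and not, say, =01).
conf_apm_disabled() {
  printf '%s\n' "$1" | grep -Eq '^options ib_sdp .*sdp_apm_enable=0( |$)'
}

# $1: sysfs parameter file. Returns 0 if the loaded driver reports 0.
sysfs_apm_disabled() {
  [ "$(cat "$1" 2>/dev/null)" = "0" ]
}

# Edit the file, reload ib_sdp and verify both the file and the driver.
disable_apm() {
  current=$(cat "$MODPROBE_CONF")
  set_apm_disabled "$current" > "$MODPROBE_CONF.tmp" &&
    mv "$MODPROBE_CONF.tmp" "$MODPROBE_CONF"
  conf_apm_disabled "$(cat "$MODPROBE_CONF")" ||
    { echo "FAIL: $MODPROBE_CONF does not disable APM" >&2; return 1; }
  modprobe -r ib_sdp && modprobe ib_sdp
  sysfs_apm_disabled "$APM_SYSFS" ||
    { echo "FAIL: $APM_SYSFS is not 0" >&2; return 1; }
  echo "APM disabled for ib_sdp"
}

if [ "${1:-}" = "apply" ]; then
  disable_apm
fi
```

Run it as `sh disable_apm.sh apply` on each Exalogic and Exadata node. Checking sysfs after the reload, rather than only the file, catches the case where the file was edited but the module failed to reload and the old parameter value is still in effect.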
After you have prepared your database, back it up as described in Section 20.5.3.3, "Backing Up the Database."