Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07
This chapter describes how to create a domain using the Configuration Wizard, Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control. The standard Identity Management deployment topology uses a single domain for all components. You can extend the domain to add Oracle Fusion Middleware components such as Oracle Internet Directory and Oracle Virtual Directory.
You might find it desirable, however, to move the Oracle Identity Manager components into a separate domain so that they can be managed and patched independently.
Note:
Oracle strongly recommends that you read the release notes for any additional installation and deployment considerations prior to starting the setup process.
This chapter contains the following sections.
Table 8-1 lists the steps for creating a WebLogic domain, including post-configuration tasks.
Table 8-1 Steps for Creating a WebLogic Domain
Step | Description | More Information |
---|---|---|
Enabling VIP ADMINVHN in IDMHOST1 | Enable ADMINVHN for the IDMHOST1 hostname. | |
Create a WebLogic Domain | Run the Configuration Wizard to create the WebLogic domain. | |
Post-Configuration and Verification Tasks | Follow the instructions for post-configuration and validation tasks. | |
Configure the Oracle HTTP Server with the WebLogic domain | Configure the Oracle HTTP Server with the WebLogic domain and validate the configuration. | Section 8.7, "Configuring Oracle HTTP Server for the WebLogic Domain" |
Back Up the Domain | Back up the newly configured WebLogic domain. | |
Once this domain is created and configured you can extend the domain to include other Identity Management components, as described in the next chapters.
Before starting to create your topology, you must decide whether to create a single domain topology, with all components in one domain, or a split domain topology, with Oracle Identity Manager in its own dedicated domain.
For a single domain topology, create one domain, IDMDomain.
For a split domain topology, you must create two domains. Specifically:
A domain for most components, including directories, the HTTP server, Oracle Access Manager, Fusion Middleware Control, and WebLogic console. This is called IDMDomain.
A domain for Oracle Identity Manager components, including OIM managed servers and separate WebLogic console and Fusion Middleware Control. This is called OIMDomain.
At this point, the following URLs are available:
Table 8-2 URLs Available Before Creating the Domain
Domain | Component | URL |
---|---|---|
IDMDomain | WebLogic Console | http://adminvhn.mycompany.com:7001/console |
OIMDomain | WebLogic Console | http://oimadminvhn.mycompany.com:7001/console |
After you have completed the tasks that follow, the following URLs will be available.
Table 8-3 URLs Available Prior to Web Tier Integration
Domain | Component | URL |
---|---|---|
IDMDomain | WebLogic Console | http://admin.mycompany.com/console |
IDMDomain | Fusion Middleware Control | http://admin.mycompany.com/em |
OIMDomain | WebLogic Console | http://oimadmin.mycompany.com/console |
OIMDomain | Fusion Middleware Control | http://oimadmin.mycompany.com/em |
This section contains the following topics:
Note that this step is required for failover of the WebLogic Administration Server, regardless of whether other Oracle Fusion Middleware components are installed later or not.
You associate the Administration Server with a virtual IP address, ADMINVHN.mycompany.com. Check that ADMINVHN.mycompany.com is enabled on IDMHOST1.
Note:
This is the DNS name associated with the floating IP address. It is not admin.mycompany.com, which is the virtual host configured on the load balancer.
Linux
To enable the virtual IP address, run the following commands as root:
/sbin/ifconfig interface:index IPAddress netmask netmask
/sbin/arping -q -U -c 3 -I interface IPAddress
where interface is eth0, eth1, and so forth, and index is 0, 1, 2, and so forth.
For example:
/sbin/ifconfig eth0:1 100.200.140.206 netmask 255.255.255.0
Enable your network to register the new location of the virtual IP address:
/sbin/arping -q -U -c 3 -I eth0 100.200.140.206
Validate that the address is available by pinging it from another node, for example:
/bin/ping 100.200.140.206
Windows
To enable the virtual IP address, run the following command:
netsh interface ip add address interface IP_Address netmask
where IP_Address is the virtual IP address and netmask is the associated netmask.
In the following example, the IP address is enabled on the interface Local Area Connection.
netsh interface ip add address "Local Area connection" 100.200.140.206 255.255.255.0
The Identity Management domain uses virtual host names as the listen addresses for the Oracle Identity Manager and SOA managed servers. You must enable two virtual IP addresses, mapping each of these host names, on each of the two Oracle Identity Manager machines. Specifically, enable OIMVHN1 and SOAVHN1 on OIMHOST1 and enable OIMVHN2 and SOAVHN2 on OIMHOST2. If you are using a split domain topology, also ensure that OIMADMINVHN.mycompany.com is enabled on OIMHOST1. These virtual addresses must correctly resolve to the virtual host names in the network system used by the topology, either by DNS server or by hosts resolution. To enable the virtual IP addresses, follow the steps described in Section 8.4.1, "Enabling Virtual IP Addresses on IDMHOST1." These virtual IP addresses and virtual host names are required to enable server migration for the Oracle Identity Manager and SOA servers. Server migration must be configured for the Oracle Identity Manager and SOA managed servers for high availability purposes.
See Also:
Chapter 18, "Configuring Server Migration for an Enterprise Deployment" for more details about configuring server migration for the Oracle Identity Manager and SOA Managed servers.
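The Linux steps of Section 8.4.1 (ifconfig to bind the address, arping to announce it), wrapped in a shell script added here; this is not code from the Oracle guide. Two things are assumptions not on the page: an iputils arping -D duplicate-address probe is run before the address is bound, so a VIP that another node still answers for (for example, mid-failover of the Administration Server) is never bound on two hosts at once, and a DRY_RUN=1 switch prints the commands instead of running them as root. The same functions serve the OIMVHN/SOAVHN addresses described above.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: the Linux VIP steps of Section 8.4.1
# with argument validation and a duplicate-address probe in front of them.
# Assumptions not on the page: iputils arping with -D (duplicate address
# detection) is installed, and DRY_RUN=1 prints the commands instead of running
# them (they need root).

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0-255, else 1
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vip_commands IFACE INDEX ADDR NETMASK -> prints the commands to run, in order
vip_commands() {
    iface=$1; index=$2; addr=$3; mask=$4
    [ -n "$iface" ] || { echo "missing interface name" >&2; return 1; }
    case $index in
        ''|*[!0-9]*) echo "bad alias index: '$index'" >&2; return 1 ;;
    esac
    valid_ipv4 "$addr" || { echo "bad IP address: '$addr'" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "bad netmask: '$mask'" >&2; return 1; }
    # 1. Probe first: arping -D exits non-zero if another host answers for ADDR,
    #    so a VIP still held by the other node is never bound twice.
    echo "/sbin/arping -D -q -c 3 -I $iface $addr"
    # 2. Bind the address to the alias interface (the guide's ifconfig step).
    echo "/sbin/ifconfig $iface:$index $addr netmask $mask"
    # 3. Announce the new location so switches and peers update their ARP caches.
    echo "/sbin/arping -q -U -c 3 -I $iface $addr"
}

# enable_vip IFACE INDEX ADDR NETMASK -> runs the commands, stopping at the
# first failure; with DRY_RUN=1 it only prints them
enable_vip() {
    cmds=$(vip_commands "$@") || return 1
    echo "$cmds" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Example call with the guide's sample values (as root, or with DRY_RUN=1):
#   DRY_RUN=1 enable_vip eth0 1 100.200.140.206 255.255.255.0
```

Run the script as root on IDMHOST1 (or OIMHOST1/OIMHOST2 for the OIM and SOA addresses) and then verify from another node with /bin/ping as the guide describes; a non-zero exit from the -D probe means the address is still live elsewhere and should be investigated before it is bound.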
Run the Configuration Wizard from the Oracle common home directory to create a domain containing the Administration Server and managed servers. This domain supports Oracle Identity Manager and Oracle Access Manager. Later, you will extend the domain to contain other components.
If you are using a single domain topology, you run the Configuration Wizard once, on IDMHOST1, to create the IDMDomain.
If you are using a split domain topology, you must run the Configuration Wizard twice, to create two domains. You run it on IDMHOST1 when creating the IDMDomain and on OIMHOST1 when creating the OIMDomain.
As you proceed through the following steps, follow the procedures specified for the topology and domain that you are creating:
Single domain topology, IDMDomain
Split domain topology, IDMDomain
Split domain topology, OIMDomain
To create IDMDomain and, optionally, OIMDomain, proceed as follows:
Ensure that the database where you installed the repository is running. For Oracle RAC databases, all instances should be running, so that the validation check later in the procedure is more reliable.
Change directory to the location of the Configuration Wizard. This is within the Oracle Common Home directory (created in Chapter 6, "Installing the Software for an Enterprise Deployment").
cd ORACLE_BASE/product/fmw/oracle_common/common/bin
Start the Oracle Fusion Middleware Configuration Wizard.
On Linux, type:
./config.sh
On Windows, type:
config.cmd
On the Welcome screen, select Create a New WebLogic Domain, and click Next.
On the Select Domain Source screen, do the following:
Select Generate a domain configured automatically to support the following products.
Select the following products for a single or split domain topology.
For single domain creation, select:
Oracle Identity Manager 11.1.1.3.0 [iam]
Oracle SOA Suite - 11.1.1.0 [soa]
Oracle Enterprise Manager [oracle_common]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [iam]
Oracle WSM Policy Manager - 11.1.1.0 [oracle_common]
Oracle JRF [oracle_common] (This should be selected automatically.)
For a split domain topology, when creating IDMDomain, select the following products:
Oracle Enterprise Manager [oracle_common]
Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [iam] IDMDomain only
Oracle JRF [oracle_common] (This should be selected automatically.)
For a split domain topology, when creating OIMDomain, select the following products:
Oracle Identity Manager 11.1.1.3.0 [iam] OIMDomain only
Oracle Enterprise Manager - 11.1.1.0 [iam]
Oracle SOA Suite - 11.1.1.0 [soa] OIMDomain only. This should be selected automatically.
Oracle JRF [oracle_common] (This should be selected automatically.)
Oracle WSM Policy Manager - 11.1.1.0 [oracle_common]
Click Next.
On the Specify Domain Name and Location screen, enter the domain name for the domain you are creating, either IDMDomain or OIMDomain.
Ensure that the domain directory matches the directory and shared storage mount point recommended in Section 4.4.4, "Directory Structure."
Enter ORACLE_BASE/admin/domain_name/aserver/ for the domain directory and ORACLE_BASE/admin/domain_name/aserver/applications for the application directory, where domain_name is either IDMDomain or OIMDomain. The application directory should be in shared storage.
Click Next.
On the Configure Administrator Username and Password screen, enter the username (default is weblogic) and password to be used for the domain's administrator. For example:
Name: weblogic
User Password: password for weblogic user
Confirm User Password: password for weblogic user
Description: This user is the default administrator.
Click Next.
On the Configure Server Start Mode and JDK screen, do the following:
For WebLogic Domain Startup Mode, select Production Mode.
For JDK Selection, select JRockit SDK.
Click Next.
On the Configure JDBC Component Schemas screen, select all the data sources listed on the page. The list will vary depending on whether you're setting up a single or a split domain.
SOA Infrastructure
User Messaging Service
OIM MDS Schema
OWSM MDS Schema
SOA MDS Schema
OAM Infrastructure
OIM Schema
Under RAC configuration for component schemas, select Convert to RAC multi data source.
Click Next.
On the Configure RAC Multi Data Source Component Schema page, select each of the schemas for your components, one by one. (Do not select schemas listed for previously configured components.) After you select a schema, enter its information into the appropriate fields, based on the following table:
Schema Name | Service Name | Host Names | Instance Names | Port | Schema Owner | Password |
---|---|---|---|---|---|---|
| | | oimedg1, oimedg2 | | EDG_SOAINFRA | |
| | | oimedg1, oimedg2 | | EDG_ORASDPM | |
| | | oimedg1, oimedg2 | | EDG_MDS | |
| | | idmedg1, idmedg2 | | EDG_MDS | |
| | | oimedg1, oimedg2 | | EDG_MDS | |
| | | oimedg1, oimedg2 | | EDG_OIM | |
| | | oimedg1, oimedg2 | | EDG_OAM | |
If you are using Oracle Database 11.2, replace the vip address and port with the 11.2 SCAN address and port.
Click Next.
On the Test JDBC Component Schema screen, the Configuration Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
Click Next.
On the Select Optional Configuration screen, select the following:
Administration Server
JMS Distributed Destination (required only on the domain that has OIM)
Managed Servers, Clusters and Machines
JMS File Store (required only on the domain that has OIM)
Click Next.
On the Configure the Administration Server screen, enter the following values:
Name: AdminServer
Listen Address:
ADMINVHN.mycompany.com
(when creating IDMDomain).
OIMADMINVHN.mycompany.com
(when creating OIMDomain)
Listen Port: 7001
SSL listen port: N/A
SSL enabled: unchecked
Click Next.
When creating IDMDomain for a single domain topology or OIMDomain for a split domain topology, the next screen is the JMS Distributed Destination screen. This screen does not appear when you are creating IDMDomain for a split domain topology.
On the JMS Distributed Destination screen, ensure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD from the drop down box. Ensure that the entries look like this:
JMS System Resource | Uniform/Weighted Distributed Destination |
---|---|
UMSJMSSystemResource | UDD |
BPMJMSModule | UDD |
SOAJMSModule | UDD |
OIMJMSModule | UDD |
Click Next.
An Override Warning box with the following message is displayed:
CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This conversion will take place only if the JMS System resource is assigned to a cluster
Click OK on the Override Warning box.
The next screen is the Configure Managed Servers screen.
If you are creating IDMDomain for a single domain topology, when you first enter the Configure Managed Servers screen, three managed servers called oam_server1, oim_server1 and soa_server1 are created automatically. Rename oam_server1 to WLS_OAM1, soa_server1 to WLS_SOA1, and oim_server1 to WLS_OIM1, and update their attributes as shown in the following table.
Then, add three new managed servers called WLS_OAM2, WLS_OIM2 and WLS_SOA2 with the following attributes.
Name | Listen Address | Listen Port | SSL Listen Port | SSL Enabled |
---|---|---|---|---|
WLS_OAM1 | IDMHOST1 | | N/A | No |
WLS_OAM2 | IDMHOST2 | | N/A | No |
WLS_SOA1 | SOAVHN1 | | N/A | No |
WLS_SOA2 | SOAVHN2 | | N/A | No |
WLS_OIM1 | OIMVHN1 | | N/A | No |
WLS_OIM2 | OIMVHN2 | | N/A | No |
Leave all the other fields at the default settings.
When you are creating a split domain topology, during creation of IDMDomain, one managed server, oam_server1, is created automatically. Change it to WLS_OAM1 and update its attributes as shown in the table. Also create WLS_OAM2 with the attributes shown in the table.
During creation of OIMDomain, only two managed servers, oim_server1 and soa_server1 are created automatically. Change them to WLS_OIM1 and WLS_SOA1, respectively, and update their attributes as shown in the table. Also add WLS_OIM2 and WLS_SOA2, with the attributes shown in the table.
Notes:
Do not change the configuration of the managed servers that were configured as a part of previous deployments.
Do not delete the default managed servers that are created. Rename them as described.
The next screen is the Configure Clusters screen.
If you are creating IDMDomain for a single domain topology, on the Configure Clusters screen, create three clusters, by clicking Add. Supply the following information:
OAM Cluster:
Name: cluster_oam
Cluster Messaging Mode: unicast
OIM Cluster:
Name: cluster_oim
Cluster Messaging Mode: unicast
SOA Cluster:
Name: cluster_soa
Cluster Messaging Mode: unicast
If you are creating IDMDomain for a split domain topology, on the Configure Clusters screen, create one cluster, by clicking Add. Supply the following information:
OAM Cluster:
Name: cluster_oam
Cluster Messaging Mode: unicast
If you are creating OIMDomain for a split domain topology, on the Configure Clusters screen, create two clusters, by clicking Add. Supply the following information:
OIM Cluster:
Name: cluster_oim
Cluster Messaging Mode: unicast
SOA Cluster:
Name: cluster_soa
Cluster Messaging Mode: unicast
Leave all other fields at the default settings and click Next.
Note:
Do not change the configuration of the clusters that were configured as a part of previous deployments.
On the Assign Servers to Clusters screen, associate the managed servers with the cluster. Click the cluster name in the right pane. Click the managed server under Servers, then click the arrow to assign it to the cluster.
The cluster_oam has the managed servers WLS_OAM1 and WLS_OAM2 as members.
The cluster_oim has the managed servers WLS_OIM1 and WLS_OIM2 as members.
The cluster_soa has the managed servers WLS_SOA1 and WLS_SOA2 as members.
Click Next.
Note:
Do not make any changes to clusters that already have entries defined.
On the Configure Machines screen, click the Unix Machine tab (for Linux and UNIX hosts) or the Machines tab (for Windows hosts), then click Add and create a machine for each host in the topology. The machine name does not need to be a valid host name or listen address; it is just a unique identifier of a Node Manager location. For each machine, supply:
Name: Name of the host. Best practice is to use the DNS name.
Node Manager Listen Address: DNS name of the machine.
Node Manager Port: Port for Node Manager.
Provide the information shown in the following table.
If you are creating IDMDomain for a single domain topology, create all the hosts shown in the table.
If you are creating IDMDomain for a split domain topology, create IDMHOST1, IDMHOST2, and ADMINHOST.
If you are creating OIMDomain for a split domain topology, create OIMHOST1, OIMHOST2, and OIMADMINHOST.
Name | Node Manager Listen Address | Node Manager Listen Port |
---|---|---|
ADMINHOST | | |
IDMHOST1 | | |
IDMHOST2 | | |
OIMADMINHOST | | |
OIMHOST1 | | |
OIMHOST2 | | |
Leave the default values for all other fields.
Delete the default local machine entry under the Machines tab.
Click Next.
On the Assign Servers to Machines screen, indicate which Managed Servers to run on each of the machines you created.
Click a machine in the right pane.
Click the Managed Servers you want to run on that machine in the left pane.
Click the arrow to assign the Managed Servers to the machines. Repeat until all Managed Servers are assigned to machines. For example:
ADMINHOST: AdminServer
OIMADMINHOST: AdminServer
OIMHOST1: WLS_OIM1 and WLS_SOA1
OIMHOST2: WLS_OIM2 and WLS_SOA2
IDMHOST1: WLS_OAM1
IDMHOST2: WLS_OAM2
If you are creating IDMDomain for a single domain deployment, the following hosts appear.
ADMINHOST: AdminServer
OIMHOST1: WLS_OIM1 and WLS_SOA1
OIMHOST2: WLS_OIM2 and WLS_SOA2
IDMHOST1: WLS_OAM1
IDMHOST2: WLS_OAM2
If you are creating IDMDomain for a split domain deployment, ADMINHOST, IDMHOST1 and IDMHOST2 appear.
If you are creating OIMDomain for a split domain deployment, OIMADMINHOST, OIMHOST1, and OIMHOST2 appear.
Click Next to continue.
If you are creating OIMDomain for a split domain deployment, the Configure JMS File Stores screen appears. On the Configure JMS File Stores screen, update the directory locations for the JMS file stores. Provide the following information.
Name | Directory |
---|---|
UMSJMSFileStore_auto_1 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
UMSJMSFileStore_auto_2 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
BPMJMSServer_auto_1 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
BPMJMSServer_auto_2 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
SOAJMSFileStore_auto_1 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
SOAJMSFileStore_auto_2 | /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ |
OIMJMSFileStore_auto_1 | /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ |
OIMJMSFileStore_auto_2 | /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ |
If you are creating IDMDomain for a split domain deployment, the Configure JMS File Stores screen does not appear.
Click Next.
Notes:
Use /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ as the directory location for the UMSJMSFileStore_auto_1, UMSJMSFileStore_auto_2, BPMJMSServer_auto_1, BPMJMSServer_auto_2, SOAJMSFileStore_auto_1, and SOAJMSFileStore_auto_2 JMS file stores.
Use /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ as the directory location for the OIMJMSFileStore_auto_1 and OIMJMSFileStore_auto_2 JMS file stores.
The locations /u01/app/oracle/admin/IDMDomain/soa_cluster/jms/ and /u01/app/oracle/admin/IDMDomain/oim_cluster/jms/ are on shared storage and must be accessible from OIMHOST1 and OIMHOST2.
On the Configuration Summary screen, validate that your choices are correct, then click Create.
On the Create Domain screen, click Done.
After configuring the domain with the Configuration Wizard, follow these instructions for post-configuration and verification.
This section includes the following topics:
Section 8.6.1, "Creating boot.properties for the WebLogic Administration Server on IDMHOST1"
Section 8.6.2, "Creating boot.properties for the WebLogic Administration Server on OIMHOST1"
Section 8.6.5, "Validating the WebLogic Administration Server"
Section 8.6.10, "Disabling Host Name Verification for the Oracle WebLogic Administration Server"
Section 8.6.11, "Stopping and Starting the WebLogic Administration Server"
Create a boot.properties file for the Administration Server on IDMHOST1. If the file already exists, edit it. The boot.properties file enables the Administration Server to start without prompting you for the administrator username and password.
For the Administration Server:
Create the following directory structure.
mkdir -p ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security
In a text editor, create a file called boot.properties in the last directory created in the previous step, and enter the username and password in the file. For example:
username=weblogic
password=password for weblogic user
Save the file and close the editor.
Note:
The username and password entries in the file are not encrypted until you start the Administration Server, as described in Section 8.6.4, "Updating the Node Manager Credentials." For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
If you are using a split domain topology, create a boot.properties file for the Administration Server on OIMHOST1. If the file already exists, edit it. The boot.properties file enables the Administration Server to start without prompting you for the administrator username and password.
For the Administration Server:
Create the following directory structure.
mkdir -p ORACLE_BASE/admin/OIMDomain/aserver/OIMDomain/servers/AdminServer/security
In a text editor, create a file called boot.properties in the last directory created in the previous step, and enter the username and password in the file. For example:
username=weblogic
password=password for weblogic user
Save the file and close the editor.
Note:
The username and password entries in the file are not encrypted until you start the Administration Server, as described in Section 8.6.4, "Updating the Node Manager Credentials." For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
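Both boot.properties procedures above (Sections 8.6.1 and 8.6.2) end with the same note: the entries are plaintext until the Administration Server starts. The shell functions below, added here and not taken from the Oracle guide, write the file at the path the guide uses for either domain with a 0600 mode, and then check, once the server has been started, that WebLogic has rewritten both entries in its encrypted form (the values get an {AES} prefix; older releases used {3DES}). Assumptions not on the page: BASE_DIR (defaulting to ORACLE_BASE) is the base directory, and the password is read from stdin rather than passed as an argument so it does not show up in ps output or shell history. The permission check is equally useful for the nm_password.properties file mentioned in Section 8.6.4.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: write the Administration Server's
# boot.properties where Sections 8.6.1/8.6.2 put it, with a 0600 mode, and check
# afterwards that WebLogic has replaced both plaintext values with encrypted ones
# (WebLogic rewrites them as "{AES}..." on the first server start).
# Assumptions not on the page: BASE_DIR (default: $ORACLE_BASE) is the base
# directory, and the password is read from stdin so it never appears in
# "ps" output or shell history.

# boot_properties_path DOMAIN -> path of the AdminServer boot.properties
boot_properties_path() {
    printf '%s/admin/%s/aserver/%s/servers/AdminServer/security/boot.properties\n' \
        "${BASE_DIR:-$ORACLE_BASE}" "$1" "$1"
}

# create_boot_properties DOMAIN USERNAME  (password on stdin) -> prints the path
create_boot_properties() {
    domain=$1; user=$2
    IFS= read -r pass || return 1
    file=$(boot_properties_path "$domain")
    mkdir -p "$(dirname "$file")" || return 1
    # umask in a subshell: the file is created 0600 without changing the caller's umask
    ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" ) || return 1
    echo "$file"
}

# check_boot_properties FILE -> 0 if both entries are encrypted,
# 1 if an entry is still plaintext (start the server), 2 if the file is missing
# or readable by group/others (the same mode check fits nm_password.properties)
check_boot_properties() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # columns 5-10 of "ls -l" output are the group and other permission bits
    if ls -ld "$file" | cut -c5-10 | grep -q '[rwx]'; then
        echo "group/other can read $file; chmod 600 it" >&2
        return 2
    fi
    status=0
    for key in username password; do
        value=$(sed -n "s/^$key=//p" "$file")
        case $value in
            '{AES}'*|'{3DES}'*) ;;   # encrypted by WebLogic
            *) echo "$key is still plaintext in $file; start the server now" >&2
               status=1 ;;
        esac
    done
    return $status
}

# Example (constructed values):
#   printf '%s\n' "$ADMIN_PW" | create_boot_properties IDMDomain weblogic
#   check_boot_properties "$(boot_properties_path IDMDomain)"
```

Run check_boot_properties right after the first Administration Server start in Section 8.6.4; exit status 1 means the server did not pick the file up (wrong directory is the usual cause) and the plaintext credentials are still on disk.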
Perform these steps to start Node Manager on IDMHOST1. If you are using a split domain topology, also perform these steps on OIMHOST1:
Run the startNodeManager.sh script located under the ORACLE_BASE/product/fmw/wlserver_10.3/server/bin/ directory.
Run the setNMProps.sh script to set the StartScriptEnabled property to true:
cd MW_HOME/oracle_common/common/bin
./setNMProps.sh
Note:
You must use the StartScriptEnabled property to avoid class loading failures and other problems.
Stop the Node Manager by killing the Node Manager process, or stop the service in Windows.
Start Node Manager for the Administration Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
You start the Administration Server by using wlst and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager. Steps 1-4 are required for the first start operation, but subsequent starts require only Step 4.
Start the Administration Server using the start script in the domain directory.
cd ORACLE_BASE/admin/domain_name/aserver/domain_name/bin
./startWebLogic.sh
Use the Administration Console to update the Node Manager credentials on IDMDomain.
In a browser, go to http://ADMINVHN.mycompany.com:7001/console.
Log in as the administrator.
Click Lock and Edit.
In the Domain Structure pane, click the domain name (IDMDomain), then select the Security tab and the General tab.
At the bottom of the page, expand Advanced.
Enter a new username for Node Manager or make a note of the existing one and update the Node Manager password.
Save and activate the changes.
If you are using a split domain topology, also update the Node Manager credentials on OIMDomain. Go to http://OIMADMINVHN.mycompany.com:7001/console and perform the same steps.
Stop the WebLogic Administration Server by issuing the command stopWebLogic.sh located under the ORACLE_BASE/admin/domain_name/aserver/domain_name/bin directory.
Start WLST and connect to the Node Manager with nmconnect and the credentials you just updated. Then start the WebLogic Administration Server using nmstart.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
On Windows, the command is:
wlst.cmd
Once in the wlst shell, execute the following commands:
nmConnect('Admin_User','Admin_Password', 'IDMHOST1','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
nmStart('AdminServer')
where Admin_User and Admin_Password are the Node Manager username and password you entered in Step 2.
If you are using a split domain topology, also execute the following commands:
nmConnect('Admin_User','Admin_Password', 'OIMHOST1','5556', 'OIMDomain','/u01/app/oracle/admin/OIMDomain/aserver/OIMDomain')
nmStart('AdminServer')
where Admin_User and Admin_Password are the Node Manager username and password you entered in Step 2.
Note:
Admin_User and Admin_Password are only used to authenticate connections between Node Manager and clients. They are independent from the server administration ID and password and are stored in the ORACLE_BASE/admin/domain_name/aserver/domain_name/config/nodemanager/nm_password.properties file.
Perform these steps to ensure that the Administration Server is properly configured:
In a browser, go to http://ADMINVHN.mycompany.com:7001/console.
Log in as the WebLogic administrator, for example: weblogic.
Check that you can access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control as the WebLogic administrator, for example: weblogic.
If you are using a split domain topology, perform these steps as well:
In a browser, go to http://OIMADMINVHN.mycompany.com:7001/console.
Log in as the WebLogic administrator, for example: weblogic.
Check that you can access Oracle Enterprise Manager Fusion Middleware Control at http://OIMADMINVHN.mycompany.com:7001/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control as the WebLogic administrator, for example: weblogic.
By default, the IDMDomain Agent provides single sign-on capability for administration consoles. In enterprise deployments, WebGate handles single sign-on, so you must remove the IDMDomain agent. Remove the IDMDomain Agent as follows:
Log in to the WebLogic console at the URL listed in Section 21.2, "About Identity Management Console URLs."
Then:
Select Security Realms from the Domain Structure Menu
Click myrealm.
Click the Providers tab.
Click Lock and Edit from the Change Center.
In the list of authentication providers, select IAMSuiteAgent.
Click Delete.
Click Yes to confirm the deletion.
Click Activate Changes from the Change Center.
Restart WebLogic Administration Server and ALL running Managed Servers, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Use the pack and unpack commands to separate the domain directory used by the Administration Server from the domain directory used by the managed servers on IDMHOST1, as recommended in Chapter 4, "Preparing the File System for an Enterprise Deployment." If you are using a split domain topology, also use the pack and unpack commands on OIMHOST1.
Before running the unpack script, be sure the following directory exists, as explained in Chapter 4, "About Recommended Locations for the Different Directories."
ORACLE_BASE/admin/domain_name/mserver
To create a separate domain directory on IDMHOST1:
Run the pack command to create a template pack as follows:
cd ORACLE_COMMON_HOME/common/bin
./pack.sh -managed=true -domain=ORACLE_BASE/admin/domain_name/aserver/domain_name -template=domaintemplate.jar -template_name=domain_template
Run the unpack command to unpack the template in the managed server domain directory as follows:
cd ORACLE_COMMON_HOME/common/bin
./unpack.sh -domain=ORACLE_BASE/admin/domain_name/mserver/domain_name -template=domaintemplate.jar -app_dir=ORACLE_BASE/admin/domain_name/mserver/applications
If you are using a split domain topology, also perform Steps 1 and 2 on OIMHOST1.
Note:
You must have write permissions on the following directory before running the unpack command:
/ORACLE_BASE/admin/domain_name
For example:
ORACLE_BASE/admin/IDMDomain/
Note:
The configuration steps provided in this enterprise deployment topology are documented with the assumption that a local (per node) domain directory is used for each managed server.
Before you can start managed servers on remote hosts, you must first perform an unpack on those servers. Proceed as follows.
Single Domain
Using the file domaintemplate.jar created in Section 8.6.7, "Creating a Separate Domain Directory for Managed Servers in the Same Node as the Administration Server," perform an unpack on the hosts IDMHOST2, OIMHOST1 and OIMHOST2 by using the following commands:
cd ORACLE_COMMON_HOME/common/bin
./unpack.sh -domain=ORACLE_BASE/admin/domain_name/mserver/domain_name -template=domaintemplate.jar -app_dir=ORACLE_BASE/admin/domain_name/mserver/applications
Split Domain
Using the file domaintemplate.jar created for the domain IDMDomain in Section 8.6.7, "Creating a Separate Domain Directory for Managed Servers in the Same Node as the Administration Server," perform an unpack on the host IDMHOST2 by using the following commands:
cd ORACLE_COMMON_HOME/common/bin
./unpack.sh -domain=ORACLE_BASE/admin/domain_name/mserver/domain_name -template=domaintemplate.jar -app_dir=ORACLE_BASE/admin/domain_name/mserver/applications
Using the file domaintemplate.jar created for the domain OIMDomain in Section 8.6.7, "Creating a Separate Domain Directory for Managed Servers in the Same Node as the Administration Server," perform an unpack on the host OIMHOST2 by using the following commands:
cd ORACLE_COMMON_HOME/common/bin
./unpack.sh -domain=ORACLE_BASE/admin/domain_name/mserver/domain_name -template=domaintemplate.jar -app_dir=ORACLE_BASE/admin/domain_name/mserver/applications
Perform this step on the following hosts:
Single Domain: IDMHOST2, OIMHOST1, OIMHOST2
Split Domain: IDMHOST2, OIMHOST2
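The unpack step in Sections 8.6.7 and 8.6.8 fails late and untidily when the mserver directory is missing or not writable, or when pack.sh was never run, so a practitioner fronts it with the checks the guide's notes call for. The script below is an added example, not code from the Oracle guide: it checks those preconditions, issues the guide's unpack command for the managed-server domain directory, and returns the per-topology host list the step has to be run on. Assumptions not on the page: ORACLE_COMMON_HOME is set as in the guide, and DRY_RUN=1 prints the unpack command instead of executing it.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: preflight checks before the unpack
# step of Sections 8.6.7/8.6.8 (the guide notes that the mserver directory must
# exist and be writable), a wrapper that issues the guide's unpack command, and
# the per-topology host list the step must be run on.
# Assumptions not on the page: ORACLE_COMMON_HOME is set as in the guide, and
# DRY_RUN=1 prints the unpack command instead of running it.

# unpack_hosts single|split -> hosts that need an unpack of domaintemplate.jar
unpack_hosts() {
    case $1 in
        single) echo "IDMHOST2 OIMHOST1 OIMHOST2" ;;
        split)  echo "IDMHOST2 OIMHOST2" ;;
        *)      echo "unknown topology: '$1'" >&2; return 1 ;;
    esac
}

# unpack_prereqs BASE DOMAIN TEMPLATE -> 0 if BASE/admin/DOMAIN/mserver exists
# and is writable and TEMPLATE is readable; reports every problem found
unpack_prereqs() {
    base=$1; domain=$2; template=$3; problems=0
    mserver="$base/admin/$domain/mserver"
    if [ ! -d "$mserver" ]; then
        echo "missing directory: $mserver (create it before unpack)" >&2; problems=1
    elif [ ! -w "$mserver" ]; then
        echo "no write permission on $mserver" >&2; problems=1
    fi
    if [ ! -r "$template" ]; then
        echo "template not readable: $template (run pack.sh first)" >&2; problems=1
    fi
    return $problems
}

# unpack_cmd BASE DOMAIN TEMPLATE -> the guide's unpack command for the mserver directory
unpack_cmd() {
    base=$1; domain=$2; template=$3
    printf '%s/common/bin/unpack.sh -domain=%s/admin/%s/mserver/%s -template=%s -app_dir=%s/admin/%s/mserver/applications\n' \
        "${ORACLE_COMMON_HOME:?set ORACLE_COMMON_HOME}" "$base" "$domain" "$domain" "$template" "$base" "$domain"
}

# run_unpack BASE DOMAIN TEMPLATE -> checks first, then runs (or prints) unpack
run_unpack() {
    unpack_prereqs "$@" || return 1
    cmd=$(unpack_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Example (run on each host from "unpack_hosts single" or "unpack_hosts split"):
#   DRY_RUN=1 run_unpack "$ORACLE_BASE" IDMDomain /path/to/domaintemplate.jar
```

Copy domaintemplate.jar to each host listed by unpack_hosts for your topology and run run_unpack there as the WebLogic OS user; a failed precheck leaves the host untouched, which is preferable to a half-written mserver directory.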
If the Node Manager is not already started, perform the following steps to start it:
Start the Node Manager to create the nodemanager.properties file by using the startNodemanager.sh script located under the MW_HOME/wlserver_10.3/server/bin directory.
Before you can start the Managed Servers by using the console, Node Manager requires that you set the property StartScriptEnabled to true. You set it by running the setNMProps.sh script located under the MW_HOME/oracle_common/common/bin directory, as follows.
cd MW_HOME/oracle_common/common/bin
./setNMProps.sh
Stop and start the Node Manager as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components" so that the properties take effect.
This step is required if you have not set up the appropriate certificates to authenticate the different nodes with the Administration Server. (See Chapter 17, "Setting Up Node Manager for an Enterprise Deployment.") If you have not configured the server certificates, you will receive errors when managing the different WebLogic Servers. To avoid these errors, disable host name verification while setting up and validating the topology, and enable it again once the EDG topology configuration is complete as described in Chapter 17, "Setting Up Node Manager for an Enterprise Deployment."
Perform these steps to disable host name verification:
Go to the Oracle WebLogic Server Administration Console at:
http://adminvhn.mycompany.com:7001/console
Log in as the user weblogic, using the password you specified during the installation.
Click Lock and Edit.
Expand the Environment node in the Domain Structure window.
Click Servers. The Summary of Servers page appears.
Select AdminServer(admin) in the Name column of the table. The Settings page for AdminServer(admin) appears.
Click the SSL tab.
Click Advanced.
Set Hostname Verification to None.
Click Save.
Click Activate Changes.
Stop the Administration Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Start WLST, connect to the Node Manager with nmConnect using the credentials described previously, and then start the Administration Server with nmStart.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Once in the wlst shell, execute the following commands:
nmConnect('Admin_User','Admin_Password', 'IDMHOST1','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
nmStart('AdminServer')
where Admin_User and Admin_Password are the Node Manager username and password you entered in Step 2 of Section 8.6.4, "Updating the Node Manager Credentials."
Note:
Admin_User and Admin_Password are only used to authenticate connections between Node Manager and clients. They are independent from the server administration ID and password and are stored in the ORACLE_BASE/admin/domain_name/aserver/domain_name/config/nodemanager/nm_password.properties file.
This section describes tasks for configuring Oracle HTTP Server for the WebLogic Domain, and for verifying the configuration.
This section includes the following topics:
Section 8.7.1, "Configuring Oracle HTTP Server for the WebLogic Administration Server"
Section 8.7.2, "Configuring Oracle HTTP Server for the Oracle Identity Manager Domain"
Section 8.7.4, "Registering Oracle HTTP Server with WebLogic Server"
Section 8.7.5, "Setting the Front End URL for the Administration Console"
Section 8.7.9, "Manually Failing Over the WebLogic Administration Server"
To enable Oracle HTTP Server to route to the Administration Server, you must set the corresponding mount points in your HTTP Server configuration.
On each of the web servers on WEBHOST1 and WEBHOST2, create a file called admin_vh.conf in the directory:
ORACLE_INSTANCE/config/OHS/component/moduleconf
This file has the following entries:
NameVirtualHost *:7777
<VirtualHost *:7777>
    ServerName admin.mycompany.com:80
    RewriteEngine On
    RewriteOptions inherit
    RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT]
    RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT]
    ServerAdmin you@your.address
    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
</VirtualHost>
Notes:
Values such as admin.mycompany:80 and you@youraddress that are noted in this document serve as examples only. Enter values based on the actual environment.
If you are not using a virtual host for your Administration Server host (single instance), replace ADMINVHN.mycompany.com with IDMHOST1.mycompany.com.
If you are placing your Oracle Identity Manager components into a separate domain, you must add a separate virtual host configuration into your Oracle HTTP Server configuration as follows:
On each of the web servers on WEBHOST1 and WEBHOST2, create a file called oimadmin_vh.conf in the directory:
ORACLE_INSTANCE/config/OHS/component/moduleconf
This file has the following entries:
<VirtualHost *:7777>
    ServerName oimadmin.mycompany.com:80
    RewriteEngine On
    RewriteOptions inherit
    RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT]
    RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT]
    ServerAdmin you@your.address
    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost OIMADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost OIMADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost OIMADMINVHN.mycompany.com
        WeblogicPort 7001
    </Location>
</VirtualHost>
Note:
Values such as oimadmin.mycompany:80 and you@youraddress that are noted in this document serve as examples only. Enter values based on the actual environment.
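As an added example that is not part of the guide, the following POSIX shell functions (hypothetical names) render the two virtual host files above, admin_vh.conf with NameVirtualHost and oimadmin_vh.conf without it, from their variable parts, and check that every mount point routes to the intended Administration Server host through the WebLogic handler before OHS is restarted. The host names, port and e-mail address are the guide's own placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): render the admin virtual host for
# OHS from its variable parts and validate the mount points before restarting.

# gen_admin_vh_conf SERVER_NAME WEBLOGIC_HOST WEBLOGIC_PORT SERVER_ADMIN [namevhost]
# Pass "namevhost" only when rendering admin_vh.conf: NameVirtualHost must
# appear once per listen address across the whole OHS configuration.
gen_admin_vh_conf() {
    if [ "${5:-}" = "namevhost" ]; then
        echo 'NameVirtualHost *:7777'
    fi
    cat <<EOF
<VirtualHost *:7777>
    ServerName $1:80
    RewriteEngine On
    RewriteOptions inherit
    RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT]
    RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT]
    ServerAdmin $4
    # Admin Server and EM
EOF
    for loc in /console /consolehelp /em; do
        cat <<EOF
    <Location $loc>
        SetHandler weblogic-handler
        WebLogicHost $2
        WeblogicPort $3
    </Location>
EOF
    done
    echo '</VirtualHost>'
}

# check_vh_conf EXPECTED_HOST  (reads the rendered file on stdin)
# Prints how many <Location> blocks route to EXPECTED_HOST with the WebLogic
# handler and a port; exits 1 if any block is incomplete, points at another
# host, or the Location tags are unbalanced.
check_vh_conf() {
    awk -v host="$1" '
        /<Location / { opens++; inloc = 1; handler = 0; h = ""; p = ""; next }
        inloc && /SetHandler weblogic-handler/ { handler = 1 }
        inloc && /WebLogicHost/                { h = $2 }
        inloc && /WeblogicPort/                { p = $2 }
        /<\/Location>/ {
            closes++; inloc = 0
            if (handler && h == host && p != "") ok++
        }
        END { print ok + 0; if (opens != closes || ok != opens) exit 1 }'
}

# Single-domain file (admin_vh.conf) and split-domain file (oimadmin_vh.conf):
gen_admin_vh_conf admin.mycompany.com ADMINVHN.mycompany.com 7001 you@your.address namevhost \
    | check_vh_conf ADMINVHN.mycompany.com
gen_admin_vh_conf oimadmin.mycompany.com OIMADMINVHN.mycompany.com 7001 you@your.address \
    | check_vh_conf OIMADMINVHN.mycompany.com
```

Redirect the generator's output to the file named in the step above and run the checker on the result; a non-zero exit means a mount point would be served by the wrong host or not by WebLogic at all.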
Restart OHS on WEBHOST1 as follows:
ORACLE_BASE/admin/instance_name/bin/opmnctl restartproc ias-component=ohs1
Restart OHS on WEBHOST2:
ORACLE_BASE/admin/instance_name/bin/opmnctl restartproc ias-component=ohs2
For Oracle Enterprise Manager Fusion Middleware Control to be able to manage and monitor the Oracle HTTP server, you must register the Oracle HTTP server with IDMDomain. Even when using a split domain topology, register the Oracle HTTP Server with IDMDomain only. To do this, you must register Oracle HTTP Server with WebLogic Server using the following command:
cd ORACLE_BASE/admin/instance_name/bin
./opmnctl registerinstance -adminHost ADMINVHN.mycompany.com \
-adminPort 7001 -adminUsername weblogic
You must also run this command from WEBHOST2 for OHS2.
Oracle WebLogic Server Administration Console tracks changes that are made to ports, channels and security using the console. When changes made through the console are activated, the console validates its current listen address, port and protocol. If the listen address, port and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using a load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address. To make this change, perform the following steps:
Log in to Oracle WebLogic Server Administration Console.
Click Lock and Edit.
Expand the Environment node in the Domain Structure window.
Click Servers to open the Summary of Servers page.
Select Admin Server in the Names column of the table. The Settings page for AdminServer(admin) appears.
Click the Protocols tab.
Click the HTTP tab.
Set the Front End Host field to admin.mycompany.com (your load balancer address).
Set Front End HTTP Port to 80.
Save and activate the changes.
To eliminate redirections, best practice is to disable the Administration Console's Follow Configuration Changes feature. To do this, log in to the Administration Console and click Preferences, then Shared Preferences. Deselect Follow Configuration Changes and click Save.
If you have Oracle Identity Manager in a separate domain, perform the same steps, but set the Front End Host field to oimadmin.mycompany.com.
In enterprise deployments, Oracle WebLogic Server is fronted by Oracle HTTP Servers, which are in turn fronted by a load balancer that terminates SSL. For internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.
The WebLogic Plugin Enabled setting can be applied at the domain, cluster, or Managed Server level. Because all requests to Oracle WebLogic Server pass through the OHS plug-in, set it at the domain level.
To do this perform the following steps:
Log in to the Oracle WebLogic Server Administration Console at:
http://ADMINVHN.mycompany.com:7001/console
Click Lock and Edit.
Click IDMDomain in the Domain Structure Menu.
Click the Configuration tab.
Click the Web Applications sub tab.
Select WebLogic Plugin Enabled.
Click Save and Activate the Changes.
Restart WebLogic Administration Server, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
If you are using a split domain topology, also log in to the Oracle WebLogic Server Administration Console at http://OIMADMINVHN.mycompany.com:7001/console and perform the same steps. In Step 3, click OIMDOMAIN in the Domain Structure Menu.
Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors. See Section 21.9, "Troubleshooting" for possible causes.
Validate Administration Console and Oracle Enterprise Manager Fusion Middleware Control through Oracle HTTP Server using the following URLs:
http://admin.mycompany.com/console
http://admin.mycompany.com/em
For information on configuring system access through the load balancer, see Section 3.3, "Configuring the Load Balancers."
Note:
After registering the Oracle HTTP Server as described in Section 8.7.4, "Registering Oracle HTTP Server with WebLogic Server," the Oracle HTTP Server should appear as a manageable target in Oracle Enterprise Manager Fusion Middleware Control. To verify this, log in to Fusion Middleware Control. The WebTier item in the navigation tree should show that Oracle HTTP Server has been registered.
Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors. See Section 21.9, "Troubleshooting" for possible causes.
Validate Administration Console and Oracle Enterprise Manager Fusion Middleware Control through Oracle HTTP Server using the following URLs:
http://oimadmin.mycompany.com/console
http://oimadmin.mycompany.com/em
For information on configuring system access through the load balancer, see Section 3.3, "Configuring the Load Balancers."
This section discusses how to fail over the Administration Server to IDMHOST2 and how to fail it back to IDMHOST1.
If you are using a split domain topology, follow the same procedures to fail over the Administration Server to OIMHOST2 and to fail it back to OIMHOST1.
This section contains the following topics:
Section 8.7.9.1, "Failing over the Administration Server to IDMHOST2"
Section 8.7.9.2, "Starting the Administration Server on IDMHOST2"
Section 8.7.9.3, "Validating Access to IDMHOST2 Through Oracle HTTP Server"
Section 8.7.9.4, "Failing the Administration Server Back to IDMHOST1"
If a node fails, you can fail over the Administration Server to another node. This section describes how to fail over the Administration Server from IDMHOST1 to IDMHOST2.
If you are using a split domain topology, follow the same procedures to fail over the Administration Server from OIMHOST1 to OIMHOST2.
Assumptions:
The Administration Server is configured to listen on ADMINVHN.mycompany.com, and not on ANY address. See step 10 in
The Administration Server is failed over from IDMHOST1 to IDMHOST2, and the two nodes have these IP addresses:
IDMHOST1: 100.200.140.165
IDMHOST2: 100.200.140.205
ADMINVIP: 100.200.140.206
This is the Virtual IP address where the Administration Server is running, assigned to interface:index (for example, eth1:2), available in IDMHOST1 and IDMHOST2.
The domain directory where the Administration Server is running on IDMHOST1 is on shared storage and is also mounted on IDMHOST2.
Note:
Node Manager in IDMHOST2 does not control the domain at this point, since unpack/nmEnroll has not been run yet on IDMHOST2. But for the purpose of AdminServer failover and control of the AdminServer itself, Node Manager is fully functional.
Oracle WebLogic Server and Oracle Fusion Middleware components have been installed in IDMHOST2 as described in previous chapters. That is, the same path for IDM_ORACLE_HOME and MW_HOME that exists in IDMHOST1 is available in IDMHOST2.
The following procedure shows how to fail over the Administration Server to a different node, IDMHOST2.
Linux
Stop the Administration Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Migrate the IP address to the second node.
Run the following command as root on IDMHOST1 (where x:y is the current interface used by ADMINVHN.mycompany.com):
/sbin/ifconfig x:y down
For example:
/sbin/ifconfig eth0:1 down
Run the following command on IDMHOST2:
/sbin/ifconfig interface:index IP_Address netmask netmask
For example:
/sbin/ifconfig eth0:1 10.0.0.1 netmask 255.255.255.0
Note:
Ensure that the netmask and interface to be used match the available network configuration in IDMHOST2.
Update routing tables by using arping, for example:
/sbin/arping -b -A -c 3 -I eth0 10.0.0.1
Windows
Stop the Administration Server as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Migrate the IP address to the second node.
Run the following command as root on IDMHOST1:
netsh interface ip delete address interface IP_Address
In the following example, the IP address is disabled on the interface Local Area Connection:
netsh interface ip delete address "Local Area connection" 100.200.140.206
Run the following command on IDMHOST2:
netsh interface ip add address interface IP_Address netmask
In the following example, the IP address is enabled on the interface Local Area Connection:
netsh interface ip add address "Local Area connection" 100.200.140.206 255.255.255.0
Perform the following steps to start Node Manager on IDMHOST2.
If you are using a split domain topology, follow the same procedures to start the Node Manager on OIMHOST2.
On IDMHOST1, unmount the Administration Server domain directory. For example:
umount /u01/app/oracle/admin/IDMDomain/aserver/
On IDMHOST2, mount the Administration Server domain directory. For example:
mount /u01/app/oracle/admin/IDMDomain/aserver/
Start Node Manager by using the following commands:
cd ORACLE_BASE/product/fmw/wlserver_10.3/server/bin
./startNodeManager.sh
Stop the Node Manager by killing the Node Manager process, or stop the service in Windows.
Note:
Starting and stopping Node Manager at this point is only necessary the first time you run Node Manager. Starting and stopping it creates a property file from a predefined template. The next step adds properties to that property file.
Run the setNMProps.sh script to set the StartScriptEnabled property to true before starting Node Manager:
cd MW_HOME/oracle_common/common/bin
./setNMProps.sh
Note:
You must use the StartScriptEnabled property to avoid class loading failures and other problems.
Start the Node Manager as described in Section 21.1.5.3, "Starting Node Manager for an Administration Server."
Start the Administration Server on IDMHOST2.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Once in the wlst shell, execute the following commands:
nmConnect('Admin_User','Admin_Password', 'IDMHOST2','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
nmStart('AdminServer')
Test that you can access the Administration Server on IDMHOST2 as follows:
Ensure that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.
Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.
Perform the same steps as in Section 8.7.7, "Validating Access to IDMDomain." This is to check that you can access the Administration Server when it is running on IDMHOST2.
If you are using a split domain topology, perform the same steps to check that you can access the Administration Server when it is running on OIMHOST2.
This step checks that you can fail back the Administration Server, that is, stop it on IDMHOST2 and run it on IDMHOST1. To do this, migrate ADMINVHN back to IDMHOST1 node as described in the following steps.
If you are using a split domain topology, follow the same procedures to migrate OIMADMINVHN back to OIMHOST1.
Ensure that the Administration Server is not running. If it is, stop it from the WebLogic console, or by running the command stopWeblogic.sh from DOMAIN_HOME/bin.
On IDMHOST2, unmount the Administration server domain directory. For example:
umount /u01/app/oracle/admin/IDMDomain/aserver/
On IDMHOST1, mount the Administration server domain directory. For example:
mount /u01/app/oracle/admin/IDMDomain/aserver/
Disable the ADMINVHN.mycompany.com virtual IP address on IDMHOST2 by running the following command as root on IDMHOST2:
/sbin/ifconfig x:y down
where x:y is the current interface used by ADMINVHN.mycompany.com.
Run the following command on IDMHOST1:
/sbin/ifconfig interface:index 100.200.140.206 netmask 255.255.255.0
Note:
Ensure that the netmask and interface to be used match the available network configuration in IDMHOST1.
Update routing tables by using arping. Run the following command from IDMHOST1:
/sbin/arping -b -A -c 3 -I interface 100.200.140.206
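The netmask and interface caveat from both the failover steps above and this failback step, as an added example that is not part of the guide: POSIX shell functions with hypothetical names, run over constructed ifconfig output for IDMHOST1 and IDMHOST2, that derive the ifconfig command for the target node from that node's own base interface and refuse to issue it while the VIP is still active on the node, and that count how many nodes currently own the VIP so that a VIP left up on both nodes is caught before the Administration Server is started. It assumes the classic and the newer net-tools ifconfig output layouts and the addresses from the Assumptions list.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): derive the ifconfig command that
# plumbs ADMINVIP on the target node from that node's own configuration and
# refuse to run it while the VIP is still up; a VIP active on two nodes at
# once is the classic failover/failback mistake.

# Constructed /sbin/ifconfig output (not captured from real hosts). IDMHOST1
# still carries the VIP as eth0:1; IDMHOST2 has only its base address.
IDMHOST1_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:00:01
          inet addr:100.200.140.165  Bcast:100.200.140.255  Mask:255.255.255.0
eth0:1    Link encap:Ethernet  HWaddr 00:16:3E:00:00:01
          inet addr:100.200.140.206  Bcast:100.200.140.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'
IDMHOST2_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 100.200.140.205  netmask 255.255.255.0  broadcast 100.200.140.255
        inet6 fe80::216:3eff:fe00:2  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

# iface_for_ip IFCONFIG_TEXT IP: print "interface netmask" for the interface or
# alias carrying IP (nothing if absent). Handles both the classic
# "inet addr:/Mask:" and the newer "inet/netmask" net-tools layouts.
iface_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /inet / && !/inet6/ {
            addr = ""; mask = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^addr:/) addr = substr($i, 6)
                else if ($i == "inet" && $(i + 1) !~ /^addr:/) addr = $(i + 1)
                if ($i ~ /^Mask:/) mask = substr($i, 6)
                else if ($i == "netmask") mask = $(i + 1)
            }
            if (addr == ip) { print iface, mask; exit }
        }'
}

# vip_owner_count VIP IFCONFIG_TEXT...: number of hosts that have VIP up.
# Exactly 1 is healthy; 0 means nothing answers for ADMINVHN, 2 means the
# old node was not brought down before the new one was brought up.
vip_owner_count() {
    vip=$1; shift; n=0
    for text in "$@"; do
        if [ -n "$(iface_for_ip "$text" "$vip")" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# vip_up_command TARGET_IFCONFIG BASE_IP VIP ALIAS_INDEX: print the ifconfig
# command that adds VIP as alias ALIAS_INDEX of the interface holding BASE_IP,
# reusing that interface's netmask so it cannot disagree with the node's network.
vip_up_command() {
    if [ -n "$(iface_for_ip "$1" "$3")" ]; then
        echo "refusing: $3 is already configured on this host" >&2; return 1
    fi
    base=$(iface_for_ip "$1" "$2")
    if [ -z "$base" ]; then
        echo "refusing: base address $2 not found on this host" >&2; return 1
    fi
    echo "/sbin/ifconfig ${base%% *}:$4 $3 netmask ${base#* }"
}
vip_owner_count 100.200.140.206 "$IDMHOST1_IFCONFIG" "$IDMHOST2_IFCONFIG"
vip_up_command "$IDMHOST2_IFCONFIG" 100.200.140.205 100.200.140.206 1
```

On a real node, feed `/sbin/ifconfig` output to the functions instead of the constructed samples; the printed command is the one to run as root, and the arping step from the guide still follows it.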
If Node Manager is not already started on IDMHOST1, start it, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Start the Administration Server again on IDMHOST1.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Once in the wlst shell, execute the following commands:
nmConnect('Admin_User','Admin_Password', 'IDMHOST1','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
nmStart('AdminServer')
Test that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.
Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information about database backups, refer to the Oracle Database Backup and Recovery User's Guide.
To back up the installation at this point, complete these steps:
Back up the web tier as described in Section 7.7, "Backing up the Web Tier Configuration."
Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.
Stop Node Manager and all the processes running in the domain, as described in Section 21.1, "Starting and Stopping Oracle Identity Management Components."
Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory. On Linux, type:
tar -cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver
For information about backing up the application tier configuration, see Section 21.6, "Performing Backups and Recoveries."