| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition) 11g Release 1 (11.1.3) Part Number E21032-07 |
|
|
PDF · Mobi · ePub |
This chapter describes how to install and configure the Identity Management database repositories.
This chapter contains the following topics:
Section 5.1, "Overview of Preparing the Databases for an Identity Management Enterprise Deployment"
Section 5.2, "Verifying the Database Requirements for an Enterprise Deployment"
Section 5.3, "Installing the Database for an Enterprise Deployment"
Section 5.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU"
The Identity Management components in the enterprise deployment use database repositories. This chapter describes how to perform the following steps:
Verify the database requirements as described in Section 5.2, "Verifying the Database Requirements for an Enterprise Deployment."
Install and configure the Oracle database repositories. See the installation guides listed in the "Related Documents" section of the Preface and Section 5.3, "Installing the Database for an Enterprise Deployment."
Create database services, as described in Section 5.4, "Creating Database Services."
Create the required Oracle schemas in the database using the Repository Creation Utility (RCU). See Section 5.5, "Loading the Identity Management Schemas in the Oracle RAC Database by Using RCU."
Before loading the metadata repository into your databases, check that they meet the requirements described in these subsections:
For Oracle Identity management, a number of separate databases are recommended. Table 5-1 provides a summary of these databases. Which database or databases you use depends on the topology that you are implementing.
The Oracle Metadata Services (MDS) Repository is a particular type of repository that contains metadata for some Oracle Fusion Middleware components. It can also include custom Java EE applications developed by your organization.
Table 5-1 Mapping between Topologies, Databases and Schemas
| Topology Type | Database Names | Database Hosts | Service Names | Schemas in Database |
|---|---|---|---|---|
|
Oracle Access Manager 11g and Oracle Identity Manager 11g (OAM11g/OIM11g) |
OIDDB |
OIDDBHOST1 OIDDBHOST2 |
|
|
|
IDMDB |
IDMDBHOST1 IDMDBHOST2 |
|
|
|
|
Oracle Identity Federation 11g (OIF11g/OAM11g) |
OIDDB |
OIDDBHOST1 OIDDBHOST2 |
|
|
|
IDMDB |
IDMDBHOST1 IDMDBHOST2 |
|
|
Footnote 1 The SOA and Oracle Identity Manager components share the MDS repository.
Notes:
If you are using Oracle Internet Directory to store both your identity and policy information, and separating this information across two Oracle Internet Directory instances, then two databases are required for the ODS schema.
The following sections apply to all the databases listed in Table 5-1.
The database used to store the metadata repository should be highly available in its own right, for maximum availability Oracle recommends the use of an Oracle Real Application Clusters (RAC) database.
Ideally the database should use Oracle Automatic Storage Management (ASM) for the storage of data, however this is not necessary.
If using ASM, then ASM should be installed into its own Oracle home and have two disk groups:
One for the Database Files
One for the Flash Recovery Area
If you are using Oracle ASM, best practice is to also use Oracle Managed Files.
To check if your database is certified or to see all certified databases, refer to the "Certified Databases" section in the Certification Document:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
To determine the version of your installed Oracle Database, execute the following query at the SQL prompt:
select version from sys.product_component_version where product like 'Oracle%';
Patches are required for some versions of Oracle Database.
Table 5-2 lists patches required for Oracle Identity Manager configurations that use Oracle Database 11g (11.1.0.7). Before you configure Oracle Identity Manager 11g, be sure to apply the patches to your Oracle Database 11g (11.1.0.7) database.
Table 5-2 Required Patches for Oracle Database 11g (11.1.0.7)
| Platform | Patch Number and Description on My Oracle Support |
|---|---|
|
UNIX / Linux |
7614692: BULK FEATURE WITH 'SAVE EXCEPTIONS' DOES NOT WORK IN ORACLE 11G |
|
7000281: DIFFERENCE IN FORALL STATEMENT BEHAVIOR IN 11G |
|
|
8327137: WRONG RESULTS WITH INLINE VIEW AND AGGREGATION FUNCTION |
|
|
8617824: MERGE LABEL REQUEST ON TOP OF 11.1.0.7 FOR BUGS 7628358 7598314 |
If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 10259620. This is a prerequisite for installing the Oracle Identity Manager schemas.
Table 5-3 lists the patches required for Oracle Identity Manager configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.
Table 5-3 Required Patches for Oracle Database 11g (11.2.0.2.0)
| Platform | Patch Number and Description on My Oracle Support |
|---|---|
|
Linux x86 (32-bit) Linux x86 (64-bit) |
RDBMS Interim Patch#10259620. |
If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return empty result.
Note:
Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.
In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the metalink note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" for the workaround. This note can be followed to set the parameters accordingly with the only exception that they need to be altered at the Database Instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.
The databases must have the following minimum initialization parameters defined:
Table 5-4 Minimum Initialization Parameters for Oracle RAC Databases
| Parameter | Value |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Footnote 1 OAM requires a minimum of 800 open cursors in the database. When OIM and OAM are available, the number of open cursors should be 1500.
If the database is being used for Oracle Internet Directory, it must have the following minimum initialization parameters defined:
Table 5-5 Minimum Initialization Parameters for Oracle RAC Oracle Internet Directory Databases
| Parameter | Value |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2G |
|
|
|
|
|
|
|
|
|
Install and configure the database repository as follows.
Oracle Clusterware
For 10g Release 2 (10.2), see the Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in "Related Documents".
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
Automatic Storage Management
For 10g Release 2 (10.2), see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in "Related Documents".
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration screen to create a separate Automatic Storage Management home.
Oracle Real Application Clusters
For 10g Release 2 (10.2), see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for your platform, listed in "Related Documents".
For 11g Release 1 (11.1), see Oracle Real Application Clusters Installation Guide.
This section describes how to configure the database for Oracle Fusion Middleware 11g metadata. It contains the following topics:
Section 5.4.1, "Creating a Real Applications Clusters Database"
Section 5.4.2, "Creating Database Services for 10.x and 11.1.x Databases"
Section 5.4.3, "Creating Database Services for 11.2.x Databases"
Create a Real Applications Clusters Database with the following characteristics:
Database must be in archive log mode to facilitate backup and recovery.
Optionally, enable the Flashback database.
Create UNDO tablespace of sufficient size to handle any rollback requirements during the Oracle Identity Manager reconciliation process.
Database is created with ALT32UTF8 character set.
For complete instructions on creating database services, see the chapter on Workload Management in the Oracle Database Oracle Clusterware and Oracle Real Application Clusters Administration and Deployment Guide. Oracle recommends that a specific database service be used for a product suite, even when product suites share the same database. It is also recommended that the database service used is different than the default database service.
Use the CREATE_SERVICE subprogram to create the database services for the components in your topology. The lists of services to be created are listed in Section 5.2.1, "Mapping between Topologies, Databases and Schemas."
Log on to SQL*Plus as the sysdba user by typing:
sqlplus "sys/password as sysdba"
Then run the following command to create a service called oamedg.mycompany.com for Oracle Access Manager:
EXECUTE DBMS_SERVICE.CREATE_SERVICE (SERVICE_NAME => 'oamedg.mycompany.com', NETWORK_NAME => 'oamedg.mycompany.com');
Add the service to the database and assign it to the instances using srvctl:
srvctl add service -d idmdb -s oamedg.mycompany.com -r idmdb1,idmdb2
Start the service using srvctl:
srvctl start service -d idmdb -s oamedg.mycompany.com
When creating a service in the database for Oracle Internet Directory, ensure that the service is enabled for high-availability notifications and configured with the proper server-side Transparent Application Failover (TAF) settings. Use the DBMS_SERVICE package to create the service to enable high availability notification to be sent through Advanced Queuing (AQ) by setting the AQ_HA_NOTIFICATIONS attribute to TRUE and configure server-side Transparent Application Failover (TAF) settings, as follows:
Use the CREATE_SERVICE subprogram to both create the database service and enable high-availability notification and configure server-side Transparent Application Failover (TAF) settings.
Log on to SQL*Plus as the sysdba user by typing:
sqlplus "sys/password as sysdba"
Then execute this command:
EXECUTE DBMS_SERVICE.CREATE_SERVICE( SERVICE_NAME => 'oidedg.mycompany.com', NETWORK_NAME => 'oidedg.mycompany.com', AQ_HA_NOTIFICATIONS => TRUE, FAILOVER_METHOD => DBMS_SERVICE.FAILOVER_METHOD_BASIC, FAILOVER_TYPE => DBMS_SERVICE.FAILOVER_TYPE_SELECT, FAILOVER_RETRIES => 5, FAILOVER_DELAY => 5);
Note:
The EXECUTE DBMS_SERVICE command shown must be entered on a single line to execute properly.
For more information about the DBMS_SERVICE package, see the Oracle Database PL/SQL Packages and Types Reference.
Add the service to the database and assign it to the instances using srvctl:
srvctl add service -d oiddb -s oidedg.mycompany.com -r oiddb1,oiddb2
Start the service using srvctl:
srvctl start service -d oiddb -s oidedg.mycompany.com
Note:
For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.
Use srvctl to create the database services for the components in your topology. The lists of services to be created are listed in Table 5-1, "Mapping between Topologies, Databases and Schemas".
Create service using the command srvctl add service, as follows.
srvctl add service -d oiddb -s oidedg.mycompany.com -r idmdb1,idmdb2 -q TRUE -m BASIC -e SELECT -w 5 -z 5
The meanings of the command-line arguments are as follows:
| Option | Argument |
|---|---|
|
-d |
Unique name for the database |
|
-s |
Service name |
|
-r |
Comma separated list of preferred instances |
|
-q |
AQ HA notifications (TRUE or FALSE) |
|
-e |
Failover type (NONE, SESSION, or SELECT) |
|
-m |
Failover method (NONE or BASIC) |
|
-w |
Failover delay (integer) |
|
-z |
Failover retries (integer) |
Note:
Transparent Application Failover (TAF) settings are only required when creating a service for Oracle Internet Directory.
Start the Service using srvctl start service
srvctl start service -d oiddb -s oidedg.mycompany.com
Validate the service started by using srvctl status service, as follows:
srvctl status service -d oiddb -s oidedg.mycompany.com Service oidedg.mycompany.com is running on instance(s) idmdb1,idmdb2
Validate that the service was created correctly by using srvctl config service:
srvctl config service -d oiddb -s oidedg.mycompany.com Service name: oidedg.mycompany.com Service is enabled Server pool: oiddb_oidedg.mycompany.com Cardinality: 2 Disconnect: false Service role: PRIMARY Management policy: AUTOMATIC DTP transaction: false AQ HA notifications: true Failover type: SELECT Failover method: BASIC TAF failover retries: 5 TAF failover delay: 5 Connection Load Balancing Goal: LONG Runtime Load Balancing Goal: NONE TAF policy specification: NONE Edition: Preferred instances: idmdb1,idmdb2 Available instances:
Note:
For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.
The database parameters defined in Section 5.4.1, "Creating a Real Applications Clusters Database" are only a guide. You might need to perform additional tuning after the system is in use. For more information, see Database Performance Tuning Guide.
Refresh the database statistics after you initially load the database, and on an ongoing basis. To do that, issue the following SQL*Plus command:
exec DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME=> '<OIM_SCHEMA>', ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, DEGREE=>8, OPTIONS=>'GATHER AUTO', NO_INVALIDATE=>FALSE);
You run RCU to create the collection of schemas used by Identity Management and Management Services.
Start RCU by issuing this command:
RCU_HOME/bin/rcu &
On the Welcome screen, click Next.
On the Create Repository screen, select the Create operation to load component schemas into a database. Then click Next.
On the Database Connection Details screen, provide the information required to connect to an existing database. For example:
Database Type: Oracle Database
Host Name: Enter one of the Oracle RAC nodes. Specify the Virtual IP name. For example: oiddbhost1-vip.mycompany.com.
Port: The port number for the database listener. For example: 1521
Service Name: The service name of the database. For example oidedg.mycompany.com.
Username: sys
Password: The sys user password
Role: SYSDBA
Click Next.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Select Components screen, provide the following values:
Create a New Prefix: Enter a prefix to be added to the database schemas. Note that all schemas except for the ODS schema are required to have a prefix. For example, enter EDG.
Components: Select the schemas shown in Table 5-6.
Table 5-6 Component Schemas
| Product | RCU Option | Comments |
|---|---|---|
|
Oracle Internet Directory |
Identity Management–Oracle Internet Directory |
|
|
Oracle Access Manager |
Identity Management–Oracle Access Manager |
Audit Services will also be selected. |
|
Oracle Identity Manager |
Identity Management–Oracle Identity Manager |
Metadata Services, SOA infrastructure, and User Messaging will also be selected. |
|
Oracle Identity Federation |
Identity Management–Oracle Identity Federation |
Click Next.
Notes:
If your topology requires more than one database, the following important considerations apply:
Be sure to install the correct schemas in the correct database.
You might have to run the RCU more than once to create all the schemas for a given topology.
Table 5-1 in this chapter provides the recommended mapping between the schemas and their corresponding databases. Refer to this table to ensure that the correct details are entered in this screen.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Schema Passwords screen, enter the passwords for the schemas. You can choose to use either the same password for all the schemas or different passwords for each of the schemas. Oracle recommends choosing different passwords for different schema's to enhance security
Click Next.
On the Map Tablespaces screen, accept the defaults and click Next.
On the confirmation screen, click OK to allow the creation of the tablespaces.
On the Creating tablespaces screen, click OK to acknowledge creation of the tablespaces.
On the Summary screen, the summary and verify that the details provided are accurate. Click Create to start the schema creation process.
On the Completion summary screen, verify that the schemas were created.
Click Close to exit.
|
 Copyright © 2004, 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|