This chapter describes how to create a domain using the Configuration Wizard, Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control. The topology you are creating dictates the number of domains you need to create. Once the initial domain has been created, it can be extended with other products as described later on in this book.
Note:
Oracle strongly recommends that you read the release notes for any additional installation and deployment considerations prior to starting the setup process.
This chapter contains the following sections.
Section 8.4, "Running the Configuration Wizard to Create a Domain"
Section 8.6, "Testing Manual Failover of the WebLogic Administration Server"
Table 8-1 lists the steps for creating a WebLogic domain, including post-configuration tasks.
Table 8-1 Steps for Creating a WebLogic Domain
| Step | Description | More Information |
|---|---|---|
| Create a WebLogic Domain | Run the Configuration Wizard to create the WebLogic domain. | Section 8.4, "Running the Configuration Wizard to Create a Domain" |
| Post-Configuration and Verification Tasks | Follow the instructions for post-configuration and validation tasks. | Section 8.5 |
| Back Up the Domain | Back up the newly configured WebLogic domain. | Section 17.6.3, "Performing Backups During Installation and Configuration" |
Once this domain is created and configured you can extend the domain to include other Identity Management components, as described in the next chapters.
As described in Section 4.4, "About Recommended Locations for the Different Directories," you install Oracle Fusion Middleware software in at least two storage locations for redundancy.
You must install the following components of Oracle Fusion Middleware to create a Middleware home (MW_HOME):
Oracle WebLogic Server: Section 8.2.1, "Installing Oracle WebLogic Server and Creating the Fusion Middleware Home"
One or more of the Oracle Fusion Middleware components
Oracle Fusion Middleware for Identity Management
This section describes how to obtain and install Oracle WebLogic Server.
Download the version of JRockit for your platform from:
http://www.oracle.com/technetwork/middleware/jrockit/downloads/index.html
Add execute permissions to JRockit. For example:
chmod +x jrockit-1.6.0_29-R28.2.0-4.0.1-linux-x64.bin
Start the JRockit installer by issuing the command:
./jrockit-version.bin
For example:
./jrockit-1.6.0_29-R28.2.0-4.0.1-linux-x64.bin
On the Welcome Screen, click Next.
On the Choose Product Installation Directories screen, enter the Product Installation Directory, which is inside your Middleware Home.
On the Optional Components Screen, click Next.
On the Installation Complete screen, click Done.
Download the Oracle WebLogic Server Generic Installer from: http://edelivery.oracle.com
Add JRockit to your path. For example, on Linux, issue the command:
export PATH=IAM_MW_HOME/jrockit-jdk1.6.0_29-R28.2.0-4.0.1/bin:$PATH
Check the version of java by issuing the command:
java -version
Ensure that the 64-bit version is displayed if you are using a 64-bit operating system.
Start the WebLogic installer using the appropriate command:
64-Bit Operating System
java -d64 -jar wls1036_generic.jar
32-Bit Operating System
java -jar wls1036_generic.jar
On the Welcome screen, click Next.
On the Choose Middleware Home screen, select: Create a New Middleware Home
For the Middleware Home directory enter the path to IAM_MW_HOME, for example:
/u01/oracle/products/access
Click Next.
A warning is displayed, informing you that the directory is not empty and asking if you want to proceed.
Click Yes.
On the Register for Security Updates screen, enter your My Oracle Support username and password so that you can be notified of security updates.
Click Next.
On the Choose Install Type screen, select Typical.
Note:
Oracle WebLogic Server and Oracle Coherence are installed.
On the JDK Selection screen, select the JRockit JDK that you installed earlier. It should be listed by default.
Note:
The examples documented in this guide use JRockit. Any certified version of Java can be used for this procedure and is fully supported unless otherwise noted.
On the Choose Product Installation Directories screen, accept the following:
Middleware Home Directory: IAM_MW_HOME
Product Installation Directories for WebLogic Server: IAM_MW_HOME/wlserver_10.3
Oracle Coherence: IAM_MW_HOME/wlserver_10.3/coherence_3.6
Click Next.
On the Installation Summary screen, click Next to start the install process
On the Installation complete screen, deselect Run Quickstart.
Click Done to exit the WebLogic Server Installer.
Oracle Identity and Access Management includes the following products:
Oracle Access Management Access Manager
Oracle Identity Manager
Perform the steps in this section to install Oracle Identity and Access Management on the hosts identified in Table 2-2, "Software Versions Used".
Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.
To start the Oracle Fusion Middleware 11g Installer for Oracle Identity and Access Management, change directory to Disk1 of the installation media and enter the command:
./runInstaller
When the installer prompts you for a JRE/JDK location, enter the Oracle SDK location created in the Oracle WebLogic Server installation, for example:
IAM_MW_HOME/jrockit_version
Then perform these installation steps:
On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:
Specify the Inventory Directory: /u02/oracle/oraInventory
Operating System Group Name: oinstall
A dialog box appears with the following message:
Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u02/oracle/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option.
Log in as root and run:
/u02/oracle/oraInventory/createCentralInventory.sh
This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.
Note:
The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check the following:
The /etc/oraInst.loc file exists.
The Inventory directory listed is valid.
The user performing the installation has write permissions for the Inventory directory.
On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates or search for updates locally.
Click Next.
On the Welcome screen click Next.
On the Prerequisite Checks screen, verify that the checks complete successfully, then click Next.
On the Specify Installation Location screen, enter the following values:
Oracle Middleware Home: Select a previously installed Middleware Home from the drop-down list. For example: IAM_MW_HOME
Oracle Home Directory: Enter iam as the Oracle home directory name.
Click Next.
On the Application Server Screen select WebLogic Server and click Next.
On the Installation Summary screen, click Install.
On the Installation Progress screen, click Next.
On the Installation Complete screen, click Finish.
Perform these steps to install the Oracle SOA Suite.
Ensure that the system, patch, kernel and other requirements are met. These are listed in the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite in the Oracle Fusion Middleware documentation library for the platform and version you are using.
To start the Oracle Fusion Middleware 11g SOA Suite Installer, change directory to Disk1 of the installation media and enter the appropriate command.
On Linux systems the command is:
./runInstaller
When the installer prompts you for a JRE/JDK location, enter the Oracle SDK location created in the Oracle WebLogic Server installation, for example:
IAM_MW_HOME/jrockit_version
Then perform these installation steps:
On the Specify Inventory Directory screen, enter values for the Oracle Inventory Directory and the Operating System Group Name. For example:
Specify the Inventory Directory: /u02/oracle/oraInventory
Operating System Group Name: oinstall
A dialog box appears with the following message:
Certain actions need to be performed with root privileges before the install can continue. Please execute the script /u02/oracle/oraInventory/createCentralInventory.sh now from another window and then press "Ok" to continue the install. If you do not have the root privileges and wish to continue the install select the "Continue installation with local inventory" option.
Log in as root and run:
/u02/oracle/oraInventory/createCentralInventory.sh
This sets the required permissions for the Oracle Inventory Directory and then brings up the Welcome screen.
Note:
The Oracle Inventory screen is not shown if an Oracle product was previously installed on the host. If the Oracle Inventory screen is not displayed for this installation, check the following:
The /etc/oraInst.loc file exists.
The Inventory directory listed is valid.
The user performing the installation has write permissions for the Inventory directory.
On the Welcome screen, click Next.
On the Install Software Updates screen, choose whether to register with Oracle Support for updates or search for updates locally.
Click Next.
On the Prerequisite Checks screen, verify that the checks complete successfully, and then click Next.
On the Specify Installation Location screen, enter the following values:
Oracle Middleware Home: Select a previously installed Middleware Home from the drop-down list. For example: IAM_MW_HOME
Oracle Home Directory: Enter soa as the Oracle home directory name.
Note:
You must use the same Oracle home directory name for Oracle SOA Suite on all hosts.
Click Next.
On the Application Server screen, choose your Application Server, for example: WebLogic Server.
Click Next.
On the Installation Summary screen, click Install.
On the Installation Progress screen, click Next.
On the Installation Complete screen, click Finish.
The component URLs related to the domains, and the user names used to access them, are listed in the following table.
Run the WebLogic Configuration Wizard on IDMHOST1 once for each domain to be created. In later chapters you will extend these domains to include the components of your topology.
To create a domain:
Ensure that the database where you installed the repository is running. For Oracle RAC databases, all instances should be running, so that the validation check later in the procedure is more reliable.
Change directory to the location of the Configuration Wizard. This is within ORACLE_COMMON_HOME.
cd ORACLE_COMMON_HOME/common/bin
Start the Oracle Fusion Middleware Configuration Wizard.
On Linux, type:
config.sh
On the Welcome screen, select Create a New WebLogic Domain, and click Next.
On the Select Domain Source screen, select the following products:
Oracle Enterprise Manager [oracle_common]
Oracle Platform Security Service [iam]
Oracle Directory Services Manager [oud] (if using Oracle Unified Directory)
Oracle JRF [oracle_common]
Click Next.
On the Specify Domain Name and Location screen, enter the following:
Domain name: IDMDomain
Domain location:
/u01/oracle/config/domains
Application location:
ASERVER_HOME/applications
Ensure that the domain directory matches the directory and shared storage mount point recommended in Section 4.4, "About Recommended Locations for the Different Directories."
Click Next.
On the Configure Administrator Username and Password screen, enter the username (default is weblogic) and password to be used for the domain's administrator. For example:
Name: weblogic
User Password: password for weblogic user
Confirm User Password: password for weblogic user
Description: This user is the default administrator.
Click Next.
On the Configure Server Start Mode and JDK screen, do the following:
For WebLogic Domain Startup Mode, select Production Mode.
For JDK Selection, select JRockit SDK
Click Next.
Note:
The next step and all steps through Step 12, "On the Test Component Schema," are only relevant if the domain being created is IDMDomain or OIMDomain.
On the Configure JDBC Component Schema screen, select the following:
OPSS Schema
For the Oracle RAC configuration for component schemas, select Convert to GridLink.
Click Next.
The GridLink RAC Component Schema screen appears. In this screen, enter values for the following fields, specifying the connect information for the Oracle RAC database that was seeded with RCU.
Driver: Select Oracle's driver (Thin) for GridLink Connections, Versions: 10 and later.
Select Enable FAN.
Do one of the following:
If you do not want ONS notifications encrypted, deselect SSL.
To encrypt ONS notifications, select SSL and provide the appropriate wallet and wallet password.
Service Listener: Enter the SCAN address and port for the RAC database being used. You can identify this address by querying the parameter remote_listener in the database:
SQL> show parameter remote_listener;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      DB-SCAN.mycompany.com:1521
Note:
For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener, for example: DBHOST1-VIP.mycompany.com (port 1521) and DBHOST2-VIP.mycompany.com (port 1521), where 1521 is DB_LSNR_PORT
For Oracle Database 10g, use multi data sources to connect to an Oracle RAC database. For information about configuring multi data sources see Appendix A, "Using Multi Data Sources with Oracle RAC."
ONS Host: Enter the SCAN address for the Oracle RAC database and the ONS remote port, as reported by the database when you invoke the following command:
srvctl config nodeapps -s
ONS exists: Local port 6100, remote port 6200, EM port 2016
Note:
For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example: DBHOST1.mycompany.com (port 6200) and DBHOST2.mycompany.com (port 6200)
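As an added example (not part of the Oracle guide), the following POSIX shell functions derive the Service Listener and ONS Host values from the output of the two commands quoted above. The sample output strings are constructed here to match the guide's examples; in practice you feed in the real output of show parameter remote_listener and srvctl config nodeapps -s. The functions assume remote_listener holds a plain host:port value, as it does for a SCAN address on Oracle Database 11g Release 2, and fail deliberately when it does not (for example when it holds a TNS descriptor), which is the case where the per-instance listener and ONS values from the notes above apply instead.

```shell
#!/bin/sh
# Added example: derive the GridLink "Service Listener" and "ONS Host" values
# from the output of the two commands the guide quotes. The sample output
# below is constructed to match the guide's examples.

REMOTE_LISTENER_OUTPUT='NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_listener                      string      DB-SCAN.mycompany.com:1521'

SRVCTL_ONS_OUTPUT='ONS exists: Local port 6100, remote port 6200, EM port 2016'

# Print the VALUE column of the remote_listener row (e.g. DB-SCAN.mycompany.com:1521).
scan_listener() {
    printf '%s\n' "$1" | awk '$1 == "remote_listener" { print $3 }'
}

# Print the ONS remote port reported by srvctl (e.g. 6200).
ons_remote_port() {
    printf '%s\n' "$1" | sed -n 's/.*remote port \([0-9][0-9]*\).*/\1/p'
}

# Print the ONS Host value for the wizard: the SCAN host joined to the ONS
# remote port. Returns 1 when remote_listener is not a plain host:port value
# (empty, or a TNS descriptor), because the SCAN address cannot be read from
# it and the per-instance listener and ONS values must be used instead.
ons_host() {
    listener=$(scan_listener "$1")
    port=$(ons_remote_port "$2")
    case "$listener" in
        *:[0-9]*) ;;
        *) return 1 ;;
    esac
    [ -n "$port" ] || return 1
    printf '%s:%s\n' "${listener%:*}" "$port"
}

# Usage with the constructed sample output:
#   scan_listener "$REMOTE_LISTENER_OUTPUT"                  -> DB-SCAN.mycompany.com:1521
#   ons_host "$REMOTE_LISTENER_OUTPUT" "$SRVCTL_ONS_OUTPUT"  -> DB-SCAN.mycompany.com:6200
```

The host:port check matters because a remote_listener value that is a TNS descriptor or alias would otherwise be split at the wrong place and produce a plausible-looking but wrong ONS Host; failing loudly sends you back to the database-version notes above.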
Enter the following RAC component schema information:
| Schema Name | Service Name | Schema Owner | Password | 
|---|---|---|---|
| OPSS Schema | OESEDG.mycompany.com | EDG_OPSS | password | 
If you prefer to use RAC Multi Data Sources, see Appendix A, "Using Multi Data Sources with Oracle RAC."
Click Next.
In the Test JDBC Data Sources screen, confirm that all connections are successful. The connections are tested automatically and the Status column displays the results. If any connection fails, click Previous to return to the previous screen and correct your entries.
Click Next when all the connections are successful.
On the Test Component Schema screen, the Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.
On the Select Optional Configuration screen, select the following:
Administration Server
Managed Servers, Clusters and Machines
Click Next.
On the Configure the Administration Server screen, enter the following values:
Name: AdminServer
Listen Address: ADMINVHN.mycompany.com
Listen Port: 7001 (WLS_ADMIN_PORT)
SSL Listen Port: 7002 (WLS_ADMIN_SSL_PORT)
SSL Enabled: Selected
Click Next.
On the Configure Managed Servers screen, click Next.
On the Configure Clusters screen, click Next.
On the Configure Machines screen, click the Unix Machine tab and then click Add to add the following machine. The machine name does not need to be a valid host name or listen address; it is just a unique identifier of a Node Manager location:
Name: ADMINHOST
Node manager listen address: LOCALHOST
Note:
The virtual host machine must point to LOCALHOST because LOCALHOST is the relative internal address for whatever machine is active. The node manager associated with the Administration Server changes when the Administration Server fails over because the Administration Server uses the localhost attribute in conjunction with the first host and then again, after failover, in conjunction with the second host.
Click Next.
On the Assign Servers to Machines screen, assign servers to machines as follows:
ADMINHOST: AdminServer
where ADMINHOST is the name value entered in Step 17, for example:
ADMINVHN.mycompany.com
Click Next.
On the Configuration Summary screen, validate that your choices are correct, then click Create.
On the Create Domain screen, click Done.
After configuring the domain with the configuration Wizard, follow these instructions for post-configuration and verification.
This section includes the following topics:
Section 8.5.2, "Creating boot.properties for the WebLogic Administration Servers"
Section 8.5.3, "Associate the Domain with the OPSS Policy Store"
Section 8.5.4, "Starting Node Manager on IDMHOST1 and IDMHOST2"
Section 8.5.5, "Updating the Node Manager Credentials"
Section 8.5.6, "Validating the WebLogic Administration Server"
Section 8.5.8, "Disabling Host Name Verification for the Oracle WebLogic Administration Server"
Section 8.5.9, "Stopping and Starting the WebLogic Administration Server"
This section is required only if you are using Oracle Unified Directory in active-active mode, as shown in the topology diagrams.
After installing Oracle Identity and Access Management, apply Patch 16943171.
Then manually copy the file adapter_template_oim.xml from ORACLE_COMMON_HOME/modules/oracle.ovd_11.1.1/templates/ to: IAM_ORACLE_HOME/libovd/. For example:
cp ORACLE_COMMON_HOME/modules/oracle.ovd_11.1.1/templates/adapter_template_oim.xml IAM_ORACLE_HOME/libovd/
Create a boot.properties file for the Administration Server on the host IDMHOST1. If the file already exists, edit it. The boot.properties file enables the Administration Server to start without prompting you for the administrator username and password.
For each Administration Server:
Create the following directory structure.
mkdir -p ASERVER_HOME/servers/AdminServer/security
In a text editor, create a file called boot.properties in the last directory created in the previous step, and enter the username and password in the file. For example:
username=weblogic
password=password for weblogic user
Save the file and close the editor.
Note:
The username and password entries in the file are not encrypted until you start the Administration Server, as described in Section 8.5.5, "Updating the Node Manager Credentials." For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
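As an added example (not from the Oracle guide), the following POSIX shell function creates the boot.properties file so that it is never readable by other users on the host, which is the practical mitigation for the unencrypted window the note above describes. ASERVER_HOME is passed as an argument; the password is read from standard input rather than taken from the command line so that it does not appear in the process list. The helper that checks the resulting mode, and the example-password value used below, are constructed for this example.

```shell
#!/bin/sh
# Added example: create the Administration Server boot.properties with
# owner-only permissions, so the plaintext credentials are not exposed in the
# interval before WebLogic encrypts them on first start.

# Usage: printf '%s\n' "$password" | create_boot_properties ASERVER_HOME weblogic
create_boot_properties() {
    aserver_home="$1"
    user="$2"
    secdir="$aserver_home/servers/AdminServer/security"
    # Password arrives on stdin, not argv, so it is not visible via ps.
    IFS= read -r pass || return 1
    # umask 077 inside a subshell: the directory chain and the file are
    # created with owner-only access, and the caller's umask is untouched.
    (
        umask 077
        mkdir -p "$secdir" &&
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$secdir/boot.properties"
    ) || return 1
    # If the file already existed (the guide says to edit it in that case),
    # redirection keeps its old mode, so force owner-only read/write explicitly.
    chmod 600 "$secdir/boot.properties"
}

# Returns 0 when the file is readable and writable by its owner only.
boot_properties_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}
```

Run it as the operating system user that will start the Administration Server, since that user, and only that user, must be able to read the file; then start the server promptly so the entries are encrypted.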
Before starting your domain for the first time, you must associate the domain with the OPSS policy store in the database. To do this perform the following steps.
To associate the first domain with the OPSS security store, use the following command:
ORACLE_COMMON_HOME/common/bin/wlst.sh IAM_ORACLE_HOME/common/tools/configureSecurityStore.py -d ASERVER_HOME -c IAM -m create -p opss_schema_password
The schema password given with -p is visible in the process list to other users on the host for as long as the command runs, so run it from a host and session that are not shared.
Validate that the command has been successful by issuing the command:
ORACLE_COMMON_HOME/common/bin/wlst.sh IAM_ORACLE_HOME/common/tools/configureSecurityStore.py -d ASERVER_HOME -m validate
Perform these steps to start Node Manager on IDMHOST1 and IDMHOST2:
Run the startNodeManager.sh script located under the WL_HOME/server/bin directory (IAM_MW_HOME/wlserver_10.3/server/bin). This first start creates the nodemanager.properties file that the next step modifies.
Run the setNMProps.sh script to set the StartScriptEnabled property to true:
cd IAM_MW_HOME/oracle_common/common/bin
./setNMProps.sh
Note:
You must use the StartScriptEnabled property to avoid class loading failures and other problems.
Stop the Node Manager by killing the Node Manager process.
Start Node Manager by running the startNodeManager.sh script located under the IAM_MW_HOME/wlserver_10.3/server/bin directory.
You start the Administration server by using WLST and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager. Steps 1-4 are required for the first start operation, but subsequent starts require only Step 4.
Start the Administration Server using the start script in the domain directory.
cd ASERVER_HOME/bin
./startWebLogic.sh
Use the Administration Console to update the Node Manager credentials on IDMDomain.
In a browser, go to the listen address for the domain. For example:
http://ADMINVHN.mycompany.com:7001/console where 7001 is WLS_ADMIN_PORT, as described in Section B.3.
Log in as the administrator.
Click Lock and Edit.
Click domain_name in the Domain Structure menu.
Select Security tab then General tab.
Expand Advanced Options.
Enter a new username for Node Manager or make a note of the existing one and update the Node Manager password.
Click Save.
Click Activate Changes.
Stop the WebLogic Administration Server by issuing the command stopWebLogic.sh located under the ASERVER_HOME/bin directory.
Start WLST and connect to the Node Manager with nmConnect and the credentials you just updated. Then start the WebLogic Administration Server using nmStart.
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Once in the WLST shell, execute the following commands:
nmConnect('Admin_User','Admin_Password', 'ADMINHOST1','Port',
  'domain_name','ASERVER_HOME')
nmStart('AdminServer')
where Port is NMGR_PORT in Section B.3, domain_name is the name of the domain and Admin_User and Admin_Password are the Node Manager username and password you entered in Step 2. For example:
nmConnect('admin','password', 'IDMHOST1','5556',
  'IDMDomain','ASERVER_HOME')
nmStart('AdminServer')
Perform these steps to ensure that the Administration Server is properly configured:
In a browser, go to the Oracle WebLogic Server Administration Console at the URL:
http://ADMINVHN.mycompany.com:7001/console, where 7001 is WLS_ADMIN_PORT, as described in Section B.3.
Log in as the WebLogic administrator, for example: weblogic.
Check that you can access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.
Log in to Oracle Enterprise Manager Fusion Middleware Control as the WebLogic administrator, for example: weblogic.
In enterprise deployments, Oracle WebLogic Server is fronted by Oracle HTTP Servers, which are in turn fronted by a load balancer that terminates SSL. For internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must be informed that it receives its requests through the Oracle HTTP Server WebLogic plug-in.
The plug-in setting can be made at the domain, cluster, or Managed Server level. Because all requests to Oracle WebLogic Server arrive through the OHS plug-in, set it at the domain level. Once it is set, WebLogic Server takes the client address and the SSL status of a request from the WL-Proxy-Client-IP and WL-Proxy-SSL headers that the plug-in adds, so the WebLogic listen ports must be reachable only through Oracle HTTP Server; a client that could reach them directly could supply those headers itself.
To do this perform the following steps:
Log in to the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console, where 7001 is WLS_ADMIN_PORT.
Click Lock and Edit.
Click domain_name, for example: IDMDomain in the Domain Structure Menu.
Click the Configuration tab.
Click the Web Applications sub tab.
Select WebLogic Plugin Enabled.
Click Save, then click Activate Changes.
This step is required if you have not set up the appropriate certificates to authenticate the different nodes with the Administration Server. (See Chapter 13, "Setting Up Node Manager for an Enterprise Deployment.") If you have not configured the server certificates, you will receive errors when managing the different WebLogic Servers. To avoid these errors, disable host name verification while setting up and validating the topology, and enable it again once the EDG topology configuration is complete as described in Chapter 13, "Setting Up Node Manager for an Enterprise Deployment."
Perform these steps to disable host name verification:
Go to the Oracle WebLogic Server Administration Console at: http://ADMINVHN.mycompany.com:7001/console, where 7001 is WLS_ADMIN_PORT, as described in Section B.3.
Log in as the user weblogic, using the password you specified during the installation.
Click Lock and Edit.
Expand the Environment node in the Domain Structure window.
Click Servers. The Summary of Servers page appears.
Select AdminServer(admin) in the Name column of the table. The Settings page for AdminServer(admin) appears.
Click the SSL tab.
Click Advanced.
Set Hostname Verification to None, if it is not already set.
Click Save.
Click Activate Changes.
Stop the Administration Server as described in Section 17.1, "Starting and Stopping Oracle Identity Management Components."
Note:
Admin_User and Admin_Password, the credentials passed to nmConnect in Section 8.5.5, are used only to authenticate connections between Node Manager and its clients. They are independent of the server administration ID and password and are stored in the ASERVER_HOME/config/nodemanager/nm_password.properties file.
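Because host name verification is meant to be re-enabled once the certificates from Chapter 13 are in place, it helps to have a check that finds any server where it is still off. The following POSIX shell functions are an added example, not part of the Oracle guide: they scan a domain's config.xml, in which the console setting Hostname Verification: None is stored as <hostname-verification-ignored>true</hostname-verification-ignored> inside the server's <ssl> element. The config.xml fragment below is constructed for the example (the second server name is a placeholder) and the awk assumes the one-element-per-line layout that the Configuration Wizard and Administration Console write.

```shell
#!/bin/sh
# Added example: list the servers in a domain's config.xml that still have
# host name verification disabled, so it can be re-enabled before the EDG
# topology is declared complete. SAMPLE_CONFIG_XML is a constructed fragment.

SAMPLE_CONFIG_XML='<?xml version="1.0" encoding="UTF-8"?>
<domain>
  <name>IDMDomain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <hostname-verification-ignored>true</hostname-verification-ignored>
      <listen-port>7002</listen-port>
    </ssl>
    <listen-address>ADMINVHN.mycompany.com</listen-address>
  </server>
  <server>
    <name>ExampleManagedServer</name>
    <ssl>
      <enabled>true</enabled>
      <hostname-verification-ignored>false</hostname-verification-ignored>
    </ssl>
  </server>
</domain>'

# Print, one per line, the names of <server> entries whose <ssl> block has
# hostname-verification-ignored set to true. $1 is the path to config.xml.
# The first <name> inside each <server> is the server name; the domain-level
# <name> is outside any <server> block and is ignored.
servers_with_hostname_verification_disabled() {
    awk '
        /<server>/ { in_server = 1; name = "" }
        in_server && /<name>/ && name == "" {
            sub(/.*<name>/, ""); sub(/<\/name>.*/, ""); name = $0
        }
        in_server && /<hostname-verification-ignored>true</ { print name }
        /<\/server>/ { in_server = 0 }
    ' "$1"
}

# Returns 0 if no server has host name verification disabled, 1 otherwise.
hostname_verification_enforced() {
    [ -z "$(servers_with_hostname_verification_disabled "$1")" ]
}

# Usage: write the sample to a file and run the check against it.
#   printf '%s\n' "$SAMPLE_CONFIG_XML" > /tmp/config.xml
#   servers_with_hostname_verification_disabled /tmp/config.xml   -> AdminServer
```

Point it at ASERVER_HOME/config/config.xml after the topology is complete; any name it prints is a server whose Hostname Verification should be set back from None before the deployment goes into service.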
Test failover of the Administration Server to IDMHOST2 and then back to IDMHOST1, as described in Section 17.9, "Manually Failing Over the WebLogic Administration Server"
Back up the Middleware home, the database and the WebLogic domain as described in Section 17.6.3, "Performing Backups During Installation and Configuration."