7 Installing and Configuring Oracle Unified Directory

This chapter describes how to install and configure Oracle Unified Directory (OUD) in the enterprise deployment.


7.1 Overview of Installing and Configuring Oracle Unified Directory

Oracle Unified Directory is a required component in the Identity Management enterprise topologies. You use it as the Identity Store, that is, for storing information about users and groups.

In this chapter, you configure two instances of Oracle Unified Directory by using Oracle Unified Directory configuration assistant.

7.2 Prerequisites for Configuring Oracle Unified Directory Instances

Before configuring the Oracle Unified Directory instances on IDMHOST1 and IDMHOST2, ensure that the following tasks have been performed:

  • Synchronize the time on the individual IDMHOST nodes so that there is a discrepancy of no more than 250 seconds between them.

  • Ensure that the load balancer is configured.

7.3 Installing Oracle Unified Directory

To install Oracle Unified Directory on shared storage, perform the following steps from either IDMHOST1 or IDMHOST2.

Ensure that the system, patch, kernel and other requirements are met. These are listed in Oracle Fusion Middleware Installation Guide for Oracle Identity Management in the Oracle Fusion Middleware documentation library for the platform and version you are using.

Install JDK as described in Section 8.2.1.1, "Installing JRockit."

To start the Oracle Fusion Middleware 11g Oracle Identity Management Installer, change directory to Disk1 of the installation media and enter the command:

./runInstaller

Then proceed as follows:

On the Specify Inventory Directory screen, do the following:

  • Enter /u02/private/oracle/oraInventory (this is the recommended location).

  • Enter the OS group for the user performing the installation.

  • Click Next.

Follow the instructions on screen to execute createCentralInventory.sh as root.

  1. On the Welcome screen, click Next.

  2. On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates, or search for updates locally.

    Click Next.

  3. On the Prerequisite Checks screen, verify that the checks complete successfully, then click Next.

  4. On the Specify Installation Location screen, enter:

    • OUD Base Location Home: IAM_MW_HOME

    • Oracle Home Directory: oud

    Click Next.

  5. On the Installation Summary screen, click Install.

  6. On the Installation Progress screen, click Next.

  7. On the Installation Complete screen, click Finish.

7.4 Configuring the Oracle Unified Directory Instances

Follow these steps to configure Oracle Unified Directory components in the application tier on IDMHOST1 and IDMHOST2. During the configuration you will also configure Oracle Unified Directory replication servers.


7.4.1 Configuring Oracle Unified Directory on IDMHOST1

Ensure that ports 1389 (LDAP_DIR_PORT), 1636 (LDAP_DIR_SSL_PORT), 4444 (LDAP_DIR_ADMIN_PORT), and 8989 (LDAP_DIR_REPL_PORT) are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

On Linux:

netstat -an | grep "1389"

If the ports are in use (that is, if the command returns output identifying any of these ports), you must free the port.

On Linux:

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.
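As an added example that is not part of the Oracle guide, the following POSIX shell script checks all four ports from one netstat -an listing, matching each port only at the end of the Local Address column so that a plain grep "1389" does not also match 11389 or 13890; the netstat sample embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): check that all four OUD ports are
# free from one netstat -an listing, matching each port only at the end of the
# Local Address column so that 1389 is not confused with 11389 or 13890.
OUD_PORTS="1389 1636 4444 8989"   # LDAP_DIR_PORT LDAP_DIR_SSL_PORT LDAP_DIR_ADMIN_PORT LDAP_DIR_REPL_PORT

# ports_in_use LISTING PORT... -> prints the ports bound in LISTING (netstat -an
# text) and returns 1 if any are; returns 0 with no output if all are free.
ports_in_use() {
    listing=$1; shift
    busy=""
    for port in "$@"; do
        # tcp/udp rows only; column 4 is the local address, e.g. 0.0.0.0:1389 or :::8989
        if printf '%s\n' "$listing" | awk -v port="$port" \
            '$1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") { found = 1 } END { exit found ? 0 : 1 }'; then
            busy="$busy $port"
        fi
    done
    busy=${busy# }
    [ -z "$busy" ] || printf '%s\n' "$busy"
    [ -z "$busy" ]
}

# check_oud_ports_live -> the same check against the running system (Linux netstat)
check_oud_ports_live() {
    ports_in_use "$(netstat -an 2>/dev/null)" $OUD_PORTS
}

# Constructed netstat -an sample: 11389 must not count as 1389; 161 is not an OUD port
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11389           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4444          0.0.0.0:*               LISTEN
tcp6       0      0 :::8989                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*'

if in_use=$(ports_in_use "$SAMPLE_NETSTAT" $OUD_PORTS); then
    echo "all OUD ports free; safe to run oud-setup"
else
    echo "still in use, free these before oud-setup: $in_use"
fi
```

Run check_oud_ports_live on the IDMHOST itself to perform the real check; the sample run above reports 4444 and 8989 as busy and ignores 11389.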

Set the environment variable JAVA_HOME.

Set the environment variable INSTANCE_NAME to:

../../../../u02/private/oracle/config/instances/oud1

Note that the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in OUD_ORACLE_INSTANCE.

Change directory to OUD_ORACLE_HOME.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

  1. On the Welcome screen, click Next.

  2. On the Server Settings screen, enter:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: IDMHOST1.mycompany.com

    • LDAP Listener Port: 1389 (LDAP_DIR_PORT)

    • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

    • LDAP Secure Access: Click Configure

    • In the Security Options page, enter:

      • SSL Access: Selected.

      • Enable SSL on Port: 1636 (LDAP_DIR_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user DN, for example: cn=oudadmin

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  3. On the Topology Options screen:

    • Select: This server will be part of a replication topology

    • Enter: Replication Port: 8989

    • Select: Configure As Secure, if you wish replication traffic to be encrypted.

    • There is already a server in the topology. Leave it deselected.

    Click Next.

  4. On the Directory Data screen, enter:

    • Directory Base DN: dc=mycompany,dc=com

    • Directory Data: Only create base entry

    Click Next.

  5. On the Oracle Components Integration screen, click Next.

  6. On the Runtime Options screen, click Next.

  7. On the Review screen, verify that the information displayed is correct and click Finish.

  8. On the Finished screen, click Close.

7.4.2 Validating Oracle Unified Directory on IDMHOST1

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDMHOST1.mycompany.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you will see a list of supportedControl entries returned.

7.4.3 Configuring an Additional Oracle Unified Directory Instance on IDMHOST2

Ensure that ports 1389 (LDAP_DIR_PORT), 1636 (LDAP_DIR_SSL_PORT), 4444 (LDAP_DIR_ADMIN_PORT), and 8989 (LDAP_DIR_REPL_PORT) are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

On Linux:

netstat -an | grep "1389"

If the ports are in use (that is, if the command returns output identifying any of these ports), you must free the port.

On Linux:

Remove the entries for ports 1389, 1636, 4444, and 8989 in the /etc/services file and restart the services or restart the computer.

Set the environment variable JAVA_HOME.

Set the environment variable INSTANCE_NAME to ../../../../u02/private/oracle/config/instances/oud2.

Note the tool creates the instance home relative to the OUD_ORACLE_HOME, so you must include previous directories to get the instance created in OUD_ORACLE_INSTANCE.

Change directory to OUD_ORACLE_HOME.

Start the Oracle Unified Directory configuration assistant by executing the command:

./oud-setup

  1. On the Welcome screen, click Next.

  2. On the Server Settings screen, enter:

    • Host Name: The name of the host where Oracle Unified Directory is running, for example: IDMHOST2

    • LDAP Listener Port: 1389 (LDAP_DIR_PORT)

    • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

    • LDAP Secure Access

      • Click Configure

      • Select SSL Access

      • Enable SSL on Port: 1636 (LDAP_DIR_SSL_PORT)

      • Certificate: Generate Self Signed Certificate OR provide details of your own certificate.

      • Click OK

    • Root User DN: Enter an administrative user DN, for example: cn=oudadmin

    • Password: Enter the password you wish to assign to the oudadmin user.

    • Password (Confirm): Repeat the password.

    • Click Next.

  3. On the Topology Options screen, enter:

    • Select: This server will be part of a replication topology

    • Replication Port: 8989

    • Select Configure As Secure, if you wish replication traffic to be encrypted.

    • There is already a server in the topology: Selected.

      Enter the following:

      • Host Name: The name of an existing Oracle Unified Directory server host, for example: IDMHOST1.mycompany.com

      • Administration Connector Port: 4444 (LDAP_DIR_ADMIN_PORT)

      • Admin User: Name of the Oracle Unified Directory admin user on IDMHOST1, for example: cn=oudadmin

      • Admin Password: Administrator password.

      Click Next.

      If you see a Certificate Not Trusted dialog, it is because you are using self-signed certificates. Click Accept Permanently.

    Click Next.

  4. On the Create Global Administrator screen, enter:

    • Global Administrator ID: The name of an account you want to use for managing Oracle Unified Directory replication, for example: oudmanager

    • Global Administrator Password / Confirmation: Enter a password for this account.

    Click Next.

  5. On the Data Replication screen, select dc=mycompany,dc=com and click Next.

  6. On the Oracle Components Integration screen, click Next.

  7. On the Runtime Options screen, click Next.

  8. On the Review screen, check that the information displayed is correct and click Finish.

  9. On the Finished screen, click Close.

7.4.4 Validating Oracle Unified Directory on IDMHOST2

After configuration, you can validate that Oracle Unified Directory is working by performing a simple search. To do this, issue the following command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDMHOST2.mycompany.com -p 1389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

If Oracle Unified Directory is working correctly, you see a list of supportedControl entries returned.

7.4.5 Enable Oracle Unified Directory Assured Replication

As discussed in Section 2.2.2.2.1, "About Oracle Unified Directory," you must ensure that data read from every Oracle Unified Directory instance is current. You do this by enabling Oracle Unified Directory Assured Replication in Safe Read Mode, as follows:

  1. On IDMHOST1, issue the following command:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
    set-replication-domain-prop \
    --provider-name "Multimaster Synchronization" \
    --domain-name "dc=mycompany,dc=com" \
    --advanced \
    --set assured-type:safe-read \
    --trustAll
    
  2. Confirm that the operation has been successful by issuing the command:

    OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
    get-replication-domain-prop \
    --provider-name "Multimaster Synchronization" \
    --domain-name "dc=mycompany,dc=com" \
    --advanced \
    --property assured-type --property assured-timeout --property group-id \
    --trustAll
    

    where password_file is a file that contains the OUD administrator password.

    If Safe Mode is enabled, the output looks similar to this:

    Property        : Value(s)
    ----------------:----------
    assured-timeout : 2 s
    assured-type    : safe-read
    group-id        : 1
    
  3. Repeat steps 1-2 for each Oracle Unified Directory instance, for example: IDMHOST2.
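As an added example that is not from the Oracle guide, this POSIX shell script runs the step 2 query against every instance and checks that each one reports assured-type : safe-read rather than relying on reading the table by eye. The host list, admin port, bind DN, password file and base DN are the values used in this chapter; the sample output embedded in it is constructed, and OUD_ORACLE_INSTANCE is assumed to be set in the environment.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): after enabling safe-read on each
# instance, confirm that every host reports assured-type:safe-read by parsing
# the dsconfig get-replication-domain-prop output from step 2.
OUD_HOSTS="IDMHOST1 IDMHOST2"       # instances configured in this chapter
ADMIN_PORT=4444                     # LDAP_DIR_ADMIN_PORT
BIND_DN="cn=oudadmin"
PW_FILE=./password_file             # file holding the OUD administrator password
BASE_DN="dc=mycompany,dc=com"

# prop_value OUTPUT NAME -> prints the Value(s) column for property NAME from
# the "Property : Value(s)" table that dsconfig -n prints.
prop_value() {
    printf '%s\n' "$1" | awk -F' *: *' -v name="$2" '$1 == name { print $2; exit }'
}
# safe_read_enabled OUTPUT -> succeeds only if the table shows assured-type : safe-read
safe_read_enabled() {
    [ "$(prop_value "$1" assured-type)" = "safe-read" ]
}
# get_assured_props HOST -> runs the step 2 query against HOST; OUD_ORACLE_INSTANCE
# is assumed to be set in the environment.
get_assured_props() {
    "${OUD_ORACLE_INSTANCE:?set OUD_ORACLE_INSTANCE first}/OUD/bin/dsconfig" \
        -h "$1" -p "$ADMIN_PORT" -D "$BIND_DN" -j "$PW_FILE" -n \
        get-replication-domain-prop \
        --provider-name "Multimaster Synchronization" \
        --domain-name "$BASE_DN" --advanced \
        --property assured-type --property assured-timeout --property group-id \
        --trustAll
}
# verify_all_hosts -> returns 0 only when every instance reports safe-read
verify_all_hosts() {
    rc=0
    for h in $OUD_HOSTS; do
        if safe_read_enabled "$(get_assured_props "$h")"; then
            echo "$h: assured replication is in safe-read mode"
        else
            echo "$h: assured-type is NOT safe-read" >&2; rc=1
        fi
    done
    return $rc
}
# Constructed sample of the step 2 output, used to exercise the parser offline.
SAMPLE_OUTPUT='Property        : Value(s)
----------------:----------
assured-timeout : 2 s
assured-type    : safe-read
group-id        : 1'
if safe_read_enabled "$SAMPLE_OUTPUT"; then echo "sample output: safe-read enabled"; fi
```

Call verify_all_hosts from any IDMHOST once password_file exists to check both instances in one pass; a non-zero exit means at least one instance is still not in safe-read mode.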

7.4.6 Relaxing Oracle Unified Directory Object Creation Restrictions

Oracle Identity Management requires that a number of object classes be created in Oracle Unified Directory. You must perform the following step so that Oracle Unified Directory allows creation of the needed object classes.

Execute the following command on each Oracle Unified Directory instance:

OUD_ORACLE_INSTANCE/OUD/bin/dsconfig -h IDMHOST1 -p 4444 -D "cn=oudadmin" -j ./password_file -n \
         set-global-configuration-prop \
         --set single-structural-objectclass-behavior:warn \
         --trustAll

Repeat the command for each Oracle Unified Directory instance, for example: IDMHOST2.

7.4.7 Validating Oracle Unified Directory Through the Load Balancer

In addition, validate that you can access Oracle Unified Directory through the load balancer by issuing the command:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h LDAP_LBR_HOST -p LDAP_LBR_PORT -D OUD_Administrator -b "" -s base "(objectclass=*)" supportedControl

For example:

OUD_ORACLE_INSTANCE/OUD/bin/ldapsearch -h IDSTORE.mycompany.com -p 389 -D cn=oudadmin -b "" -s base "(objectclass=*)" supportedControl

To check that Oracle Unified Directory replication is enabled, issue the command:

OUD_ORACLE_INSTANCE/OUD/bin/status

If you are asked how you wish to trust the server certificate, valid options are:

  • Automatically trust

  • Use a truststore

  • Manually validate

Select your choice.

You are then prompted for the Administrator bind DN (cn=oudadmin) and its password.

Next, you see output similar to the following example. Under Data Sources, Replication is shown as Enabled.

--- Server Status ---
Server Run Status: Started
Open Connections: 2
 
--- Server Details ---
Host Name: idmhost1
Administrative Users: cn=oudadmin
Installation Path: /u01/oracle/products/access/oud
Instance Path: /u02/private/oracle/config/instances/oud1/OUD
Version: Oracle Unified Directory 11.1.2.0.0
Java Version: 1.6.0_29
Administration Connector: Port 4444 (LDAPS)
 
--- Connection Handlers ---
Address:Port : Protocol : State
-------------:-------------:---------
-- : LDIF : Disabled
8989 : Replication : Enabled
0.0.0.0:161 : SNMP : Disabled
0.0.0.0:1389 : LDAP : Enabled
0.0.0.0:1636 : LDAPS : Enabled
0.0.0.0:1689 : JMX : Disabled
 
--- Data Sources ---
Base DN: dc=mycompany,dc=com
Backend ID: userRoot
Entries: 1
Replication: Enabled
Missing Changes: 0
Age Of Oldest Missing Change: <not available>

7.5 Backing Up the Oracle Unified Directory Installation

Perform a backup of the Middleware home and of Oracle Unified Directory, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."