9 Deploying Identity and Access Management

This chapter describes how to deploy Identity and Access Management.

It contains the following sections:

9.1 Introduction to the Deployment Process

This section introduces the Deployment process.

9.1.1 Deployment Stages

There are eight stages to Deployment. These stages are:

  1. preverify - This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured. This also checks for database connections for schemas and port availability.

  2. install - This installs all of the software required by the installation. This also includes binary patching for all of the patches included in the repository.

  3. preconfigure - This does the following:

    • Creates Oracle Unified Directory instances and seeds them with Users/Groups

    • Creates the WebLogic domains and extends domains for various products

    • Creates the OHS instance

    • Migrates the Policy Store to the database

  4. configure - This does the following:

    • Starts managed servers as necessary

    • Associates Access Manager with Oracle Unified Directory

    • Configures Oracle Identity Manager

  5. configure-secondary - This does the following:

    • Integrates the WebLogic Domain with the Webtier

    • Registers the Webtier with the domain

    • Integrates Access Manager and Oracle Identity Manager

  6. postconfigure - This does the following:

    • Runs Oracle Identity Manager Reconciliation

    • Configures the UMS Mail Server

    • Generates the Access Manager Keystore

    • Configures WebGates

  7. startup - This starts up all components in the topology and applies any needed artifact patches.

  8. validate - This performs a number of checks on the built topology to ensure that everything is working as it should be.

Each stage must be completed on all hosts in a specific order, as described in the next section. Each stage must be completed on each host in the topology before the next stage can begin. Failure of a stage will necessitate a cleanup and restart. See Appendix B, "Cleaning Up an Environment Before Rerunning IAM Deployment" for instructions.

9.1.2 Processing Order

You must process hosts in the following order:

  1. LDAP Host 1

  2. LDAP Host 2

  3. Identity Governance Host 1

  4. Identity Governance Host 2

  5. Access Management Host 1

  6. Access Management Host 2

  7. Web Host 1

  8. Web Host 2

This equates to the following order for hosts in this guide.

Consolidated List

  1. IAMHOST1

  2. IAMHOST2

  3. WEBHOST1

  4. WEBHOST2

Distributed List

  1. LDAPHOST1

  2. LDAPHOST2

  3. OIMHOST1

  4. OIMHOST2

  5. OAMHOST1

  6. OAMHOST2

  7. WEBHOST1

  8. WEBHOST2

9.2 Deployment Procedure

The following sections describe the procedure for performing Deployment.

9.2.1 Running the Deployment Commands

To deploy Identity and Access Management, run the runIAMDeployment.sh script a number of times on each host in the topology from the following location:

IDMLCM_HOME/provisioning/bin

BEFORE embarking on the Deployment process, read this entire section. There are extra steps detailed below which must be performed during the process.

Notes:

  • You must use the SAME version of the Deployment profile (IDMLCM_HOME/provisioning/bin/provisioning.rsp) on all targets and all hosts in the deployment.

  • You MUST run each command on each host in the topology, in the specified order, before running the next command.

Before running the Deployment tool, set the following environment variable:

  • Set JAVA_HOME to: REPOS_HOME/jdk6

The commands you must run are:

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preverify

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target install

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preconfigure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure-secondary

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target postconfigure

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target startup

runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target validate

9.2.2 Creating Backups

It is important that you take a backup of the file systems and databases at the following points:

  1. Prior to starting Deployment.

  2. At the end of the installation phase.

  3. Upon completion of Deployment.

Restoring a backup taken at any point other than these three is not supported.
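The stage-by-stage, host-by-host ordering that sections 9.2.1 and 9.2.2 describe is easy to get wrong by hand when a topology has eight hosts and eight stages. The script below is an added example, not part of this guide or of the Deployment tool: it drives runIAMDeployment.sh through the eight stages across the hosts of section 9.1.2 so that no host starts a stage until every host has finished the previous one, sets JAVA_HOME as section 9.2.1 requires, stops at the first failed stage (which needs the Appendix B cleanup before a rerun), and flags the three backup points of section 9.2.2. It assumes, beyond what the guide states, passwordless ssh to every host, identical IDMLCM_HOME and REPOS_HOME paths on every host, and a shared LCM_HOME; the RUNNER, DRY_RUN and BACKUP_HOOK variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): run runIAMDeployment.sh stage by stage
# across all hosts, in the order sections 9.1.1 and 9.1.2 require.
# Assumptions beyond the guide: passwordless ssh to each host, the same
# IDMLCM_HOME and REPOS_HOME on every host, and a shared LCM_HOME.

IDMLCM_HOME=${IDMLCM_HOME:-/path/to/IDMLCM_HOME}   # placeholder; set for real use
REPOS_HOME=${REPOS_HOME:-/path/to/REPOS_HOME}      # placeholder; set for real use

STAGES="preverify install preconfigure configure configure-secondary postconfigure startup validate"

# Host order for each topology, exactly as listed in section 9.1.2.
hosts_for_topology() {
  case "$1" in
    consolidated) echo "IAMHOST1 IAMHOST2 WEBHOST1 WEBHOST2" ;;
    distributed)  echo "LDAPHOST1 LDAPHOST2 OIMHOST1 OIMHOST2 OAMHOST1 OAMHOST2 WEBHOST1 WEBHOST2" ;;
    *) echo "unknown topology: $1" >&2; return 1 ;;
  esac
}

# The command one host runs for one stage, with JAVA_HOME=REPOS_HOME/jdk6 as
# section 9.2.1 requires and the single shared response file.
stage_command() {
  printf 'JAVA_HOME=%s/jdk6 %s/provisioning/bin/runIAMDeployment.sh -responseFile %s/provisioning/bin/provisioning.rsp -target %s' \
    "$REPOS_HOME" "$IDMLCM_HOME" "$IDMLCM_HOME" "$1"
}

# Full plan as "host<TAB>stage" lines in stage-major order: 32 lines for the
# consolidated topology, 64 for the distributed one.
deployment_plan() {
  plan_hosts=$(hosts_for_topology "$1") || return 1
  for plan_stage in $STAGES; do
    for plan_host in $plan_hosts; do
      printf '%s\t%s\n' "$plan_host" "$plan_stage"
    done
  done
}

# Backup points from section 9.2.2. BACKUP_HOOK (assumed, site-specific) is
# whatever takes the file-system and database backup; without it, remind.
backup_point() {
  if [ -n "${BACKUP_HOOK:-}" ]; then
    "$BACKUP_HOOK" "$1"
  else
    echo "BACKUP POINT ($1): back up file systems and databases before continuing"
  fi
}

# Run one stage on every host in order. DRY_RUN=1 prints instead of executing;
# RUNNER (default ssh) is how a command reaches a host. Stop at the first
# failure: a failed stage needs the Appendix B cleanup before it is rerun.
run_stage() {
  s=$1; stage_hosts=$2
  for h in $stage_hosts; do
    cmd=$(stage_command "$s")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "[$h] $cmd"
    elif ! ${RUNNER:-ssh} "$h" "$cmd"; then
      echo "stage $s failed on $h: clean up (Appendix B) and rerun" >&2
      return 1
    fi
  done
}

# Whole deployment: every host finishes a stage before any host starts the next.
run_deployment() {
  all_hosts=$(hosts_for_topology "$1") || return 1
  backup_point "before deployment"
  for st in $STAGES; do
    run_stage "$st" "$all_hosts" || return 1
    if [ "$st" = install ]; then backup_point "after install"; fi
  done
  backup_point "after validate"
}

# Usage: DRY_RUN=1 sh deploy_iam.sh distributed   (prints the 64 commands)
if [ -n "${1:-}" ]; then
  run_deployment "$1"
fi
```

Run it first with DRY_RUN=1 and compare the printed sequence against the check list in section 9.3 before letting it touch any host; the stage-major loop is what enforces the guide's rule that a stage completes everywhere before the next begins.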

9.3 Check List

To help keep track of the Deployment process, print this check list from the PDF version of this guide. Run each stage on the hosts shown, and add a check mark to the corresponding row when that run is complete.

Consolidated:

Deployment Stage      Host        Complete
Preverify             IAMHOST1    [ ]
Preverify             IAMHOST2    [ ]
Preverify             WEBHOST1    [ ]
Preverify             WEBHOST2    [ ]

Install               IAMHOST1    [ ]
Install               IAMHOST2    [ ]
Install               WEBHOST1    [ ]
Install               WEBHOST2    [ ]

Preconfigure          IAMHOST1    [ ]
Preconfigure          IAMHOST2    [ ]
Preconfigure          WEBHOST1    [ ]
Preconfigure          WEBHOST2    [ ]

Configure             IAMHOST1    [ ]
Configure             IAMHOST2    [ ]
Configure             WEBHOST1    [ ]
Configure             WEBHOST2    [ ]

Configure Secondary   IAMHOST1    [ ]
Configure Secondary   IAMHOST2    [ ]
Configure Secondary   WEBHOST1    [ ]
Configure Secondary   WEBHOST2    [ ]

Post Configure        IAMHOST1    [ ]
Post Configure        IAMHOST2    [ ]
Post Configure        WEBHOST1    [ ]
Post Configure        WEBHOST2    [ ]

Startup               IAMHOST1    [ ]
Startup               IAMHOST2    [ ]
Startup               WEBHOST1    [ ]
Startup               WEBHOST2    [ ]

Validate              IAMHOST1    [ ]
Validate              IAMHOST2    [ ]
Validate              WEBHOST1    [ ]
Validate              WEBHOST2    [ ]

Distributed:

Deployment Stage      Host        Complete
Preverify             LDAPHOST1   [ ]
Preverify             LDAPHOST2   [ ]
Preverify             OIMHOST1    [ ]
Preverify             OIMHOST2    [ ]
Preverify             OAMHOST1    [ ]
Preverify             OAMHOST2    [ ]
Preverify             WEBHOST1    [ ]
Preverify             WEBHOST2    [ ]

Install               LDAPHOST1   [ ]
Install               LDAPHOST2   [ ]
Install               OIMHOST1    [ ]
Install               OIMHOST2    [ ]
Install               OAMHOST1    [ ]
Install               OAMHOST2    [ ]
Install               WEBHOST1    [ ]
Install               WEBHOST2    [ ]

Preconfigure          LDAPHOST1   [ ]
Preconfigure          LDAPHOST2   [ ]
Preconfigure          OIMHOST1    [ ]
Preconfigure          OIMHOST2    [ ]
Preconfigure          OAMHOST1    [ ]
Preconfigure          OAMHOST2    [ ]
Preconfigure          WEBHOST1    [ ]
Preconfigure          WEBHOST2    [ ]

Configure             LDAPHOST1   [ ]
Configure             LDAPHOST2   [ ]
Configure             OIMHOST1    [ ]
Configure             OIMHOST2    [ ]
Configure             OAMHOST1    [ ]
Configure             OAMHOST2    [ ]
Configure             WEBHOST1    [ ]
Configure             WEBHOST2    [ ]

Configure Secondary   LDAPHOST1   [ ]
Configure Secondary   LDAPHOST2   [ ]
Configure Secondary   OIMHOST1    [ ]
Configure Secondary   OIMHOST2    [ ]
Configure Secondary   OAMHOST1    [ ]
Configure Secondary   OAMHOST2    [ ]
Configure Secondary   WEBHOST1    [ ]
Configure Secondary   WEBHOST2    [ ]

Post Configure        LDAPHOST1   [ ]
Post Configure        LDAPHOST2   [ ]
Post Configure        OIMHOST1    [ ]
Post Configure        OIMHOST2    [ ]
Post Configure        OAMHOST1    [ ]
Post Configure        OAMHOST2    [ ]
Post Configure        WEBHOST1    [ ]
Post Configure        WEBHOST2    [ ]

Startup               LDAPHOST1   [ ]
Startup               LDAPHOST2   [ ]
Startup               OIMHOST1    [ ]
Startup               OIMHOST2    [ ]
Startup               OAMHOST1    [ ]
Startup               OAMHOST2    [ ]
Startup               WEBHOST1    [ ]
Startup               WEBHOST2    [ ]

Validate              LDAPHOST1   [ ]
Validate              LDAPHOST2   [ ]
Validate              OIMHOST1    [ ]
Validate              OIMHOST2    [ ]
Validate              OAMHOST1    [ ]
Validate              OAMHOST2    [ ]
Validate              WEBHOST1    [ ]
Validate              WEBHOST2    [ ]

9.4 Deploying Identity and Access Management Without a Common LCM_HOME

The previous deployment instructions assume that the LCM_HOME directory is shared across every host in the topology for the duration of the deployment process.

If your organization does not permit this sharing, you can still run the deployment by making LCM_HOME available locally on every host. The following extra manual steps are required.

  1. Create a local version of the LCM_HOME directory, including the software repository.

  2. Copy the Deployment Response File, responsefilename_data folder, and Summary created in Section 8.18, "Summary" to the same location on each of the hosts.

  3. The deployment tool relies on the contents of the directories located under LCM_HOME/provisioning to determine what stages have run successfully. Therefore, after every command, copy the contents of this directory to every node before executing any runIAMDeployment.sh commands.

    If LCM_HOME is not shared to the directory hosts, copy LCM_HOME/internal from OAMHOST1 to LDAPHOST1 and LDAPHOST2 before running preconfigure on the LDAPHOSTs.

    LCM_HOME/internal is created after the install phase on the OAMHOSTs.

  4. Before running preconfigure on OIMHOST1, copy LCM_HOME/keystores from LDAPHOST1 to OAMHOST1.

  5. If LCM_HOME is not mounted on WEBHOST1 and WEBHOST2, before execution of the postconfigure phase on WEBHOST1, copy LCM_HOME/keystores/webgate_artifacts from OAMHOST1 to WEBHOST1 and WEBHOST2.

    LCM_HOME/keystores/webgate_artifacts is created after the configure-secondary phase on OAMHOST1.
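When LCM_HOME is local to each host, the Deployment tool's own record of which stages succeeded lives only on the host that ran the last command, so the copies in steps 3 to 5 are what keep the other hosts' view of the deployment consistent; a missed copy shows up later as a stage refusing to run, or running against stale keystores. The script below is an added example, not part of this guide or of the Deployment tool: it encodes the step 3 state replication and the stage-specific copies of steps 3, 4 and 5 as functions, so the required copies for a given host and stage can be listed before anything is transferred. It assumes, beyond what the guide states, rsync and ssh access from each host to the others, the same LCM_HOME path on every host, and the distributed host names used in this guide; the COPY variable is this example's own.

```shell
#!/bin/sh
# Added example (not from the guide) for section 9.4: replicate deployment
# state between hosts when LCM_HOME is local to each host rather than shared.
# Assumptions beyond the guide: rsync over ssh between hosts, the same
# LCM_HOME path everywhere, and the distributed host names of this guide.

LCM_HOME=${LCM_HOME:-/path/to/LCM_HOME}   # placeholder; set for real use
ALL_HOSTS="LDAPHOST1 LDAPHOST2 OIMHOST1 OIMHOST2 OAMHOST1 OAMHOST2 WEBHOST1 WEBHOST2"

# Step 3: after every runIAMDeployment.sh command, push the tool's stage
# record (LCM_HOME/provisioning) from the host that just ran it to every
# other host. Run this on that host; $1 is its own name. COPY (assumed)
# replaces the copy command, e.g. COPY=echo to preview.
sync_provisioning_state() {
  this_host=$1
  for dest in $ALL_HOSTS; do
    if [ "$dest" != "$this_host" ]; then
      ${COPY:-rsync -a} "$LCM_HOME/provisioning/" "$dest:$LCM_HOME/provisioning/" || return 1
    fi
  done
}

# Steps 3 to 5: the extra directory copies that must precede a given stage on
# a given host. Prints one "source_host<TAB>path<TAB>target_host" line per
# copy, nothing when the host/stage pair needs none.
required_copies() {
  case "$1/$2" in
    LDAPHOST1/preconfigure|LDAPHOST2/preconfigure)   # step 3, second paragraph
      printf 'OAMHOST1\t%s/internal\t%s\n' "$LCM_HOME" "$1" ;;
    OIMHOST1/preconfigure)                           # step 4
      printf 'LDAPHOST1\t%s/keystores\tOAMHOST1\n' "$LCM_HOME" ;;
    WEBHOST1/postconfigure)                          # step 5
      printf 'OAMHOST1\t%s/keystores/webgate_artifacts\tWEBHOST1\n' "$LCM_HOME"
      printf 'OAMHOST1\t%s/keystores/webgate_artifacts\tWEBHOST2\n' "$LCM_HOME" ;;
  esac
}

# Perform the copies for a host/stage pair. Each copy is launched on the
# source host over ssh, so no third machine needs to hold both directories.
perform_required_copies() {
  required_copies "$1" "$2" | while IFS="$(printf '\t')" read -r src path dst; do
    ${COPY:-ssh} "$src" "rsync -a '$path/' '$dst:$path/'" || exit 1
  done
}

# Usage, on a host about to run a stage:
#   perform_required_copies OIMHOST1 preconfigure
# and on the host that has just finished any stage:
#   sync_provisioning_state OAMHOST1
```

Listing the copies with required_copies before running a stage turns the three special cases in steps 3 to 5 into a check you can automate; sync_provisioning_state is the one that has to run after every single command, not just the stages with special cases.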