15 Creating Domains for an Enterprise Deployment

This section describes how to create the various domains to support the split domain topology.

Note:

Tasks in each section must be performed for every domain being created, unless otherwise stated.

15.1 Choosing Which Domains to Create

Which domains you need to create depends on the topologies that you are implementing. Table 15-1 shows which domains are required for Oracle Access Manager and Oracle Identity Manager.

Table 15-1 Domains to Create for Each Product

| Domain | Virtual Host |
|---|---|
| IAMAccessDomain | IADADMINVHN.example.com |
| IAMGovernanceDomain | IGDADMINVHN.example.com |


15.2 Domains and URLs

Table 15-2 lists the component URLs related to the domains, and the user names used to access them. In addition, Table 15-3 lists the post-Web tier configuration user names you would use to access the consoles after they have been integrated into single sign-on.

The URLs are divided into two sections:

  • Pre-Web Integration

  • Post-Web Integration

The rest of this document refers to these URLs. For example, if you are asked to log in to the WebLogic console, use the WebLogic console URL listed below for the domain you are working on.

Table 15-2 URLs Available Prior to Web Tier Integration

| Domain | Component | URL | User |
|---|---|---|---|
| IAMAccessDomain | WebLogic Console | http://IADADMINVHN.example.com:7001/console | weblogic |
| IAMAccessDomain | OAM Console | http://IADADMINVHN.example.com:7001/oamconsole | weblogic |
| IAMAccessDomain | Fusion Middleware Control | http://IADADMINVHN.example.com:7101/em | weblogic |
| IAMGovernanceDomain | WebLogic Console | http://IGDADMINVHN.example.com:7101/console | weblogic |
| IAMGovernanceDomain | Fusion Middleware Control | http://IGDADMINVHN.example.com:7101/em | weblogic |


Table 15-3 URLs Available After Web Tier Integration

| Domain | Component | URL | User | SSO User |
|---|---|---|---|---|
| IAMAccessDomain | WebLogic Console | http://iadadmin.example.com/console | weblogic | weblogic_idm |
| IAMAccessDomain | Fusion Middleware Control | http://iadadmin.example.com/em | weblogic | weblogic_idm |
| IAMAccessDomain | OAM Console | http://iadadmin.example.com/oamconsole | weblogic | oamadmin |
| IAMAccessDomain | Policy Manager | http://iamadmin.example.com/access | weblogic | oamadmin |
| IAMGovernanceDomain | WebLogic Console | http://igdadmin.example.com/console | weblogic | weblogic_idm |
| IAMGovernanceDomain | Fusion Middleware Control | http://igdadmin.example.com/em | weblogic | weblogic_idm |


15.3 Running the Configuration Wizard to Create a Domain

Run the WebLogic Configuration Wizard once for each domain listed in Table 15-1.

Note:

For ease of use, the example host names in this section refer to the hosts in the distributed topology. Refer to the Enterprise Deployment Workbook for the actual host names to use. For more information, see Chapter 4, "Using the Enterprise Deployment Workbook".

Table 15-4 Domains to be Created

| Domain Name | Consolidated Host | Distributed Host | Listen Address | Listen Port |
|---|---|---|---|---|
| IAMAccessDomain | IAMHOST1 | OAMHOST1 | IADADMINVHN.example.com | 7001 |
| IAMGovernanceDomain | IAMHOST2 | OIMHOST1 | IGDADMINVHN.example.com | 7101 |


To create a domain:

  1. Ensure that the database where you installed the repository is running. For Oracle RAC databases, all instances should be running, so that the validation check later in the procedure is more reliable.

  2. Change the directory to the location of the Oracle Fusion Middleware Configuration Wizard:

    cd MW_HOME/oracle_common/common/bin
    

    In this command, MW_HOME is:

    IAD_MW_HOME for IAMAccessDomain

    IGD_MW_HOME for IAMGovernanceDomain

  3. Start the Configuration Wizard using the following command:

    ./config.sh
    
  4. On the Welcome screen, select Create a New WebLogic Domain, and click Next.

  5. On the Select Domain Source screen, select the following products:

    Table 15-5 Domain Component Information

    Products for IAMAccessDomain:

    • Oracle Access Management and Mobile Security Suite (select this and all dependent components will be selected automatically)

    • Oracle Enterprise Manager [oracle_common]

    • Oracle JRF [oracle_common]

    • Oracle WSM Policy Manager [oracle_common]

    • Oracle Platform Security Service

    • Oracle OPSS Metadata for JRF [oracle_common]

    Products for IAMGovernanceDomain:

    • Oracle Identity Manager [IGD_ORACLE_HOME] (select this and all dependent components will be automatically selected)

    • Oracle Enterprise Manager [oracle_common]

    • Oracle JRF [oracle_common]

    • Oracle JRF WebServices Asynchronous services [oracle_common]

    • Oracle BI Publisher [oracle_bip]

    • Oracle BI JDBC [oracle_bip]

    • Oracle OPSS Metadata for JRF [oracle_common]

    • Oracle Platform Security Service [IGD_ORACLE_HOME]

    • Oracle SOA Suite [SOA_ORACLE_HOME]

    • Oracle WSM Policy Manager


    Click Next.

  6. On the Specify Domain Name and Location screen, enter the following:

    Domain name: Name of the Domain you are creating. For example: IAMAccessDomain

    Domain location: SHARED_CONFIG_DIR/domains

    Application Location: SHARED_CONFIG_DIR/domains/IAMAccessDomain/applications

    Ensure that the domain directory matches the directory and shared storage mount point

    Click Next.

  7. On the Configure Administrator Username and Password screen, enter the username (default is weblogic) and password to be used for the domain's administrator. For example:

    Name: weblogic

    User Password: password for weblogic user

    Confirm User Password: password for weblogic user

    Description: This user is the default administrator.

    Click Next.

  8. On the Configure Server Start Mode and JDK screen, do the following:

    For WebLogic Domain Startup Mode, select Production Mode.

    For JDK Selection, select the JDK in MW_HOME/jdk for the domain you are creating (for example, IAD_MW_HOME/jdk).

    Click Next.

    Note:

    The next step and all steps through Step 12, "On the Test Component Schema," are only relevant if the domain being created is IAMAccessDomain or IAMGovernanceDomain.

  9. On the Configure JDBC Component Schema screen, select all the data sources listed on the page.

    Select: Convert to GridLink.

    Click Next.

  10. The Gridlink RAC Component Schema screen appears. In this screen, enter values for the following fields, specifying the connect information for the Oracle RAC database that was seeded with RCU.

    Driver: Select Oracle's driver (Thin) for GridLink Connections, Versions: 10 and later.

    Select Enable FAN.

    Do one of the following:

    • If SSL is not configured for ONS notifications to be encrypted, deselect SSL.

    • Select SSL and provide the appropriate wallet and wallet password.

    Service Listener: Enter the SCAN address and port for the RAC database being used. You can identify this address by querying the parameter remote_listener in the database:

    SQL>show parameter remote_listener;
     
    NAME            TYPE   VALUE
    -------------------------------------------------------------
    remote_listener string db-scan.example.com:1521
    

    Note:

    • For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener, for example: DBHOST1-vip.example.com (port 1521) and DBHOST2-vip.example.com (port 1521)

    • For Oracle Database 10g, use multi data sources to connect to an Oracle RAC database.

    ONS Host: Enter the SCAN address for the Oracle RAC database and the ONS remote port, as reported by the database when you invoke the following command:

    srvctl config nodeapps -s
    ONS exists: Local port 6100, remote port 6200, EM port 2016
    

    Note:

    For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example: DBHOST1.example.com (port 6200) and DBHOST2.example.com (port 6200).

    Table 15-6 RAC Component Schema Information

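    | Domain | Schema | Service Name | User Name | Password |
    |---|---|---|---|---|
    | IAMAccessDomain | OAM Infrastructure | iadedg.example.com | EDGIAD_OAM | password |
    | IAMAccessDomain | OPSS Schema | iadedg.example.com | EDGIAD_OPSS | password |
    | IAMAccessDomain | OMSM MDS Schema | iadedg.example.com | EDGIAD_MDS | password |
    | IAMAccessDomain | OMSM Schema | iadedg.example.com | EDGIAD_OMSM | password |
    | IAMGovernanceDomain | OIM Schema | | EDGIGD_OIM | password |
    | IAMGovernanceDomain | SOA Infrastructure | igdedg.example.com | EDGIGD_SOAINFRA | password |
    | IAMGovernanceDomain | User Messaging Service | igdedg.example.com | EDGIGD_ORASDPM | password |
    | IAMGovernanceDomain | BIP Schema | igdedg.example.com | EDGIGD_BIPLATFORM | password |
    | IAMGovernanceDomain | OIM MDS Schema | igdedg.example.com | EDGIGD_MDS | password |
    | IAMGovernanceDomain | OWSM MDS Schema | iadedg.example.com | EDGIGD_MDS | password |
    | IAMGovernanceDomain | SOA MDS Schema | igdedg.example.com | EDGIGD_MDS | password |
    | IAMGovernanceDomain | OPSS Schema | igdedg.example.com | EDGIGD_OPSS | password |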


    Click Next.

  11. On the Test Component Schema screen, the Wizard attempts to validate the data sources. If the data source validation succeeds, click Next. If it fails, click Previous, correct the problem, and try again.

  12. On the Select Optional Configuration screen, select the following:

    • Administration Server

    • JMS Distributed Destination (IAMGovernanceDomain only)

    • Managed Servers, Clusters and Machines

    • JMS File Store (IAMGovernanceDomain only)

    Click Next.

  13. On the Configure the Administration Server screen, enter the following values:

    For IAMAccessDomain:

    • Name: AdminServer

    • Listen Address: See Table 15-4

    • Listen Port: See Table 15-4

    • SSL Listen Port: n/a

    • SSL Enabled (deselected)

    Click Next.

  14. On the JMS Distributed Destination screen (IAMGovernanceDomain Only), ensure that all the JMS system resources listed on the screen are uniform distributed destinations. If they are not, select UDD from the drop down box. Ensure that the entries are correct according to Table 15-7.

    Table 15-7 JMS Distributed Destination Information

    | JMS System Resource | Uniform/Weighted Distributed Destination |
    |---|---|
    | JRFWSASYNCJMSMODULE | UDD |
    | BIPJMSRESOURCE | UDD |
    | UMSJMSSYSTEMRESOURCE | UDD |
    | SOAJMSMODULE | UDD |
    | OIMJMSMODULE | UDD |
    | BPMJMSMODULE | UDD |


    Click Next.

    An Override Warning box with the following message is displayed:

    CFGFWK-40915: At least one JMS system resource has been selected for conversion to a Uniform Distributed Destination (UDD). This  conversion will take place only if the JMS System resource is assigned to a cluster
    

    Click OK on the Override Warning box.

  15. When you first enter the Configure Managed Servers screen, you will see a number of managed servers already created. DO NOT remove any of these entries. Edit the existing entries and add new ones as described below. Existing entries can be matched up using their ports:

    Table 15-8 Consolidated WebLogic Managed Server Information

    | Domain | Name | Listen Address (Distributed) | Listen Address (Consolidated) | Listen Port | SSL Listen Port | SSL Enabled |
    |---|---|---|---|---|---|---|
    | IAMAccessDomain | WLS_OAM1 | OAMHOST1.example.com | IAMHOST1.example.com | 14100 | N/A | No |
    | IAMAccessDomain | WLS_OAM2 | OAMHOST2.example.com | IAMHOST2.example.com | 14100 | N/A | No |
    | IAMAccessDomain | WLS_AMA1 | OAMHOST1.example.com | IAMHOST1.example.com | 14150 | N/A | No |
    | IAMAccessDomain | WLS_AMA2 | OAMHOST2.example.com | IAMHOST2-.example.com | 14150 | N/A | No |
    | IAMAccessDomain | WLS_MSM1 | OAMHOST1.example.com | IAMHOST1.example.com | 14180 | 14181 | Yes |
    | IAMAccessDomain | WLS_MSM2 | OAMHOST2.example.com | IAMHOST2-.example.com | 14180 | 14181 | Yes |
    | IAMGovernanceDomain | WLS_OIM1 | OIMHOST1VHN1.example.com | OIMHOST1VHN1.example.com | 14000 | N/A | No |
    | IAMGovernanceDomain | WLS_OIM2 | OIMHOST2VHN1.example.com | OIMHOST2VHN1.example.com | 14000 | N/A | No |
    | IAMGovernanceDomain | WLS_SOA1 | OIMHOST1VNH2.example.com | OIMHOST1VHN2.example.com | 8001 | N/A | No |
    | IAMGovernanceDomain | WLS_SOA2 | OIMHOST2VNH2.example.com | OIMHOST2VHN2.example.com | 8001 | N/A | No |
    | IAMGovernanceDomain | WLS_BI1 | OIMHOST1VNH3.example.com | OIMHOST1VHN3.example.com | 9704 | N/A | No |
    | IAMGovernanceDomain | WLS_BI2 | OIMHOST2VNH3.example.com | OIMHOST2VHN3.example.com | 9704 | N/A | No |


    Click Next.

    Note:

    When using Exalogic, ensure that you set the listen address to that associated with the network interface name. For example, IAMHOST1-INT for the internal IPoIB network.

  16. On the Configure Clusters screen, create clusters as described below by clicking Add and supplying the following information.

    Table 15-9 WebLogic Cluster Information

    | Domain Name | Name | Cluster Messaging Mode | Multicast Address | Multicast Port | Cluster Address |
    |---|---|---|---|---|---|
    | IAMAccessDomain | cluster_oam | unicast | N/A | N/A | |
    | IAMAccessDomain | cluster_ama | unicast | N/A | N/A | |
    | IAMAccessDomain | cluster_msm | unicast | N/A | N/A | |
    | IAMGovernanceDomain | cluster_oim | unicast | N/A | N/A | OIMHOST1VHN1:14000,OIMHOST2VHN1:14000 |
    | IAMGovernanceDomain | cluster_soa | unicast | N/A | N/A | OIMHOST1VHN2:8001,OIMHOST2VHN2:8001 |
    | IAMGovernanceDomain | cluster_bi | unicast | N/A | N/A | OIMHOST1VHN3:9704,OIMHOST2VHN3:9704 |


    Click Next.

  17. On the Assign Servers to Clusters screen, associate the managed servers with the cluster as shown below. Click the cluster name in the right pane. Click the managed server under Servers and then click the arrow to assign it to the cluster.

    Table 15-10 WebLogic Cluster Details

    | Cluster | Domain | Managed Servers |
    |---|---|---|
    | cluster_oam | IAMAccessDomain | WLS_OAM1, WLS_OAM2 |
    | cluster_ama | IAMAccessDomain | WLS_AMA1, WLS_AMA2 |
    | cluster_msm | IAMAccessDomain | WLS_MSM1, WLS_MSM2 |
    | cluster_oim | IAMGovernanceDomain | WLS_OIM1, WLS_OIM2 |
    | cluster_soa | IAMGovernanceDomain | WLS_SOA1, WLS_SOA2 |
    | cluster_bi | IAMGovernanceDomain | WLS_BI1, WLS_BI2 |


    Click Next.

  18. On the Configure Machines screen, click the Unix Machine tab and then click Add to add the following machines. The machine name does not need to be a valid host name or listen address; it is just a unique identifier of a node manager location.

    You create one machine per host in your topology, and an additional Adminhost entry for the Administration Server.

    Table 15-11 Distributed WebLogic Machine Information

    | Domain | Name | Node Manager Listen Address | Node Manager Listen Port |
    |---|---|---|---|
    | IAMAccessDomain | ADMINHOST | LOCALHOST | 5556 |
    | IAMAccessDomain | OAMHOST1.example.com | OAMHOST1.example.com | 5556 |
    | IAMAccessDomain | OAMHOST2.example.com | OAMHOST2.example.com | 5556 |
    | IAMGovernanceDomain | ADMINHOST | LOCALHOST | 5556 |
    | IAMGovernanceDomain | OIMHOST1.example.com | OIMHOST1.example.com | 5556 |
    | IAMGovernanceDomain | OIMHOST2.example.com | OIMHOST2.example.com | 5556 |


    Table 15-12 Consolidated WebLogic Machine Information

    | Domain | Name | Node Manager Listen Address | Node Manager Listen Port |
    |---|---|---|---|
    | IAMAccessDomain | ADMINHOST | LOCALHOST | 5556 |
    | IAMAccessDomain | IAMHOST1.example.com | IAMHOST1.example.com | 5556 |
    | IAMAccessDomain | IAMHOST2.example.com | IAMHOST2.example.com | 5556 |
    | IAMGovernanceDomain | ADMINHOST | LOCALHOST | 5556 |
    | IAMGovernanceDomain | IAMHOST1.example.com | IAMHOST1.example.com | 5556 |
    | IAMGovernanceDomain | IAMHOST2.example.com | IAMHOST2.example.com | 5556 |


    Note:

    If you see a machine called localhost, remove it.

    When using Exalogic, ensure that you set the listen address to that associated with the network interface name. For example, IAMHOST1-INT for the internal IPoIB network.

    Click Next.

  19. On the Assign Servers to Machines screen, assign servers to machines as follows:

    Table 15-13 Machine Names

    | Machine Name (Distributed) | Machine Name (Consolidated) | Managed Servers |
    |---|---|---|
    | AdminHost | AdminHost | Admin Server |
    | OAMHOST1.example.com | IAMHOST1.example.com | WLS_OAM1, WLS_AMA1, WLS_MSM1 |
    | OAMHOST2.example.com | IAMHOST2.example.com | WLS_OAM2, WLS_AMA2, WLS_MSM2 |
    | AdminHost | AdminHost | Admin Server |
    | OIMHOST1.example.com | IAMHOST1.example.com | WLS_SOA1, WLS_OIM1, WLS_BI1 |
    | OIMHOST2.example.com | IAMHOST2.example.com | WLS_SOA2, WLS_OIM2, WLS_BI2 |


    Click Next.

  20. On the Configure JMS File Stores screen (IAMGovernanceDomain only), update the directory locations for the JMS file stores. Provide the information shown in the following table.

    Table 15-14 JMS File Stores Information

    | Name | Directory |
    |---|---|
    | BipJmsStore | RT_HOME/domains/IAMGovernanceDomain/jms/BipJmsStore |
    | UMSJMSFileStore_auto_1 | RT_HOME/domains/IAMGovernanceDomain/jms/UMSJMSFileStore_auto_1 |
    | UMSJMSFileStore_auto_2 | RT_HOME/domains/IAMGovernanceDomain/jms/UMSJMSFileStore_auto_2 |
    | BPMJMSServer_auto_1 | RT_HOME/domains/IAMGovernanceDomain/jms/BPMJMSServer_auto_1 |
    | BPMJMSServer_auto_2 | RT_HOME/domains/IAMGovernanceDomain/jms/BPMJMSServer_auto_2 |
    | SOAJMSFileStore_auto_1 | RT_HOME/domains/IAMGovernanceDomain/jms/SOAJMSFileStore_auto_1 |
    | SOAJMSFileStore_auto_2 | RT_HOME/domains/IAMGovernanceDomain/jms/SOAJMSFileStore_auto_2 |
    | OIMJMSFileStore_auto_1 | RT_HOME/domains/IAMGovernanceDomain/jms/OIMJMSFileStore_auto_1 |
    | OIMJMSFileStore_auto_2 | RT_HOME/domains/IAMGovernanceDomain/jms/OIMJMSFileStore_auto_2 |
    | JRFWSASYNCFILESTORE_AUTO_1 | RT_HOME/domains/IAMGovernanceDomain/jms/JRFWSAsyncFileStore_auto_1 |
    | JRFWSASYNCFILESTORE_AUTO_2 | RT_HOME/domains/IAMGovernanceDomain/jms/JRFWSAsyncFileStore_auto_2 |


    Note:

    The directory locations above must be on shared storage and accessible from OIMHOST1 and OIMHOST2.

    Click Next.

  21. On the Configuration Summary screen, validate that your choices are correct, then click Create.

  22. On the Create Domain screen, click Done.

15.4 Post-Configuration and Verification Tasks

After configuring the domain with the Configuration Wizard, follow these instructions for post-configuration and verification, for each domain created.

15.4.1 Associating the Domain with the OPSS policy Store

You must associate the domain with the OPSS policy store in the database. This must be done before a domain is started.

To associate the domain IAMAccessDomain with the OPSS security store use the following command:

ORACLE_COMMON_HOME/common/bin/wlst.sh IAD_ORACLE_HOME/common/tools/configureSecurityStore.py -d IAD_ASERVER_HOME -c IAM -m create -p opss_schema_password

To associate the domain IAMGovernanceDomain with the OPSS security store use the following command:

ORACLE_COMMON_HOME/common/bin/wlst.sh IGD_ORACLE_HOME/common/tools/configureSecurityStore.py -d IGD_ASERVER_HOME -c IAM -m create -p opss_schema_password

Validate that the above commands have been successful by issuing the command:

ORACLE_COMMON_HOME/common/bin/wlst.sh IAD_ORACLE_HOME/common/tools/configureSecurityStore.py -d IAD_ASERVER_HOME -m validate

OR

ORACLE_COMMON_HOME/common/bin/wlst.sh IGD_ORACLE_HOME/common/tools/configureSecurityStore.py -d IGD_ASERVER_HOME -m validate

15.4.2 Forcing the Managed Servers to use IPv4 Networking

Manually add the system property -Djava.net.preferIPv4Stack=true to the startWebLogic.sh script, which is located in the ASERVER_HOME/bin directory of the domain you are modifying, using a text editor as follows:

  1. Locate the following line in the startWebLogic.sh script:

    ${DOMAIN_HOME}/bin/setDomainEnv.sh $*
    
  2. Add the following property immediately after the above entry:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
    
  3. Save and close the file.

  4. Complete the procedure for each domain.

15.4.3 Setting IAMAccessDomain Memory Parameters

In the IAMAccessDomain the initial startup parameters which define memory usage are insufficient. These parameters need to be increased.

To edit the setDomainEnv.sh file to change the memory allocation settings:

  1. Open the setDomainEnv.sh file located in the following directory using a text editor: IAD_ASERVER_HOME/bin.

  2. Change the following memory allocation by updating the Java maximum memory allocation pool (Xmx) to 3072m and initial memory allocation pool (Xms) to 1024m. For example, change the following line to be:

    WLS_MEM_ARGS_64BIT="-Xms1024m -Xmx3072m"
    

    Update the values of the following parameters as specified:

    XMS_JROCKIT_64BIT="1024"
    XMX_JROCKIT_64BIT="3072"
    XMS_SUN_64BIT="1024"
    XMX_SUN_64BIT="3072"
    

    Save the file when finished.

15.4.4 Creating boot.properties for the WebLogic Administration Servers

Create a boot.properties file for each Administration Server. This file will be placed into the ASERVER_HOME/servers/AdminServer directory of each domain (IAD/IGD). If the file already exists, edit it. The boot.properties file enables the Administration Server to start without prompting you for the administrator username and password.

For the Administration Server:

  1. Create the following directory structure.

    mkdir -p ASERVER_HOME/servers/AdminServer/security
    

    Where ASERVER_HOME is the SHARED_CONFIG_DIR domain directory that corresponds with that Administration Server: IAMAccessDomain or IAMGovernanceDomain.

  2. In a text editor, create a file called boot.properties in the last directory created in the previous step, and enter the username and password in the file. For example:

    username=weblogic
    password=password for weblogic user
    
  3. Save the file and close the editor.

Note:

The username and password entries in the file are not encrypted until you start the Administration Server. For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.
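
One way to limit exposure during the cleartext window described in the note above, shown as an added example that is not part of the original guide: write boot.properties with owner-only permissions, then confirm after the first start that both entries were encrypted. The function names are hypothetical, and the check assumes encrypted values carry the {AES} prefix ({3DES} on older releases).

```shell
#!/bin/sh
# Added example, not Oracle tooling. Function names are hypothetical.

# write_boot_properties ASERVER_HOME USERNAME
# Reads the password from stdin so it never appears in argv or shell history,
# and creates the security directory and file readable by the owner only.
write_boot_properties() {
    aserver_home=$1
    user=$2
    sec_dir="$aserver_home/servers/AdminServer/security"
    IFS= read -r password || [ -n "$password" ] || return 1
    (
        umask 077                         # new directories 0700, new files 0600
        mkdir -p "$sec_dir" || exit 1
        printf 'username=%s\npassword=%s\n' "$user" "$password" \
            > "$sec_dir/boot.properties"
    ) || return 1
    # A file that already existed keeps its old mode, so tighten it explicitly.
    chmod 600 "$sec_dir/boot.properties"
}

# boot_properties_state FILE
# Prints "missing", "cleartext" or "encrypted".
# Assumption: the Administration Server rewrites both values with an {AES}
# (or, on older releases, {3DES}) prefix the first time it starts.
boot_properties_state() {
    file=$1
    [ -f "$file" ] || { echo missing; return 0; }
    state=encrypted
    for key in username password; do
        value=$(sed -n "s/^$key=//p" "$file" | head -n 1)
        case $value in
            '{AES}'*|'{3DES}'*) ;;
            *) state=cleartext ;;
        esac
    done
    echo "$state"
}

# Typical use (paths are placeholders from this guide):
#   write_boot_properties IAD_ASERVER_HOME weblogic    # type the password, Enter
#   ... start the Administration Server ...
#   boot_properties_state IAD_ASERVER_HOME/servers/AdminServer/security/boot.properties
```

A result of cleartext after the server has started means the file was not picked up from the expected directory and still holds a readable password.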

15.4.5 Perform Initial Node Manager Configuration

One Node Manager runs per host, regardless of the number of domains being supported by that host. Node Manager uses content from the MW_HOME/wlserver_10.3 directory. If you are running a consolidated topology where Access and Governance components run on the same host, you must start Node Manager from one of the MW_HOMEs.

The steps in this section apply to the Middleware home of your choice. These steps are for initial bootstrapping. Further Node Manager configuration steps are described in Chapter 16, "Setting Up Node Manager for an Enterprise Deployment".

The following sections refer to just MW_HOME or ASERVER_HOME, to make it generic. If you are using Node Manager from the IAD_MW_HOME, the values would be IAD_MW_HOME or IAD_ASERVER_HOME. If you are using the Node Manager from the IGD_MW_HOME, then the IGD prefix should be used.

Note:

Perform the tasks in this section only if you have not configured the Node Manager on the host yet.

For example, if you are running a consolidated topology, and if you have already created a domain and configured the Node Manager for that host and any subsequent hosts in the following chapter, you do not have to perform the tasks in this section.

Perform the following tasks to set the initial Node Manager configuration:

  1. Section 15.4.5.1, "Starting Node Manager"

  2. Section 15.4.5.2, "Updating the Node Manager Credentials"

  3. Section 15.4.5.3, "Disabling Host Name Verification"

  4. Section 15.4.5.4, "Restart the Administration Server via Node Manager"

  5. Section 15.4.5.5, "Validating the WebLogic Administration Server"

15.4.5.1 Starting Node Manager

You start the Administration Server by using WLST and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager. Setting the memory parameters is required only for the first start operation. You must start the Node Manager only once per Administration Server host.

Note:

This procedure assumes that you have applied WebLogic Server patch 13964737. For more information, see:

Before you start the Node Manager, edit the MW_HOME/wlserver_10.3/server/bin/startNodeManager.sh as follows:

  1. Open the startNodeManager.sh file in an editor and locate the line starting with:

    . "${WL_HOME}/common/bin/commEnv.sh"
    
  2. Add the following line below the line that you located in the previous step:

    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true"
    

    It is recommended that you perform this step from both IAD_MW_HOME and IGD_MW_HOME.

  3. Save the file.
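
The same kind of edit is made to startWebLogic.sh in Section 15.4.2 and to startNodeManager.sh above, once per domain or Middleware home. The following added example (not Oracle tooling; add_java_option is a hypothetical helper) applies it idempotently, keeps a backup copy, and leaves a script untouched when the anchor line is not found.

```shell
#!/bin/sh
# Added example, not Oracle tooling. add_java_option is a hypothetical helper.

# add_java_option FILE ANCHOR OPTIONS
#   FILE    start script to edit
#   ANCHOR  literal text of the line after which the property must be added
#   OPTIONS the -D flags to append to JAVA_OPTIONS
# Returns 0 if the line is present afterwards, 2 if the anchor was not found.
add_java_option() {
    file=$1
    anchor=$2
    opts=$3
    line="JAVA_OPTIONS=\"\${JAVA_OPTIONS} $opts\""

    # Already applied: do nothing, so the script can be re-run safely.
    grep -qF -- "$line" "$file" && return 0

    # Anchor missing: the script differs from what the guide expects.
    # Leave it untouched rather than appending in the wrong place.
    grep -qF -- "$anchor" "$file" || return 2

    cp -p "$file" "$file.orig" || return 1

    # Values are passed through the environment so that "$", "{" and
    # backslashes in them are treated as plain text by awk.
    ANCHOR=$anchor LINE=$line awk '
        { print }
        !inserted && index($0, ENVIRON["ANCHOR"]) {
            print ENVIRON["LINE"]
            inserted = 1
        }
    ' "$file.orig" > "$file"
}

# Typical use with the values given in this guide (paths are placeholders):
#   add_java_option ASERVER_HOME/bin/startWebLogic.sh \
#       '/bin/setDomainEnv.sh' '-Djava.net.preferIPv4Stack=true'
#   add_java_option MW_HOME/wlserver_10.3/server/bin/startNodeManager.sh \
#       '${WL_HOME}/common/bin/commEnv.sh' \
#       '-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true'
```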

Perform these steps to start Node Manager on the administration host:

  1. Start the Node Manager to generate an initial property file. To do this, run the following commands:

    MW_HOME/wlserver_10.3/server/bin/startNodeManager.sh
    
  2. Stop the Node Manager by killing the process.

  3. Update the generated Node Manager Property file by running the following commands:

    cd MW_HOME/oracle_common/common/bin
    ./setNMProps.sh
    

    This adds an extra parameter called StartScriptEnabled to the property file. This ensures that, when the Administration Server is started, it uses the startWebLogic.sh script.

    Note:

    You must use the StartScriptEnabled property to avoid class loading failures and other problems.

    If you are creating a distributed topology, MW_HOME refers to the MW_HOME of the component that will be run on that machine. For example, OAMHOST will use IAD_MW_HOME.

    If you are creating a consolidated topology, set MW_HOME to be the home that you are running Node Manager out of. Only one Node Manager can run on a given server.

  4. Restart the Node Manager using the instructions mentioned in the first step.

15.4.5.2 Updating the Node Manager Credentials

You must update each domain with Node Manager administration credentials. This is done via the WebLogic Administration Console, which must first be started. You start the Administration Server by using WLST and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager.

  1. Start the Administration Server using the start script in the domain directory:

    Note:

    As part of the application of WebLogic patch 13964737: SU Patch [YVDZ], you should have added Java arguments to various system shell scripts to enable JSSE. Refer to Section 16.1, "Recreating WebLogic Demo Certificates" for updating the scripts ASERVER_HOME/bin/startWebLogic.sh and MW_HOME/wlserver_10.3/common/bin/wlst.sh.

    cd ASERVER_HOME/bin
    ./startWebLogic.sh
    
  2. Use the Administration Console to update the Node Manager credentials for the domain.

    1. In a browser, access the WebLogic Administration console.

      http://IADADMINVHN.example.com:7001/console
      or
      http://IGDADMINVHN.example.com:7101/console
      
    2. Log in as the weblogic user, using the password you specified during the installation.

    3. Click Lock & Edit.

    4. Click domain_name.

    5. Select the Security tab, and then the General tab.

    6. Expand Advanced Options.

    7. Enter a new username for Node Manager or make a note of the existing one and update the Node Manager password.

    8. Click Save.

    9. Click Activate Changes.

15.4.5.3 Disabling Host Name Verification

This step is required if you have not set up the appropriate certificates to authenticate the different nodes with the Administration Server. (See Chapter 16, "Setting Up Node Manager for an Enterprise Deployment") If you have not configured the server certificates, you will receive errors when managing the different WebLogic Servers. To avoid these errors, disable host name verification while setting up and validating the topology, and enable it again once the enterprise deployment topology configuration is complete.

To disable host name verification, complete the following steps for each domain:

  1. Log in to the Oracle WebLogic Server Administration console.

  2. Log in as the user weblogic, using the password you specified during the installation.

  3. Click Lock & Edit.

  4. Expand the Environment node in the Domain Structure window.

  5. Click Servers.

    The Summary of Servers page appears.

  6. Select AdminServer(admin) in the Name column of the table. The Settings page for AdminServer(admin) appears.

  7. Click the SSL tab.

  8. Click Advanced.

  9. Set Hostname Verification to None.

  10. Click Save.

  11. Click Activate Changes.
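
Because host name verification is meant to be enabled again once the topology is complete, it helps to be able to list the servers where it is still off. The following added example is not part of the original guide; it assumes the setting is stored in the domain's config.xml as a hostname-verification-ignored element, written one element per line, and the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Function names are hypothetical.
# Assumption: setting Hostname Verification to None is recorded in config.xml
# as <hostname-verification-ignored>true</hostname-verification-ignored>
# inside the <ssl> element of the affected <server>.

# servers_without_hostname_verification CONFIG_XML
# Prints the name of every server that still ignores host name verification.
servers_without_hostname_verification() {
    awk '
        /<server>/   { in_server = 1; name = ""; next }
        /<\/server>/ { in_server = 0; next }
        # The first <name> inside <server> is the server name; later <name>
        # elements (for example the one inside <ssl>) are skipped.
        in_server && name == "" && /<name>/ {
            name = $0
            sub(/.*<name>/, "", name)
            sub(/<\/name>.*/, "", name)
        }
        in_server && /<hostname-verification-ignored>true</ { print name }
    ' "$1"
}

# check_hostname_verification CONFIG_XML
# Returns 0 when no server ignores host name verification, 1 otherwise, so it
# can gate the final step of a deployment checklist.
check_hostname_verification() {
    offenders=$(servers_without_hostname_verification "$1")
    [ -z "$offenders" ] && return 0
    printf 'hostname verification disabled: %s\n' $offenders >&2
    return 1
}

# Constructed sample: a cut-down config.xml using server names from this guide.
constructed_config_xml() {
    cat <<'EOF'
<domain>
  <name>IAMAccessDomain</name>
  <server>
    <name>AdminServer</name>
    <ssl>
      <name>AdminServer</name>
      <hostname-verification-ignored>true</hostname-verification-ignored>
    </ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>WLS_OAM1</name>
    <listen-port>14100</listen-port>
  </server>
  <server>
    <name>WLS_OAM2</name>
    <ssl>
      <hostname-verification-ignored>false</hostname-verification-ignored>
    </ssl>
    <listen-port>14100</listen-port>
  </server>
</domain>
EOF
}

# Typical use (path is a placeholder from this guide):
#   check_hostname_verification ASERVER_HOME/config/config.xml
```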

15.4.5.4 Restart the Administration Server via Node Manager

  1. Stop the WebLogic Administration Server by issuing the command stopWebLogic.sh located under the following directory:

    ASERVER_HOME/bin
    
  2. Start WLST and connect to the Node Manager with nmConnect and the credentials you set previously. Then start the Administration Server using nmStart.

    cd ORACLE_COMMON_HOME/common/bin
    ./wlst.sh
    

    Once in the WLST shell, execute the following commands:

    nmConnect('Admin_User','Admin_Password', 'ADMINHOST1','5556', 'domain_name','ASERVER_HOME')
    nmStart('AdminServer')
    

    Where domain_name is the name of the domain, and Admin_User and Admin_Password are the Node Manager username and password you entered in Step 2. For example:

    nmConnect('weblogic','password', 'OAMHOST1','5556',
      'IAMAccessDomain','ASERVER_HOME')
    nmStart('AdminServer')
    

15.4.5.5 Validating the WebLogic Administration Server

Perform these steps to ensure that the Administration Server is properly configured:

  1. In a browser, log in to the Oracle WebLogic Server Administration Console, for example:

    http://IADADMINVHN.example.com:7001/console
    or
    http://IGDADMINVHN.example.com:7101/console
    
  2. Log in as the WebLogic administrator, for example: weblogic.

  3. Check that you can access Oracle Enterprise Manager Fusion Middleware Control, for example:

    http://IADADMINVHN.example.com:7001/em
    or
    http://IGDADMINVHN.example.com:7101/em
    
  4. Log in to Oracle Enterprise Manager Fusion Middleware Control as the WebLogic administrator, for example: weblogic.

15.4.6 Creating a Separate Domain Directory for Managed Servers in the Same Node as the Administration Server

Use the pack and unpack commands to separate the domain directory used by the Administration Server from the domain directory used by the managed servers. Before running the unpack script, be sure the following directories exist:

IAD_MSERVER_HOME
IGD_MSERVER_HOME

To create a separate domain directory on IAMAccessDomain:

  1. Run the following command from the location IAD_MW_HOME/oracle_common/common/bin to create a template pack:

    ./pack.sh -managed=true -domain=IAD_ASERVER_HOME -template=domaintemplate.jar -template_name=domain_template
    
  2. Run the following command from the location IAD_MW_HOME/oracle_common/common/bin to unpack the template in the managed server domain directory:

    ./unpack.sh -domain=IAD_MSERVER_HOME -template=domaintemplate.jar -app_dir=IAD_MSERVER_HOME/applications
    

    Note:

    You must have write permissions on the following directory before running the unpack command:
    LOCAL_CONFIG_DIR/domains/
    
  3. If you already have a domain or Managed Servers running on this host, ensure that the SHARED_CONFIG_DIR/nodemanager/hostname/nodemanager.domains has an entry for the domain you are creating. This entry should point to the MSERVER_HOME directory.

    If the entry is missing, you must enrol the domain with the running Node Manager. To do this, perform the following steps:

    1. Launch the WebLogic Scripting Tool (WLST) using the following command from the location MW_HOME/oracle_common/common/bin:

      ./wlst.sh

    2. Connect to the domain you wish to add, by running the following command:

      connect('weblogic_user','password','t3://ADMINVHN:AdminPort')

      In this command:

      weblogic_user is the WebLogic Administration user. For example, weblogic or weblogic_idm.

      password is the password of the WebLogic Administrator account.

      ADMINVHN is the virtual host name of Administration Server. For example, IGDADMINVHN or IADADMINVHN.

      AdminPort is the port on which the Administration Server is running. For example, 7101.

      For example:

      connect('weblogic_idm','mypasswd','t3://igdadminvhn.example.com:7001')
      
    3. Enrol the domain using the following command:

      nmEnroll(domainDir=full_path_to_the_domain,nmHome=full_path_to_the_nodemanager_home)

      For example:

      nmEnroll(domainDir='/u02/private/oracle/config/domains/IAMGovernanceDomain/',nmHome='/u01/oracle/config/nodemanager/hostname')
      

      Note:

      For Managed Servers, the domain home must be specified as the local Managed Server directory.
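
The check described in step 3, as an added shell example that is not part of the original guide: it reads nodemanager.domains and reports whether the domain is already enrolled against the managed server directory, so you know whether nmEnroll is needed. It assumes the file holds Java-properties-style DomainName=path lines; the function names, return codes and the sample /u01 path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): decide whether nmEnroll is needed.
# Assumption: nodemanager.domains contains Java-properties-style lines,
#   DomainName=/path/to/domain[;/alternate/path]

# check_nm_domain FILE DOMAIN EXPECTED_DIR
#   0  entry exists and lists EXPECTED_DIR
#   1  no entry for DOMAIN            -> enrol the domain with nmEnroll
#   2  entry exists, other directory  -> e.g. still points at ASERVER_HOME
#   3  FILE missing or unreadable
check_nm_domain() {
    nm_file=$1
    nm_domain=$2
    nm_want=${3%/}                      # ignore one trailing slash
    [ -r "$nm_file" ] || return 3
    awk -v d="$nm_domain" -v want="$nm_want" '
        /^[ \t]*[#!]/ { next }          # properties comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != d) next
            found = 1
            n = split(val, dirs, ";")   # primary and alternate directories
            for (i = 1; i <= n; i++) {
                p = dirs[i]
                gsub(/^[ \t]+|[ \t\r]+$/, "", p)
                sub(/\/+$/, "", p)
                if (p == want) ok = 1
            }
        }
        END { if (ok) exit 0; if (found) exit 2; exit 1 }
    ' "$nm_file"
}

# write_sample_domains FILE: constructed sample, not taken from a real host.
# IAMGovernanceDomain deliberately points somewhere other than MSERVER_HOME.
write_sample_domains() {
    cat > "$1" <<'EOF'
#Domains and directories created by Configuration Wizard
IAMAccessDomain=/u02/private/oracle/config/domains/IAMAccessDomain
IAMGovernanceDomain=/u01/oracle/config/domains/IAMGovernanceDomain
EOF
}

# demo: run the check for both domains against the constructed sample.
demo() {
    demo_file=$(mktemp)
    write_sample_domains "$demo_file"
    for demo_domain in IAMAccessDomain IAMGovernanceDomain; do
        demo_rc=0
        check_nm_domain "$demo_file" "$demo_domain" \
            "/u02/private/oracle/config/domains/$demo_domain/" || demo_rc=$?
        case $demo_rc in
            0) echo "$demo_domain: enrolled against MSERVER_HOME" ;;
            1) echo "$demo_domain: no entry, run nmEnroll" ;;
            2) echo "$demo_domain: entry points elsewhere, run nmEnroll" ;;
            *) echo "$demo_domain: cannot read nodemanager.domains" ;;
        esac
    done
    rm -f "$demo_file"
}

# Run the demo with:  sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```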

15.4.7 Propagating Changes to Remote Servers

Before you can start managed servers on remote hosts, you must first perform an unpack on those servers.

IAMAccessDomain should be unpacked on OAMHOST2 and IAMGovernanceDomain should be unpacked on host OIMHOST2.

Using the file domaintemplate.jar created above, perform an unpack on the target host by using the following commands:

cd IAD_MW_HOME/oracle_common/common/bin
./unpack.sh -domain=IAD_MSERVER_HOME -template=domaintemplate.jar -app_dir=IAD_MSERVER_HOME/applications

15.4.8 Starting Node Manager on Remote Servers

Start the Node Manager on OIMHOST1, OIMHOST2, OAMHOST1, and OAMHOST2, if not already started.

For information about starting the Node Manager, see Section 31.1.4.1, "Starting Node Manager".

15.4.9 Configuring the Web Tier

This section of the document describes how to access the WebLogic Administration services via the Web Server. The Web Server will be either Oracle HTTP Server or Oracle Traffic Director depending on your topology.

Perform the following tasks to configure the Web Tier:

  1. Section 15.4.9.1, "Registering Oracle HTTP Server with Oracle WebLogic Server"

  2. Section 15.4.9.2, "Setting the Front End URL for the Administration Console"

  3. Section 15.4.9.3, "Enabling WebLogic Plug-in"

  4. Section 15.4.9.4, "Validating Access to Domains"

15.4.9.1 Registering Oracle HTTP Server with Oracle WebLogic Server

This step is optional.

For Oracle Enterprise Manager Fusion Middleware Control to be able to manage and monitor the Oracle HTTP server, you must register the Oracle HTTP server with IAMAccessDomain. To do this, register Oracle HTTP Server with Oracle WebLogic Server by running the following command on WEBHOST1 from the location OHS_ORACLE_INSTANCE/bin:

./opmnctl registerinstance -adminHost IADADMINVHN.example.com -adminPort 7001 -adminUsername WebLogic

Run this command for ohs2 on WEBHOST2 as well. Each Oracle HTTP Server can be registered with only one domain.

15.4.9.2 Setting the Front End URL for the Administration Console

Oracle WebLogic Server Administration Console tracks changes that are made to ports, channels, and security using the console. When changes made through the console are activated, the console validates its current listen address, port, and protocol. If the listen address, port, and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using a load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address. To make this change, perform the following steps:

  1. Log in to the WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. Expand the Environment node in the Domain Structure window.

  4. Click Servers to open the Summary of Servers page.

  5. Select Admin Server in the Names column of the table. The Settings page for AdminServer(admin) appears.

  6. Go to the Protocols tab, and then to the HTTP tab.

  7. Set the Front End Host and Front End HTTP Port fields to your load balancer address, as shown in Table 15-15.

    Table 15-15 Front End URL Information

    Domain               Front End Host        Front End HTTP Port
    IAMAccessDomain      iadadmin.example.com  80
    IAMGovernanceDomain  igdadmin.example.com  80


  8. Click Save, and then click Activate Changes.

To eliminate redirections, the best practice is to disable the Administration console's Follow changes feature. To do this, log in to the administration console and click Preference, and then click Shared Preferences. Deselect Follow Configuration Changes, and click Save.

15.4.9.3 Enabling WebLogic Plug-in

In Enterprise deployments, Oracle WebLogic Server is fronted by Oracle HTTP servers. The HTTP servers are, in turn, fronted by a load balancer, which performs SSL translation. In order for internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.

The plug-in can be set at either the domain, cluster, or Managed Server level. Because all requests to Oracle WebLogic Server are through the Oracle OHS plug-in, set it at the domain level.

To do this, perform the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. Click domain_name (for example, IAMAccessDomain) in the Domain Structure menu.

  4. Go to the Configuration tab.

  5. Go to the Web Applications sub tab.

  6. Select WebLogic Plugin Enabled.

  7. Click Save, and then click Activate Changes.

  8. Restart the WebLogic Administration Server.

15.4.9.4 Validating Access to Domains

Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors.

Validate access to the Administration Console and Oracle Enterprise Manager Fusion Middleware Control through Oracle HTTP Server, using the console and em URLs that are available after Web Tier integration. For example:

http://iadadmin.example.com/console
http://iadadmin.example.com/em
http://igdadmin.example.com/console
http://igdadmin.example.com/em

15.4.10 Using JDBC Persistent Stores for TLOGs and JMS in an Enterprise Deployment

This section provides guidelines for when to use JDBC persistent stores for transaction logs (TLOGs) and JMS. This section also provides the procedures to configure the persistent stores in a supported database.

A JDBC store can be configured when a relational database is used for storage. A JDBC store enables you to store persistent messages in a standard JDBC-capable database, which is accessed through a designated JDBC data source. The data is stored in the JDBC store's database table, which has a logical name of WLStore. It is up to the database administrator to configure the database for high availability and performance. JDBC stores also support migratable targets for automatic or manual JMS service migration.

Using JMS in the database is optional; however, it can simplify Disaster Recovery implementations. If other servers in the same domain have already been configured with a JDBC store for JMS, the same tablespace and data sources can be used. The sections below describe the steps to configure a database user and tablespace for the JDBC persistent store, and a GridLink data source in WebLogic for the database schema.

Once the database schema and datasource are configured, you must create the JDBC persistent store and associate it with the gridlink datasource.

The following sections describe the process for configuring a JDBC persistent store for the OIM JMS server. The same procedure can be followed to configure a JDBC JMS persistent store for the SOA and BI JMS servers.

15.4.10.1 About JDBC Persistent Stores for JMS and TLOGs

Oracle Fusion Middleware supports both database-based and file-based persistent stores for Oracle WebLogic Server transaction logs (TLOGs) and JMS. Before deciding on a persistent store strategy for your environment, consider the advantages and disadvantages of each approach.

Note:

Regardless of which storage method you choose, Oracle recommends that, for transaction integrity and consistency, you use the same type of store for both JMS and TLOGs.

When you store your TLOGs and JMS data in an Oracle database, you can take advantage of the replication and high availability features of the database. For example, you can use Oracle Data Guard to simplify cross-site synchronization. This is especially important if you are deploying Oracle Fusion Middleware in a disaster recovery configuration.

Storing TLOGs and JMS data in a database also means you do not have to identify a specific shared storage location for this data. However, the shared storage is still required for other aspects of an enterprise deployment. For example, it is necessary for Administration Server configuration (to support Administration Server failover), for deployment plans, and for adapter artifacts, such as the File/FTP Adapter control and processed files.

If you are storing TLOGs and JMS stores on a shared storage device, you can protect this data by using the appropriate replication and backup strategy to guarantee zero data loss, and you will potentially realize better system performance. However, the file system protection will always be inferior to the protection provided by an Oracle Database.

For more information about the potential performance impact of using a database-based TLOGs and JMS store, see Section 15.4.10.2, "Performance Impact of the TLOGs and JMS Persistent Stores".

15.4.10.2 Performance Impact of the TLOGs and JMS Persistent Stores

One of the primary considerations when selecting a storage method for Transaction Logs and JMS persistent stores is the potential impact on performance. This topic provides some guidelines and details to help you determine the performance impact of using JDBC persistent stores for TLOGs and JMS.

Performance Impact of Transaction Logs Versus JMS Stores

For transaction logs, the impact of using a JDBC store is relatively small, because the logs are very transient in nature. Typically, the effect is minimal when compared to other database operations in the system.

On the other hand, JMS database stores can have a higher impact on performance if the application is JMS intensive. For example, the impact of switching from a file-based to database-based persistent store is very low when you are using the SOA Fusion Order Demo (a sample application used to test Oracle SOA Suite environments), because the JMS database operations are masked by many other SOA database invocations that are much heavier.

Factors that Affect Performance

There are multiple factors that can affect the performance of a system when it is using JMS DB stores for custom destinations. The following are the important ones:

  • Custom destinations involved and their type

  • Payloads being persisted

  • Concurrency on the SOA system (producers and consumers for the destinations)

Depending on the effect of each one of the above, different settings can be configured in the following areas to improve performance:

  • Type of data types used for the JMS table (using raw versus lobs)

  • Segment definition for the JMS table (partitions at index and table level)

Impact of JMS Topics

If your system uses Topics intensively, then, as concurrency increases, the performance degradation with an Oracle RAC database will increase more than for Queues. In tests conducted by Oracle with JMS, the average performance degradation for different payload sizes and different concurrency was less than 30% for Queues. For topics, the impact was more than 40%. Consider the importance of these destinations from the recovery perspective when deciding whether to use database stores.

Impact of Data Type and Payload Size

When choosing to use the RAW or SecureFiles LOB data type for the payloads, consider the size of the payload being persisted. For example, when payload sizes range between 100b and 20k, then the amount of database time required by SecureFiles LOB is slightly higher than for the RAW data type.

More specifically, when the payload size reaches around 4k, SecureFiles tends to require more database time. This is because 4k is where writes move out-of-row. At around 20k payload size, SecureFiles data starts being more efficient. When payload sizes increase to more than 20k, then the database time becomes worse for payloads set to the RAW data type.

One additional advantage for SecureFiles is that the database time incurred stabilizes with payload increases starting at 500k. In other words, at that point it is not relevant (for SecureFiles) whether the data is storing 500k, 1MB, or 2MB payloads, because the write is asynchronized, and the contention is the same in all cases.

The effect of concurrency (producers and consumers) on the queue's throughput is similar for both RAW and SecureFiles until the payload sizes reach 50k. For small payloads, the effect of varying concurrency is practically the same, with slightly better scalability for RAW. Scalability is better for SecureFiles when the payloads are above 50k.

Impact of Concurrency, Worker Threads, and Database Partitioning

Concurrency and worker threads defined for the persistent store can cause contention in the RAC database at the index and global cache level. Using a reverse index when enabling multiple worker threads in one single server or using multiple Oracle WebLogic Server clusters can improve things. However, if the Oracle Database partitioning option is available, then global hash partition for indexes should be used instead. This reduces the contention on the index and the global cache buffer waits, which in turn improves the response time of the application. Partitioning works well in all cases, some of which will not see significant improvements with a reverse index.

15.4.10.3 Roadmap for Configuring a JDBC Persistent Store for TLOGs

This section lists the tasks to configure a database-based persistent store for JMS:

  1. Section 15.4.10.5, "Creating a User and Tablespace for TLOGs"

  2. Section 15.4.10.7, "Creating GridLink Data Sources for TLOGs and JMS Stores"

  3. Section 15.4.10.8, "Assigning the TLOGs JDBC Store to the Managed Servers"

15.4.10.5 Creating a User and Tablespace for TLOGs

Before you can create a database-based persistent store for transaction logs, you must create a user and tablespace in a supported database by completing the following steps:

  1. Create a tablespace called logs. For example, log in to SQL*Plus as the sysdba user and run the following command:

    create tablespace IAMTLOGS datafile 'DBFILE_LOCATION/IAMTLOGS.dbf' size 32m autoextend on next 32m maxsize 2048m extent management local;
    
  2. Create a user named IAMTLOGS and assign to it the IAMTLOGS tablespace using the following command:

    create user IAMTLOGS identified by password;
    grant create table to IAMTLOGS;
    grant create session to IAMTLOGS;
    alter user IAMTLOGS default tablespace IAMTLOGS;
    alter user IAMTLOGS quota unlimited on IAMTLOGS;
    

15.4.10.6 Creating a User and Tablespace for JMS

To set up a user and tablespace for the JDBC Persistent store, complete the following steps:

  1. Create a tablespace called IAMJMS. For example, log on to SQL*Plus as the sysdba user and run the following command:

    create tablespace IAMJMS datafile 'DB_HOME/oradata/orcl/IAMJMS.dbf' size 32m autoextend on next 32m maxsize 2048m extent management local;
    
  2. Create a user named EDGIGD_JMS and assign to it the IAMJMS tablespace using the following command:

    create user EDGIGD_JMS identified by password;
    grant create table to EDGIGD_JMS;
    grant create session to EDGIGD_JMS;
    alter user EDGIGD_JMS default tablespace IAMJMS;
    alter user EDGIGD_JMS quota unlimited on IAMJMS;
    

15.4.10.7 Creating GridLink Data Sources for TLOGs and JMS Stores

Before you can configure database-based persistent stores for JMS and TLOGs, you must create two data sources: one for the TLOGs persistent store and one for the JMS persistent store.

For an enterprise deployment, you should use GridLink data sources for your TLOGs and JMS stores. To create a GridLink data source, complete the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console for the IAMGovernanceDomain. The following is an example of the URL:

    http://igdadmin.example.com:7101/console

  2. In the Change Center, click Lock & Edit.

  3. In the Domain Structure tree, expand Services, then select Data Sources.

  4. On the Summary of Data Sources page, click New and select GridLink Data Source, and enter the following information appropriate to the datasource you are creating:

    Name         JNDI Name      Database Driver
    IGDTLOGS_DS  jdbc/igdtlogs  Oracle's Driver (Thin) for GridLink Connections Versions: 11 and later
    IGDJMS_DS    jdbc/igdjms    Oracle's Driver (Thin) for GridLink Connections Versions: 11 and later


    Click Next.

  5. On the Transaction Options page, de-select Supports Global Transactions, Logging Last Resource, and Emulate Two Phase commit.

    Click Next.

  6. On the GridLink Data Source Connection Properties Options screen, select Enter individual listener information.

    Click Next.

  7. Enter the following connection properties:

    • Service Name: Enter the service name of the database with lowercase characters. For a GridLink data source, you must enter the Oracle RAC service name. For example, igdedg.example.com

    • Host Name and Port: Enter the SCAN address and port for the RAC database, separated by a colon. For example:

      db-scan.example.com:1521

      Click Add to add the host name and port to the list box below the field.

      You can identify this address by querying the appropriate parameter in the database using the TCP Protocol:

      SQL>show parameter remote_listener;

      NAME TYPE VALUE
      remote_listener string db-scan.example.com

      Note:

      For Oracle Database 11g Release 1 (11.1), use the virtual IP and port of each database instance listener. For example:

      IDMDBHOST1-vip.example.com (port 1521)

      and

      IDMDBHOST2-vip.example.com (port 1521)

    • Port: The port on which the database server listens for connection requests.

    • Database User Name: For the TLOGs store, enter IAMTLOGS. For the JMS persistent store, enter EDGIGD_JMS. For example, EDGIGD_JMS

    • Password: Enter the password you used when you created the user in the database. For example: password

    • Confirm Password: Enter the password again.

    Click Next.

  8. On the Test GridLink Database Connection page, review the connection parameters and click Test All Listeners.

    Click Next.

  9. On the ONS Client Configuration page, do the following:

    Select FAN Enabled to subscribe to and process Oracle FAN events.

    Enter the SCAN address for the RAC database and the ONS remote port as reported by the database. For example:

    srvctl config nodeapps -s

    ONS exists: Local port 6100, remote port 6200, EM port 2016

    Click ADD.

    Click Next.

    Note:

    For Oracle Database 11g Release 1 (11.1), use the hostname and port of each database's ONS service, for example:

    IDMDBHOST1.example.com (port 6200)

    and

    IDMDBHOST2.example.com (6200)

  10. On the Test ONS Client Configuration page, review the connection parameters and click Test All ONS Nodes.

    Click Next.

  11. On the Select Targets page, select cluster_bi, cluster_oim, and cluster_soa.

  12. Click Finish.

  13. Repeat the steps to create both the data sources.

  14. Click Activate Changes after you create each of the data sources, or after creating both.

15.4.10.8 Assigning the TLOGs JDBC Store to the Managed Servers

After you create the tablespace and user in the database, and the datasource, you must assign the TLOGs persistence store to each of the required Managed Servers. To do this, complete the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console for the IAMGovernanceDomain. The following is an example of the URL:

    http://igdadmin.example.com:7101/console

  2. In the Change Center, click Lock and Edit.

  3. In the Domain Structure tree, expand Environment, and then Servers.

  4. Click the name of the Managed Server you want to use the TLOGs store.

  5. Select Configuration, and then select General.

  6. Go to the Services tab.

  7. Under Transaction Log Store, select JDBC from the Type menu.

  8. From the Data Source menu, select the data source you created for the TLOGs persistence store.

  9. In the Prefix Name field, specify a prefix name to form a unique JDBC TLOG store name for each configured JDBC TLOG store.

  10. Click Save.

  11. Repeat steps 3 to 7 for each of the additional Managed Servers in the cluster.

  12. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

15.4.10.9 Creating a JMS JDBC Store

To create a JDBC Persistent Store, complete the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. In the Change Center, click Lock & Edit.

  3. In the Domain Structure tree, expand Services, then select Persistent Stores.

  4. On the Summary of Persistent Stores page, click New, and select JDBC Store, and enter the following:

    • Name: Name of the jdbc store. For example, OIMJMSDBSTORE_1

    • Target: wls_oim1

    • Data Source: IGDJMS_DS

    • Prefix Name: oimjmsdb1

    Note:

    It is highly recommended that you configure the Prefix option to a unique value for each configured JDBC store table.

  5. Click OK.

  6. Repeat steps 3 to 5 for the Persistent Stores listed in Table 15-16.

    Table 15-16 Persistent Stores

    Name                 Target    Datasource  Prefix
    OIMJMSDBSTORE_2      wls_oim2  IGDJMS_DS   oimjmsdb2
    SOAJMSDBSTORE_1      wls_soa1  IGDJMS_DS   soajmsdb1
    SOAJMSDBSTORE_2      wls_soa2  IGDJMS_DS   soajmsdb2
    BIJMSDBSTORE_1       wls_bi1   IGDJMS_DS   bijmsdb1
    BIJMSDBSTORE_2       wls_bi2   IGDJMS_DS   bijmsdb2
    BPMJMSDBSTORE_1      wls_soa1  IGDJMS_DS   bpmjmsdb1
    BPMJMSDBSTORE_2      wls_soa2  IGDJMS_DS   bpmjmsdb2
    JRFWSASYNCDBSTORE_1  wls_oim1  IGDJMS_DS   jrfwsasynchdb1
    JRFWSASYNCDBSTORE_2  wls_oim2  IGDJMS_DS   jrfwsasynchdb2
    PS6SOAJMSDBSTORE_1   wls_soa1  IGDJMS_DS   ps6soajmsdb1
    PS6SOAJMSDBSTORE_2   wls_soa2  IGDJMS_DS   ps6soajmsdb2
    UMSJMSDBSTORE_1      wls_soa1  IGDJMS_DS   umsjmsdb1
    UMSJMSDBSTORE_2      wls_soa2  IGDJMS_DS   umsjmsdb2


15.4.10.10 Assigning the JMS JDBC Store to the JMS Servers

To configure JMS Server to use JDBC Persistent Store, do the following:

  1. In the Domain Structure tree, expand Services, Messaging, and then select JMS Servers.

  2. On the Summary of JMS Servers page, click OIMJMSSERVER_auto_1, which is the JMS Server for OIM that is targeted to WLS_OIM1.

  3. On the General Configurations page of the OIM JMS Server, update the Persistent Store to use the JDBC Persistent store OIMJMSDBSTORE_1.

  4. Click Save and then click Finish.

  5. Repeat steps 1 to 4 for each of the JMS data stores created in the earlier sections.

  6. Click Activate Changes.

Note:

When Oracle BI Publisher is configured, only one persistent store is created. This is a known issue. To manually create a JMS store for each of the BI Managed Servers, refer to Section 20.2.2, "Configuring JMS for BI Publisher".

15.4.10.11 Creating the Required Tables for JMS JDBC Store

The final step in using a JDBC persistent store for JMS is to create the required JDBC store tables. Perform this task before restarting the Managed Servers in the domain. To do this, complete the following steps:

  1. If you want to use oracle_blob.ddl, run the following commands to extract the oracle_blob.ddl file from the com.bea.core.store.jdbc_1.3.1.0.jar file:

    cd IGD_MW_HOME/modules

    jar -xvf com.bea.core.store.jdbc_1.3.1.0.jar weblogic/store/io/jdbc/ddl

    Note:

    If you omit the weblogic/store/io/jdbc/ddl parameter, then the entire jar file is extracted.

  2. Review the information in Performance Impact of the TLOGs and JMS Persistent Stores, and edit the DDL file accordingly.

    For example, for an optimized schema definition that uses both secure files and hash partitioning, create a jms_custom.ddl file in the RT_HOME directory (or any other directory on shared storage accessible from all servers) with the following content:

    CREATE TABLE $TABLE (
      id     int  not null,
      type   int  not null,
      handle int  not null,
      record blob not null,
    PRIMARY KEY (ID) USING INDEX GLOBAL PARTITION BY HASH (ID) PARTITIONS 8)
    LOB (RECORD) STORE AS SECUREFILE (ENABLE STORAGE IN ROW);
    

    This example can be compared to the default schema definition for JMS stores, where the RAW data type is used without any partitions for indexes.

    Note that the number of partitions should be a power of two. This will ensure that each partition will be of the same size. The recommended number of partitions will vary depending on the expected table or index growth. You should have your database administrator (DBA) analyze the growth of the tables over time and adjust the tables accordingly. For more information, see the Oracle Database VLDB and Partitioning Guide.

  3. Using the Administration Console, edit the existing JDBC store you created earlier to create the table that will be used for the JMS data. To do this, complete the following steps:

    1. Log in to the Oracle WebLogic Server Administration Console.

    2. In the Change Center, click Lock and Edit.

    3. In the Domain Structure tree, expand Services, then expand Persistent Stores.

    4. Click the persistent store you created earlier.

    5. Under the Advanced options, enter RT_HOME/jms_custom.ddl in the Create Table from DDL File field.

      Note:

      You can use the oracle_blob.ddl that was extracted from com.bea.core.store.jdbc_1.3.1.0.jar or you can use a custom ddl script prepared as part of step 2.

      The oracle_blob.ddl path would be:

      IGD_MW_HOME/modules/weblogic/store/io/jdbc/ddl/oracle_blob.ddl

    6. Click Save.

    7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.

    8. Restart the Managed Servers.

15.4.11 Manually Failing over the WebLogic Administration Server

If a node running the Administration Server fails, you can fail over the Administration Server to another node. To do this, complete the following steps:

  1. Disable the Administration Server virtual IP address on the failed server, if it is not disabled already.

  2. Unmount the ASERVER_HOME shared file system from the failed server, if it is not dismounted already.

  3. Mount the ASERVER_HOME shared file system on a new node.

  4. Enable the Administration Server virtual IP Address on the new server.

  5. Start the Administration Server.

15.4.12 Backing up the WebLogic Domain

It is recommended that you create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far was successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up the database, see Oracle Database Backup and Recovery User's Guide.

To back up the installation at this point, complete the following steps:

  1. Back up the web tier.

  2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.

  3. Stop the Node Manager and all the processes running in the domain.

  4. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory.

15.4.13 Adding a Load Balancer Certificate to JDK Trust Stores

Some IAM Products require that the SSL certificate used by the load balancer be added to the trusted certificates in the JDK.

To add the certificate, do the following:

  1. Create a directory to hold user created keystores and certificates. For example:

    mkdir SHARED_CONFIG_DIR/keystores
    
  2. Obtain the certificate from the load balancer.

    You can obtain the load balancer certificate by using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:

    openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/LOADBALANCER.pem
    

    For example:

    openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM > SHARED_CONFIG_DIR/keystores/login.example.com.pem
    

    This command saves the certificate to a file called login.example.com.pem in the following directory:

    SHARED_CONFIG_DIR/keystores
    
  3. Load the certificate into the JDK and Node Manager trust stores by running the following commands, which import the CA certificate file, login.example.com.pem, into the IGD_MW_HOME Java trust store and the Node Manager trust stores:

    export JAVA_HOME=IGD_MW_HOME/jdk
    
    export PATH=$JAVA_HOME/bin:$PATH
     
    keytool -importcert -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
     
    keytool -importcert -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1vhn1.example.com.jks
     
    keytool -importcert -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2vhn1.example.com.jks
     
    keytool -importcert -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost1.example.com.jks
     
    keytool -importcert -file SHARED_CONFIG_DIR/keystores/login.example.com.pem -trustcacerts -keystore SHARED_CONFIG_DIR/keystores/appTrustKeyStore-oimhost2.example.com.jks
    

    You are prompted to enter a password for the keystore. The default password for the JDK is changeit. The default password for the Node Manager keystores is COMMON_IAM_PASSWORD. You are also prompted to confirm that the certificate is valid.

    Note:

    The names of the virtual hosts you assigned to your OIM server are oimhost1vhn1 and oimhost2vhn1.
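
The openssl s_client fetch in step 2 saves whatever certificate the network path returned, and step 3 then makes it trusted. As an added example that is not part of the original guide, the shell helpers below compare the saved PEM file's SHA-256 fingerprint with a value obtained out of band from the load balancer administrator before calling keytool. The function names, return codes and the alias argument are hypothetical, and the demo certificate is generated locally as constructed input.

```shell
#!/bin/sh
# Added example (not from the guide): check the saved load balancer
# certificate against a fingerprint obtained out of band, then import it.

# cert_sha256 PEM: print the SHA-256 fingerprint as lowercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# normalize_fp STRING: accept "AB:CD:..", "ab cd .." or plain hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_pinned_cert PEM EXPECTED_FP
#   0  exactly one certificate, not expired, fingerprint matches
#   1  fingerprint mismatch
#   2  file unreadable, unparsable, or not exactly one certificate
#   3  certificate has expired
verify_pinned_cert() {
    vp_pem=$1
    vp_want=$(normalize_fp "$2")
    [ -r "$vp_pem" ] || return 2
    # openssl x509 reads only the first certificate; insist there is just one.
    vp_count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$vp_pem" || true)
    [ "$vp_count" -eq 1 ] || return 2
    vp_got=$(cert_sha256 "$vp_pem" 2>/dev/null)
    [ -n "$vp_got" ] || return 2
    openssl x509 -in "$vp_pem" -noout -checkend 0 >/dev/null 2>&1 || return 3
    [ "$vp_got" = "$vp_want" ] || return 1
    return 0
}

# import_pinned_cert PEM EXPECTED_FP KEYSTORE ALIAS
# Calls keytool only after the pin check passes; keytool still prompts for
# the keystore password. An explicit -alias is passed because keytool
# otherwise stores the entry under its default alias, "mykey".
import_pinned_cert() {
    verify_pinned_cert "$1" "$2" || {
        ip_rc=$?
        echo "refusing to import $1 (check returned $ip_rc)" >&2
        return "$ip_rc"
    }
    keytool -importcert -file "$1" -trustcacerts -keystore "$3" -alias "$4"
}

# make_demo_cert PEM: constructed throwaway self-signed certificate that
# stands in for the file saved by the openssl s_client command.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=login.example.com" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# demo: a matching pin passes, a wrong pin is rejected.
demo() {
    demo_dir=$(mktemp -d)
    make_demo_cert "$demo_dir/login.example.com.pem"
    # In real use this value comes from the load balancer administrator,
    # not from the downloaded file itself.
    demo_fp=$(cert_sha256 "$demo_dir/login.example.com.pem")
    if verify_pinned_cert "$demo_dir/login.example.com.pem" "$demo_fp"; then
        echo "pin matches: safe to import"
    fi
    if ! verify_pinned_cert "$demo_dir/login.example.com.pem" \
            "$(printf '%064d' 0)"; then
        echo "wrong pin rejected"
    fi
    rm -rf "$demo_dir"
}

# Run the demo with:  sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```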

15.4.14 Enabling Exalogic Optimizations

This section describes the tasks specific to Exalogic optimization. This section contains the following topic:

15.4.14.1 Enabling WebLogic Domain Exalogic Optimization

Perform these steps to enable WebLogic domain Exalogic optimizations:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Select the domain name, IAMAccessDomain or IAMGovernanceDomain, in the left navigation pane.

  3. Click Lock & Edit.

  4. On the Settings page, click the General tab.

  5. Select Enable Exalogic Optimizations, and click Save and Activate Changes.

  6. Restart the WebLogic Administration Server.