This chapter describes how to install and configure the Identity and Access Management database repositories.
This chapter contains the following topics:
Overview of Preparing the Databases for an Identity and Access Management Enterprise Deployment
Verifying the Database Requirements for an Enterprise Deployment
Using SecureFiles for Large Objects (LOBs) in an Oracle Database
Loading the Identity and Access Management Schemas in the Oracle RAC Database Using RCU
The Identity and Access Management components in the enterprise deployment use database repositories. This chapter describes how to perform the following steps:
Verify the database requirements as described in Section 10.2, "Verifying the Database Requirements for an Enterprise Deployment."
Install and configure the Oracle database repositories. See the installation guides listed in the "Related Documents" section of the Preface and Section 10.3, "Installing the Database for an Enterprise Deployment."
Create database services, as described in Section 10.4, "Creating Database Services."
Create the required Oracle schemas in the database using the Repository Creation Utility (RCU). See Section 10.7, "Loading the Identity and Access Management Schemas in the Oracle RAC Database Using RCU."
Before loading the metadata repository into your databases, check that they meet the requirements described in these subsections:
For Oracle Identity and Access Management, a number of separate databases are recommended. Table 10-1 provides a summary of these databases. Which database or databases you use depends on the topology that you are implementing.
The Oracle Metadata Services (MDS) Repository is a particular type of repository that contains metadata for some Oracle Fusion Middleware components. It can also include custom Java EE applications developed by your organization.
For this release of IAM you must use a separate RCU schema prefix for each domain. This allows different products to use a different database if required.
Table 10-1 Mapping between Databases and Schemas
Database Names | Database Hosts | Scan Address | Service Name | RCU Prefix | Schemas in Database |
---|---|---|---|---|---|
IADDB | IADDBHOST1, IADDBHOST2 | | | EDGIAD | OAM, IAU, MDS, OPSS, MSM, OIF |
IGDDB | IGDDBHOST1, IGDDBHOST2 | | | EDGIGD | OIM, SOAINFRA, MDS, OPSS, ORASDPM, BI, ODS |
Note:
Table 10-1 shows two separate databases to make the transition to a multi data center deployment simpler. You may combine the two databases into a single database, if required.
Note:
ODS is required only if you are using OID. It can be placed into a dedicated database if required.
The following sections apply to all the databases listed in Table 10-1.
The database used to store the metadata repository should be highly available in its own right; for maximum availability, Oracle recommends the use of an Oracle Real Application Clusters (RAC) database.
Ideally the database should use Oracle Automatic Storage Management (ASM) for the storage of data; however, this is not necessary.
If using ASM, then ASM should be installed into its own Oracle home and have two disk groups:
One for the Database Files
One for the Flash Recovery Area
If you are using Oracle ASM, best practice is to also use Oracle Managed Files.
The Deployment Tools require that you have Oracle Database 11.2.0.0 or newer for Oracle RAC deployments.
To check if your database is certified or to see all certified databases, refer to the "Certified Databases" section in the Certification Document:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
To determine the version of your installed Oracle Database, execute the following query at the SQL prompt:
select version from sys.product_component_version where product like 'Oracle%';
If you are using Oracle Database 11g (11.2.0.2.0), make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 10259620. This is a prerequisite for installing the Oracle Identity Manager schemas.
Table 10-2 lists the patches required for Oracle Identity Manager configurations that use Oracle Database 11g Release 2 (11.2.0.2.0). Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.
Table 10-2 Required Patches for Oracle Database 11g (11.2.0.2.0)
Platform | Patch Number and Description on My Oracle Support |
---|---|
Linux x86 (32-bit), Linux x86 (64-bit) | RDBMS Interim Patch#10259620. If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return an empty result. |
Note:
Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.
In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the note "Wrong Results on 11.2.0.2 with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" at http://support.oracle.com for the workaround. This note can be followed to set the parameters accordingly, with the only exception that they need to be altered at the Database Instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.
The Oracle Database must meet some minimum requirements.
Character Set–The character set must be Unicode compliant, for example: AL32UTF8.
Database Options–The following database options must be installed into the database:
Oracle JVM
Oracle Text
Database Views–The following Database view must be created on the database:
XAVIEWS
Database Packages–The following Database package must exist in the database:
DBMS_SHARED_POOL
Transparent Data Encryption–This is required by Oracle Privileged Account Manager.
The databases must have the following minimum initialization parameters defined:
Table 10-3 Minimum Initialization Parameters for Oracle Databases
Parameter | Value |
---|---|
It is recommended that you set these parameters in the Database Configuration Assistant when creating the database. If you have not done this, you can adjust them after creation by using the ALTER SYSTEM command. For example:
sqlplus / as sysdba
alter system set aq_tm_processes=1 scope=spfile;
After making changes in the spfile, restart the database. For example:
srvctl stop database -d iaddb
srvctl start database -d iaddb
Note:
For guidelines on setting up optimum parameters for the Database, see Oracle Fusion Middleware Performance and Tuning Guide.
Install and configure the database repository as follows.
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.
For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide. When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration screen to create a separate Automatic Storage Management home.
Oracle Real Application Clusters
For 11g Release 1 (11.1), see Oracle Real Application Clusters Installation Guide.
Oracle Real Application Clusters Database
Create a Real Applications Clusters Database with the following characteristics:
Database must be in archive log mode to facilitate backup and recovery.
Optionally, enable the Flashback database.
Create UNDO tablespace of sufficient size to handle any rollback requirements during the Oracle Identity Manager reconciliation process.
Database is created with the AL32UTF8 character set.
When multiple Oracle Fusion Middleware products are sharing the same database, each product should be configured to connect to a separate, dedicated database service.
Note:
The instructions in this section are for the Oracle Database 12c (12.1) release. If you are using another supported database, refer to the appropriate documentation library for more up-to-date and release-specific information.
For more information about connecting to Oracle databases using services, see "Overview of Using Dynamic Database Services to Connect to Oracle Databases" in the Oracle Real Application Clusters Administration and Deployment Guide.
In addition, the database service should be different from the default database service. For complete instructions on creating and managing database services for an Oracle Database 12c database, see "Overview of Automatic Workload Management with Dynamic Database Services" in the Oracle Real Application Clusters Administration and Deployment Guide.
Run-time connection load balancing requires configuring Oracle RAC Load Balancing Advisory with service-level goals for each service for which load balancing is enabled.
This section includes the following topics:
Section 10.4.1, "Creating Database Services for 12c Databases"
Section 10.4.2, "Creating a Database Service for Oracle Internet Directory"
Use srvctl to create the database services for the components in your topology. The services to be created are listed in Table 10-1, "Mapping between Databases and Schemas".
Log in to SQL*Plus and create the service:
sqlplus "sys/password as sysdba"
SQL> EXECUTE DBMS_SERVICE.CREATE_SERVICE (SERVICE_NAME => 'iadedg.example.com', NETWORK_NAME => 'iadedg.example.com' );
Note:
For the Service Name of the Oracle RAC database, use lowercase letters, followed by the domain name. For example: iadedg.example.com
Enter the EXECUTE DBMS_SERVICE command shown on a single line.
For more information about the DBMS_SERVICE package, see Oracle Database PL/SQL Packages and Types Reference.
Add the service to the database and assign it to the instances using the following command:
srvctl add service -d iaddb -s iadedg.example.com -r iaddb1,iaddb2 -q FALSE -m NONE -e SELECT -w 0 -z 0
The meanings of the command-line arguments are as follows:
Option | Argument |
---|---|
-d | Unique name for the database |
-s | Service name |
-r | Comma separated list of preferred instances |
-q | AQ HA notifications (TRUE or FALSE) |
-e | Failover type (NONE, SESSION, or SELECT) |
-m | Failover method (NONE or BASIC) |
-w | Failover delay (integer) |
-z | Failover retries (integer) |
Start the service using srvctl start service:
srvctl start service -d iaddb -s iadedg.example.com
Validate that the service started by using srvctl status service, as follows:
srvctl status service -d iaddb -s iadedg.example.com
Service iadedg.example.com is running on instance(s) iaddb1,iaddb2
Validate that the service was created correctly by using srvctl config service:
srvctl config service -d iaddb -s iadedg.example.com
Service name: iadedg.example.com
Service is enabled
Server pool: IADDB_iadedg.example.com
Cardinality: 2
Disconnect: false
Service role: PRIMARY
Management policy: AUTOMATIC
DTP transaction: false
AQ HA notifications: false
Failover type: SELECT
Failover method: NONE
TAF failover retries: 0
TAF failover delay: 0
Connection Load Balancing Goal: LONG
Runtime Load Balancing Goal: NONE
TAF policy specification: NONE
Edition:
Preferred instances: iaddb1,iaddb2
Available instances:
Note:
For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.
OID does not have the same retry logic as WebLogic GridLink data sources. However, creating a database service specifically for OID that is TAF (Transparent Application Failover) enabled will simulate this logic and result in faster resumption after the failure of a database RAC instance.
To create a TAF-enabled database service, issue the following commands:
srvctl add service -d igddb -s oidedg.example.com -r igddb1,igddb2 -q TRUE -m BASIC -e SELECT -w 5 -z 5
srvctl start service -d igddb -s oidedg.example.com
srvctl status service -d igddb -s oidedg.example.com
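The two service definitions in this section differ only in their failover flags. The following POSIX shell script is an added example, not code from the Oracle guide: one function creates, starts and verifies a RAC service with srvctl, taking the non-TAF flags of Section 10.4.1 or the TAF flags of Section 10.4.2 depending on an argument, and refusing service names that do not follow the lowercase, domain-qualified convention in the note above. The database, instance and service names are the guide's sample values; the srvctl invocations themselves only work on a RAC node.

```shell
#!/bin/sh
# Added example, not code from the Oracle guide: create, start and verify a
# RAC database service with srvctl. One function covers both the plain service
# of Section 10.4.1 (retries are handled by WebLogic GridLink data sources) and
# the TAF-enabled service for OID in Section 10.4.2. Database, instance and
# service names used below are the guide's sample values; substitute your own.

# Return 0 when a service name follows the guide's convention: lowercase
# letters, digits, dots and hyphens only, qualified with a domain name.
# The character set is spelled out so the match does not depend on locale collation.
service_name_ok() {
    case "$1" in
        *[!abcdefghijklmnopqrstuvwxyz0123456789.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Failover flags for srvctl add service. "taf" gives the OID settings from
# Section 10.4.2 (AQ HA notifications, BASIC method, 5 s delay, 5 retries);
# anything else gives the non-TAF settings from Section 10.4.1.
taf_flags() {
    if [ "$1" = "taf" ]; then
        echo "-q TRUE -m BASIC -e SELECT -w 5 -z 5"
    else
        echo "-q FALSE -m NONE -e SELECT -w 0 -z 0"
    fi
}

# create_service <db_unique_name> <service> <preferred_instances> [taf]
# Rejects names that break the convention before touching the cluster, then
# adds, starts and checks the service; returns non-zero on the first failure.
create_service() {
    db=$1; svc=$2; inst=$3; mode=${4:-plain}
    service_name_ok "$svc" || { echo "service name must be lowercase and domain-qualified: $svc" >&2; return 2; }
    command -v srvctl >/dev/null 2>&1 || { echo "srvctl not found; run this on a RAC node" >&2; return 2; }
    # Word splitting of the flag list is intended here
    srvctl add service -d "$db" -s "$svc" -r "$inst" $(taf_flags "$mode") || return 1
    srvctl start service -d "$db" -s "$svc" || return 1
    # The status line must show the service running on every preferred instance, e.g.
    # "Service iadedg.example.com is running on instance(s) iaddb1,iaddb2"
    srvctl status service -d "$db" -s "$svc" | grep -q "is running on instance(s) $inst" || return 1
    # Print the full configuration so the failover settings can be compared with the guide
    srvctl config service -d "$db" -s "$svc"
}

# Usage on a RAC node (the guide's sample values):
#   create_service iaddb iadedg.example.com iaddb1,iaddb2
#   create_service igddb oidedg.example.com igddb1,igddb2 taf
```

The name check runs before any cluster command so that a mistyped, mixed-case service name is caught at the shell rather than surfacing later as a connection failure from the data source configuration.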
Note:
In the above commands, iamdb, oidedg.example.com, iamdb1, iamdb2, and idmdb are sample values. You must substitute them with the appropriate values.
Beginning with Oracle Database 11g Release 1, Oracle introduced SecureFiles, a new LOB storage architecture. It is recommended that you use SecureFiles for the Oracle Fusion Middleware schemas, in particular for the Oracle SOA Suite schemas. For more information, see "SecureFiles LOB Storage" in the Oracle Database SecureFiles and Large Objects Developer's Guide.
In Oracle 12c Database, the default setting for using SecureFiles is PREFERRED. This means that the database attempts to create a SecureFiles LOB unless a BasicFiles LOB is explicitly specified for the LOB or the parent LOB (if the LOB is in a partition or sub-partition). The Oracle Fusion Middleware schemas do not explicitly specify BasicFiles, which means that Oracle Fusion Middleware LOBs will default to SecureFiles when installed in an Oracle 12c database.
For Oracle 11g databases, the db_securefile system parameter controls the SecureFiles usage policy. This parameter can be modified dynamically. The following options can be used for using SecureFiles:
PERMITTED: This option allows SecureFiles to be created. This is the default setting for db_securefile. The default storage method uses BasicFiles.
FORCE: This option creates all new LOBs as SecureFiles.
ALWAYS: This option tries to create LOBs as SecureFiles, but falls back to BasicFiles if not possible (that is, if ASSM is disabled).
IGNORE: This option ignores attempts to create SecureFiles.
NEVER: This option disallows new SecureFiles creations.
For Oracle 11g databases, it is recommended that you set the db_securefile parameter to FORCE before creating the Oracle Fusion Middleware schemas using the Repository Creation Utility (RCU).
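The database requirements listed in Section 10.2 (version, Unicode character set, Oracle JVM and Oracle Text, the XA views, the DBMS_SHARED_POOL package) and the db_securefile setting discussed here are all worth verifying in one pass before RCU is run. The following POSIX shell script is an added example, not code from the Oracle guide: it feeds a SQL*Plus script to a SYSDBA session and tallies the results. It makes three assumptions not stated on the page: the XAVIEWS requirement is taken to mean the V$XATRANS$ view created by $ORACLE_HOME/rdbms/admin/xaview.sql; Oracle JVM and Oracle Text are checked through their DBA_REGISTRY component ids JAVAVM and CONTEXT; and EDG_EXPECT_SECUREFILE is a hypothetical variable holding the db_securefile value you expect (FORCE on 11g, PREFERRED on 12c).

```shell
#!/bin/sh
# Added example, not code from the Oracle guide: a SQL*Plus preflight check for
# the database requirements in this chapter, run as SYSDBA before loading the
# RCU schemas. The SQL prints one "CHECK <name> PASS|FAIL <detail>" line per
# requirement and summarize_checks() fails if any of them failed.
# Assumptions (not stated on the page): XAVIEWS refers to the V$XATRANS$ view
# created by $ORACLE_HOME/rdbms/admin/xaview.sql; Oracle JVM and Oracle Text
# are the DBA_REGISTRY components JAVAVM and CONTEXT; EDG_EXPECT_SECUREFILE is a
# hypothetical variable holding the db_securefile value you expect.

# Print the SQL implementing the checks; $1 is the expected db_securefile value.
prereq_sql() {
    cat <<EOF
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200
-- Version: the deployment tools need 11.2.0.0 or newer
SELECT 'CHECK version ' || CASE WHEN version >= '11.2' THEN 'PASS ' ELSE 'FAIL ' END || version
  FROM sys.product_component_version WHERE product LIKE 'Oracle%';
-- Character set must be Unicode (AL32UTF8)
SELECT 'CHECK charset ' || CASE WHEN value = 'AL32UTF8' THEN 'PASS ' ELSE 'FAIL ' END || value
  FROM nls_database_parameters WHERE parameter = 'NLS_CHARACTERSET';
-- Required options: Oracle JVM (JAVAVM) and Oracle Text (CONTEXT) must be present and VALID
SELECT 'CHECK option_' || LOWER(w.comp_id) || ' '
       || CASE WHEN r.status = 'VALID' THEN 'PASS ' ELSE 'FAIL ' END || NVL(r.status, 'MISSING')
  FROM (SELECT 'JAVAVM' comp_id FROM dual UNION ALL SELECT 'CONTEXT' FROM dual) w
  LEFT JOIN dba_registry r ON r.comp_id = w.comp_id;
-- Required XA view and DBMS_SHARED_POOL package
SELECT 'CHECK xaviews ' || CASE WHEN COUNT(*) > 0 THEN 'PASS' ELSE 'FAIL' END
  FROM dba_views WHERE view_name = 'V\$XATRANS\$';
SELECT 'CHECK dbms_shared_pool ' || CASE WHEN COUNT(*) > 0 THEN 'PASS' ELSE 'FAIL' END
  FROM dba_objects WHERE owner = 'SYS' AND object_name = 'DBMS_SHARED_POOL' AND object_type = 'PACKAGE';
-- SecureFiles policy: FORCE is recommended on 11g; 12c defaults to PREFERRED
SELECT 'CHECK db_securefile ' || CASE WHEN UPPER(value) = '$1' THEN 'PASS ' ELSE 'FAIL ' END || value
  FROM v\$parameter WHERE name = 'db_securefile';
EXIT
EOF
}

# Read CHECK lines on stdin, print a one-line verdict for each and return
# non-zero if any check failed or if no CHECK line was seen at all (which
# usually means SQL*Plus reported an error instead of running the script).
summarize_checks() {
    fails=0; seen=0
    while read -r tag name result detail; do
        [ "$tag" = "CHECK" ] || continue
        seen=$((seen + 1))
        [ "$result" = "PASS" ] || fails=$((fails + 1))
        echo "$name: $result ${detail:-}"
    done
    [ "$seen" -gt 0 ] && [ "$fails" -eq 0 ]
}

# Run the checks through SQL*Plus with OS authentication and summarize them.
run_prereq_checks() {
    prereq_sql "${EDG_EXPECT_SECUREFILE:-FORCE}" | sqlplus -S "/ as sysdba" | summarize_checks
}

# Usage on a database node with ORACLE_HOME and ORACLE_SID set:
#   EDG_EXPECT_SECUREFILE=PREFERRED run_prereq_checks   # 12c
#   run_prereq_checks                                   # 11g, expects FORCE
```

The summary step treats "no CHECK lines at all" as a failure on purpose: a SQL*Plus login error or a missing privilege would otherwise produce an empty, and misleadingly clean, result.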
Note:
The SecureFiles segments require tablespaces managed with automatic segment space management (ASSM). This means that LOB creation on SecureFiles will fail if ASSM is not enabled. However, the Oracle Fusion Middleware tablespaces are created by default with ASSM enabled. As a result, with the default configuration, nothing needs to be changed to enable SecureFiles for the Oracle Fusion Middleware schemas.
The database parameters defined in Section 10.2.5.2, "Minimum Initialization Parameters" are only a guide. You might need to perform additional tuning after the system is in use. For more information, see Database Performance Tuning Guide.
Refresh the database statistics after you initially load the database, and on an ongoing basis. To do that, issue a SQL*Plus command for each schema. The following example is for the schema EDGIGD_OIM:
exec DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME=> 'EDGIGD_OIM', ESTIMATE_PERCENT=>DBMS_STATS.AUTO_SAMPLE_SIZE, DEGREE=>8, OPTIONS=>'GATHER AUTO', NO_INVALIDATE=>FALSE);
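The statistics refresh above is shown for one schema. The following POSIX shell script is an added example, not the guide's own code: it runs the same DBMS_STATS call for every schema under an RCU prefix such as EDGIAD or EDGIGD from Table 10-1 (assumption: RCU names schemas <PREFIX>_<COMPONENT>, as in EDGIGD_OIM, so the list can be taken from DBA_USERS). Because the prefix is interpolated into SQL text, it is first validated against uppercase letters and digits (an assumption about valid prefixes; RCU prefixes are alphanumeric), so an unexpected value is rejected instead of altering the statement.

```shell
#!/bin/sh
# Added example, not code from the Oracle guide: refresh optimizer statistics
# for every schema created under one RCU prefix (EDGIAD or EDGIGD in Table 10-1),
# using the same DBMS_STATS call the guide shows for EDGIGD_OIM.
# Assumption: RCU names schemas <PREFIX>_<COMPONENT>, so the schema list is
# taken from DBA_USERS by prefix rather than maintained by hand.

# The prefix is interpolated into SQL text, so accept only uppercase letters
# and digits (RCU prefixes are alphanumeric; Oracle stores user names in
# uppercase). Anything else is rejected rather than passed to SQL*Plus.
prefix_ok() {
    case "$1" in
        "") return 1 ;;
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a PL/SQL block that gathers statistics for each <prefix>_<component> schema.
gather_stats_sql() {
    cat <<EOF
SET SERVEROUTPUT ON
BEGIN
  FOR s IN (SELECT username FROM dba_users
             WHERE username LIKE '$1\_%' ESCAPE '\'
             ORDER BY username) LOOP
    DBMS_OUTPUT.PUT_LINE('Gathering statistics for ' || s.username);
    DBMS_STATS.GATHER_SCHEMA_STATS(OWNNAME => s.username,
      ESTIMATE_PERCENT => DBMS_STATS.AUTO_SAMPLE_SIZE, DEGREE => 8,
      OPTIONS => 'GATHER AUTO', NO_INVALIDATE => FALSE);
  END LOOP;
END;
/
EXIT
EOF
}

# gather_prefix_stats <RCU_PREFIX>: validate the prefix, then run the block as SYSDBA.
gather_prefix_stats() {
    prefix_ok "$1" || { echo "invalid RCU prefix: '$1'" >&2; return 2; }
    gather_stats_sql "$1" | sqlplus -S "/ as sysdba"
}

# Usage on a database node: gather_prefix_stats EDGIGD
```

The ESCAPE clause matters: without it the underscore in the LIKE pattern is a single-character wildcard and a prefix such as EDGIAD would also match any user named EDGIADX.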
This section describes the list of schemas required for deploying Identity and Access Management and the procedure for creating them manually. This section includes the following topics:
Before you can configure the Oracle Identity and Access Management software, you must install the database schemas listed in Table 10-4.
If you are using the IDMLCM provisioning tool to automatically configure the software, then you can create these schemas as part of the automated deployment.
If you wish to create the schemas manually, then follow the instructions described in Section 10.7.2, "Creating the Database Schemas Manually".
Table 10-4 Database Schemas Required for Oracle Identity and Access Management
Database | RCU Prefix | Product | RCU Option | Comments |
---|---|---|---|---|
IADDB | EDGIAD | Oracle Platform Security Services for IAMAccessDomain | AS Common Schemas–Oracle Platform Security Service | Audit and Metadata Services are also selected. |
IADDB | EDGIAD | Oracle Access Management Access Manager | Identity Management–Oracle Access Manager | Audit Services will also be selected. |
IADDB | EDGIAD | Oracle Adaptive Access Manager | Oracle Identity Management–Oracle Adaptive Access Manager | If required. |
IGDDB | EDGIGD | Oracle Platform Security Services for IAMGovernanceDomain | AS Common Schemas–Oracle Platform Security Service | Audit and Metadata Services are also selected. |
IGDDB | EDGIGD | Oracle Identity Manager | Identity Management–Oracle Identity Manager | Metadata Services, SOA infrastructure, and User Messaging will also be selected. |
IGDDB | EDGIGD | Oracle Privileged Account Manager | Oracle Identity Management–Oracle Privileged Account Manager | |
IGDDB | EDGIGD | Oracle Business Intelligence | Oracle Identity Management–Oracle Business Intelligence Manager | |
IGDDB | EDGIGD | Oracle Internet Directory | Oracle Identity Management–Oracle Internet Directory | If you are using Oracle Internet Directory. |
Note:
Although you are specifying a prefix for OID, OID will not actually use a prefix. This is a limitation of the tool.
Note:
While it is recommended to separate schemas into different databases to aid with future Multi Data Center deployments, it is not mandatory to do so. If you have no plans to use Multi Data Center, it may be better to place all schemas in a single database.
When creating schemas manually using the Repository Creation Utility (RCU), you must select the following products in the Select Components screen of RCU:
For Oracle Identity Manager, select Identity Management - Oracle Identity Manager.
For Oracle Access Manager, select the following:
Identity Management - Oracle Access Manager
Identity Management - Oracle Mobile Security Manager
Identity Management - Oracle Adaptive Access Manager - if Oracle Adaptive Access Manager (OAAM) is part of your deployment.
Note:
When you select Oracle Identity Management or Oracle Access Management under Identity Management, all the required schema components for the selected product are selected automatically.
This section describes how to create schemas manually using the Repository Creation Utility.
You must run the Repository Creation Utility (RCU) twice, once for each domain, specifying a different prefix each time. To create the schemas, complete the following steps:
Start the Repository Creation Utility (RCU) by issuing this command:
RCU_ORACLE_HOME/bin/rcu
On the Welcome screen, click Next.
On the Create Repository screen, select the Create operation to load component schemas into a database. Then click Next.
On the Database Connection Details screen, provide the information required to connect to an existing database. For example:
Database Type: Oracle Database
Host Name: Enter the VIP address of one of the RAC database nodes or the database SCAN address, for example: IAMDBSCAN.mycompany.com
Port: The port number for the database listener (DB_LSNR_PORT). For example: 1521
Service Name: The service name of the database. For example: OAMEDG.mycompany.com.
Use the service names for the components you will select from the table in Step 6.
Username: sys
Password: The sys user password
Role: SYSDBA
Click Next.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Select Components screen, provide the following values:
Create a New Prefix: Enter a prefix to be added to the database schemas. Note that all schemas are required to have a prefix. See Table 10-1, "Mapping between Databases and Schemas" or Table 10-4, "Database Schemas Required for Oracle Identity and Access Management" for RCU prefixes.
Components: Select the appropriate components from the Table 10-4 for the topology you are using.
Click Next.
Notes:
If your topology requires more than one database, the following important considerations apply:
Be sure to install the correct schemas in the correct database.
You might have to run the RCU more than once to create all the schemas for a given topology.
Table 10-1 in this chapter provides the recommended mapping between the schemas and their corresponding databases. Refer to this table to ensure that the correct details are entered in this screen.
On the Check Prerequisites screen, click OK after the prerequisites have been validated.
On the Schema Passwords screen, enter the passwords for the schemas. You can choose to use either the same password for all the schemas or different passwords for each of the schemas. The deployment wizard requires that all passwords for a given prefix be the same.
Click Next.
On the Map Tablespaces screen, accept the defaults and click Next.
On the confirmation screen, click OK to allow the creation of the tablespaces.
On the Creating tablespaces screen, click OK to acknowledge creation of the tablespaces.
On the Summary screen, review the summary and verify that the details provided are accurate. Click Create to start the schema creation process.
On the Completion summary screen, verify that the schemas were created.
Repeat these steps for the remaining service names.
Click Close to exit.
After you have prepared your database, back it up as described in Section 31.5.3.3, "Backing Up the Database."