10 Preparing the Database for an Enterprise Deployment

This chapter describes how to install and configure the Identity and Access Management database repositories.

This chapter contains the following topics:

10.1 Overview of Preparing the Databases for an Identity and Access Management Enterprise Deployment

The Identity and Access Management components in the enterprise deployment use database repositories. This chapter describes how to perform the following steps:

10.2 Verifying the Database Requirements for an Enterprise Deployment

Before loading the metadata repository into your databases, check that they meet the requirements described in these subsections:

10.2.1 Databases Required

For Oracle Identity and Access Management, a number of separate databases are recommended. Table 10-1 provides a summary of these databases. Which database or databases you use depends on the topology that you are implementing.

The Oracle Metadata Services (MDS) Repository is a particular type of repository that contains metadata for some Oracle Fusion Middleware components. It can also include custom Java EE applications developed by your organization.

For this release of IAM you must use a separate RCU schema prefix each domain. This allows different products to use a different database if required.

Table 10-1 Mapping between Databases and Schemas

Database Names Database Hosts Scan Address Service Name RCU Prefix Schemas in Database
















Table 10-1 shows two separate database to make the transition to a multi data center deployment simpler. You may combine two databases into a single database, if required.


ODS is required only if you are using OID. This can be placed into a dedicated database if required

The following sections apply to all the databases listed in Table 10-1.

10.2.2 Database Host Requirements

The database used to store the metadata repository should be highly available in its own right, for maximum availability Oracle recommends the use of an Oracle Real Application Clusters (RAC) database.

Ideally the database should use Oracle Automatic Storage Management (ASM) for the storage of data, however this is not necessary.

If using ASM, then ASM should be installed into its own Oracle home and have two disk groups:

  • One for the Database Files

  • One for the Flash Recovery Area

If you are using Oracle ASM, best practice is to also use Oracle Managed Files.

10.2.3 Database Versions Supported

The Deployment Tools require that you have Oracle Database or newer for Oracle RAC deployments.

To check if your database is certified or to see all certified databases, refer to the "Certified Databases" section in the Certification Document:


To determine the version of your installed Oracle Database, execute the following query at the SQL prompt:

select version from sys.product_component_version where product like 'Oracle%';

10.2.4 Patch Requirements for Oracle Database 11g (

If you are using Oracle Database 11g (, make sure that you download and install the appropriate version (based on the platform) for the RDBMS Patch Number 10259620. This is a prerequisite for installing the Oracle Identity Manager schemas.

Table 10-2 lists the patches required for Oracle Identity Manager configurations that use Oracle Database 11g Release 2 ( Make sure that you download and install the following patches before creating Oracle Identity Manager schemas.

Table 10-2 Required Patches for Oracle Database 11g (

Platform Patch Number and Description on My Oracle Support

Linux x86 (32-bit)

Linux x86 (64-bit)

RDBMS Interim Patch#10259620.

If this patch is not applied, then problems might occur in user and role search and manager lookup. In addition, search results might return empty result.


  • Apply this patch in ONLINE mode. Refer to the readme.txt file bundled with the patch for the steps to be followed.

  • In some environments, the RDBMS Interim Patch has been unable to resolve the issue, but the published workaround works. Refer to the note "Wrong Results on with Function-Based Index and OR Expansion due to fix for Bug:8352378 [Metalink Note ID 1264550.1]" at http://support.oracle.com for the workaround. This note can be followed to set the parameters accordingly with the only exception that they need to be altered at the Database Instance level by using ALTER SYSTEM SET <param>=<value> scope=<memory> or <both>.

10.2.5 Oracle Database Minimum Requirements

The Oracle Database must meet some minimum requirements. General Database Characteristics

  • Character Set–The character set must be Unicode compliant, for example: AL32UTF8.

  • Database Options–The following database options must be installed into the database:

    • Oracle JVM

    • Oracle Text

  • Database Views–The following Database view must be created on the database:


  • Database Packages–The following Database package must exist in the database:


  • Transparent Data Encryption - This is required by Oracle Privileged Account Manager Minimum Initialization Parameters

The databases must have the following minimum initialization parameters defined:

Table 10-3 Minimum Initialization Parameters for Oracle Databases

Parameter Value























It is recommended that you set these parameters in the database configuration assistant when creating the database. If you have not done this, you can adjust them after creation by using the alter system database command. For example:

sqlplus / as sysdba
alter system set aq_tm_processes=1 scope=spfile;

After making changes in the spfile, restart the database. For example

srvctl stop database -d iaddb
srvctl start database -d iaddb


For guidelines on setting up optimum parameters for the Database, see Oracle Fusion Middleware Performance and Tuning Guide.

10.3 Installing the Database for an Enterprise Deployment

Install and configure the database repository as follows.

Oracle Clusterware

Automatic Storage Management

  • For 11g Release 1 (11.1), see Oracle Clusterware Installation Guide.

  • When you run the installer, select the Configure Automatic Storage Management option in the Select Configuration screen to create a separate Automatic Storage Management home.

Oracle Real Application Clusters

Oracle Real Application Clusters Database

Create a Real Applications Clusters Database with the following characteristics:

  • Database must be in archive log mode to facilitate backup and recovery.

  • Optionally, enable the Flashback database.

  • Create UNDO tablespace of sufficient size to handle any rollback requirements during the Oracle Identity Manager reconciliation process.

  • Database is created with ALT32UTF8 character set.

10.4 Creating Database Services

When multiple Oracle Fusion Middleware products are sharing the same database, each product should be configured to connect to a separate, dedicated database service.


The instructions in this section are for the Oracle Database 12c (12.1) release. If you are using another supported database, refer to the appropriate documentation library for more up-to-date and release-specific information.

For more information about connecting to Oracle databases using services, see "Overview of Using Dynamic Database Services to Connect to Oracle Databases" in the Oracle Real Application Clusters Administration and Deployment Guide.

In addition, the database service should be different from the default database service. For complete instructions on creating and managing database services for an Oracle Database 12c database, see "Overview of Automatic Workload Management with Dynamic Database Services" in the Oracle Real Application Clusters Administration and Deployment Guide.

Run-time connection load balancing requires configuring Oracle RAC Load Balancing Advisory with service-level goals for each service for which load balancing is enabled.

This section includes the following topics:

10.4.1 Creating Database Services for 12c Databases

Use srvctl to create the database services for the components in your topology. The lists of services to be created are listed in Table 10-1, "Mapping between Databases and Schemas".

  1. Log in to SQL*Plus and create the service:

    sqlplus "sys/password as sysdba"

    (SERVICE_NAME => 'iadedg.example.com',
    NETWORK_NAME => 'iadedg.example.com'


    For the Service Name of the Oracle RAC database, use lowercase letters, followed by the domain name. For example:


    Enter the EXECUTE DBMS_SERVICE command shown on a single line.

    For more information about the DBMS_SERVICE package, see Oracle Database PL/SQL Packages and Types Reference.

  2. Add the service to the database and assign it to the instances using the following command:

    srvctl add service -d iaddb -s iadedg.example.com -r iaddb1,iaddb2 -q FALSE -m NONE -e SELECT -w 0 -z 0

    The meanings of the command-line arguments are as follows:

    Option Argument
    -d Unique name for the database
    -s Service name
    -r Comma separated list of preferred instances
    -q AQ HA notifications (TRUE or FALSE)
    -e Failover type (NONE, SESSION, or SELECT)
    -m Failover method (NONE or BASIC)
    -w Failover delay (integer)
    -z Failover retries (integer)

  3. Start the Service using srvctl start service

    srvctl start service -d iaddb -s iadedg.example.com
  4. Validate the service started by using srvctl status service, as follows:

    srvctl status service -d iaddb -s iadedg.example.com
    Service iadedg.example.com is running on instance(s) iaddb1,iaddb2
  5. Validate that the service was created correctly by using srvctl config service:

    srvctl config service -d iaddb -s iadedg.example.com
    Service name: iadedg.example.com
    Service is enabled
    Server pool: IADDB_iadedg.example.com
    Cardinality: 2
    Disconnect: false
    Service role: PRIMARY
    Management policy: AUTOMATIC
    DTP transaction: false
    AQ HA notifications: false
    Failover type: SELECT
    Failover method: NONE
    TAF failover retries: 0
    TAF failover delay: 0
    Connection Load Balancing Goal: LONG
    Runtime Load Balancing Goal: NONE
    TAF policy specification: NONE
    Preferred instances: iaddb1,iaddb2
    Available instances:


For more information about the SRVCTL command, see the Oracle Real Application Clusters Administration and Deployment Guide.

10.4.2 Creating a Database Service for Oracle Internet Directory

OID does not have the same retry logic as Weblogic Grid Link Datasources. However creating a database service specifically for OID which is TAF (Transparent Application Failover) enabled, will simulate this logic and result in faster resumption after the failure of a database RAC instance.

To create a TAF enabled database service, issue the following commands:

srvctl add service -d igddb -s oidedg.example.com -r igddb1,igddb2 -q
TRUE -m BASIC -e SELECT -w 5 -z 5
srvctl start service -d igddb -s oidedg.example.com

srvctl status service -d igddb -s oidedg.example.com


In the above commands, iamdb, oidedg.example.com, iamdb1, iamdb2, and idmdb are sample values. You must substitute them with the appropriate values.

10.5 Using SecureFiles for Large Objects (LOBs) in an Oracle Database

Beginning with Oracle Database 11g Release 1, Oracle introduced SecureFiles, a new LOB storage architecture. It is recommended that you use SecureFiles for the Oracle Fusion Middleware schemas, in particular, for the Oracle SOA Suite schemas. For more information, see "SecureFiles LOB Storage" in the Oracle Database SecureFiles and Large Objects Developer's Guide.

In Oracle 12c Database, the default setting for using SecureFiles is PREFERRED. This means that, the database attempts to create a SecureFiles LOB unless a BasicFiles LOB is explicitly specified for the LOB or the parent LOB (if the LOB is in a partition or sub-partition). The Oracle Fusion Middleware schemas do not explicitly specify BasicFiles, which means that, Oracle Fusion Middleware LOBs will default to SecureFiles when installed in an Oracle 12c database.

For Oracle 11g databases, the db_securefile system parameter controls the SecureFiles usage policy. This parameter can be modified dynamically. The following options can be used for using SecureFiles:

  • PERMITTED: This options allows SecureFiles to be created. This is the default setting for db_securefile. The default storage method uses BasicFiles.

  • FORCE: This option creates all new LOBs as SecureFiles.

  • ALWAYS: This option tries to create LOBs as SecureFiles, but falls back to BasicFiles if not possible (that is, if ASSM is disabled).

  • IGNORE: This option ignores attempts to create SecureFiles.

  • NEVER: This option disallows new SecureFiles creations.

For Oracle 11g Databases, it is recommended that you set the db_securefile parameter to FORCE before creating the Oracle Fusion Middleware schemas using the Repository Creation Utility (RCU).


The SecureFiles segments require tablespaces managed with automatic segment space management (ASSM). This means that, LOB creation on SecureFiles will fail if ASSM is not enabled. However, the Oracle Fusion Middleware tablespaces are created by default with ASSM enabled. As a result, with the default configuration, nothing needs to be changed to enable SecureFiles for the Oracle Fusion Middleware schemas.

10.6 Database Tuning

The database parameters defined in Section, "Minimum Initialization Parameters" are only a guide. You might need to perform additional tuning after the system is in use. For more information, see Database Performance Tuning Guide.

Refresh the database statistics after you initially load the database, and on an ongoing basis. To do that, issue a SQL*Plus command for each schema. The following example is for the schema EDGIGD_OIM:


10.7 Loading the Identity and Access Management Schemas in the Oracle RAC Database Using RCU

This section describes the list of schemas required for deploying Identity and Access Management and the procedure for creating it manually. This section includes the following topics:

10.7.1 Schemas Required by Identity and Access Management

Before you can configure the Oracle Identity and Access Management software, you must install the database schemas listed in Table 10-4.

If you are using the IDMLCM provisioning tool to automatically configure the software, then you can create these schemas as part of the automated deployment.

If you wish to create the schemas manually, then follow the instructions described in Section 10.7.2, "Creating the Database Schemas Manually".

Table 10-4 Database Schemas Required for Oracle Identity and Access Management

Database RCU Prefix Product RCU Option Comments



Oracle Platform Security Services for IAMAccessDomain

AS Common Schemas–Oracle Platform Security Service

Audit and Metadata Services are also selected.



Oracle Access Management Access Manager

Identity Management–Oracle Access Manager

Audit Services will also be selected.



Oracle Adaptive Access Manager

Oracle Identity Management–Oracle Adaptive Access Manager

If required.



Oracle Platform Security Services for IAMGovernanceDomain

AS Common Schemas–Oracle Platform Security Service

Audit and Metadata Services are also selected.



Oracle Identity Manager

Identity Management–Oracle Identity Manager

Metadata Services, SOA infrastructure, and User Messaging will also be selected.



Oracle Privileged Account Manager

Oracle Identity Management - Oracle Privileged Account Manager




Oracle Business Intelligence

Oracle Identity Management - Oracle Business Intelligence Manager




Oracle Internet Directory

Oracle Identity Management - Oracle Internet Directory

If you are using internet directory.


Although you are specifying a prefix for OID, OID will not actually use a prefix. This is a limitation of the tool.


While it is recommended to separate schemas into different databases to aid with future Multi Data Center deployments, it is not mandatory to do so, and if you have no plans to use Multi Data Center, it may be better to place all schemas in a single database.

When creating schemas manually using Repository Creation Utility (RCU), you must select the following products in Select Components screen of RCU:

  • For Oracle Identity Manager, select Identity Management - Oracle Identity Manager.

  • For Oracle Access Manager, select the following:

    • Identity Management - Oracle Access Manager

    • Identity Management - Oracle Mobile Security Manager

    • Identity Management - Oracle Adaptive Access Manager - if Oracle Adaptive Access Manager (OAAM) is part of your deployment.


When you select Oracle Identity Management or Oracle Access Management under Identity Management, all the required schema components for the selected product are selected automatically.

10.7.2 Creating the Database Schemas Manually

This section describes how to create schemas manually using the Repository Creation Utility.

You must to run the Repository Creation Utility (RCU) twice, once for each domain specifying a different Prefix each time. To create the schemas, complete the following steps:

  1. Start the Repository Creation Utility (RCU) by issuing this command:

  2. On the Welcome screen, click Next.

  3. On the Create Repository screen, select the Create operation to load component schemas into a database. Then click Next.

  4. On the Database Connection Details screen, provide the information required to connect to an existing database. For example:

    Database Type: Oracle Database

    • Host Name: Enter the VIP address of one of the RAC database nodes or the database SCAN address, for example: IAMDBSCAN.mycompany.com

    • Port: The port number for the database listener (DB_LSNR_PORT). For example: 1521

    • Service Name: The service name of the database. For example OAMEDG.mycompany.com.

      Use the service names for the components you will select from the table in Step 6.

    • Username: sys

    • Password: The sys user password

    • Role: SYSDBA

    Click Next.

  5. On the Check Prerequisites screen, click OK after the prerequisites have been validated.

  6. On the Select Components screen, provide the following values:

    Create a New Prefix: Enter a prefix to be added to the database schemas. Note that all schemas are required to have a prefix. See Table 10-1, "Mapping between Databases and Schemas" or Table 10-4, "Database Schemas Required for Oracle Identity and Access Management" for RCU prefixes.

    Components: Select the appropriate components from the Table 10-4 for the topology you are using.

    Click Next.


    If your topology requires more than one database, the following important considerations apply:
    • Be sure to install the correct schemas in the correct database.

    • You might have to run the RCU more than once to create all the schemas for a given topology.

    • Table 10-1 in this chapter provides the recommended mapping between the schemas and their corresponding databases. Refer to this table to ensure that the correct details are entered in this screen.

  7. On the Check Prerequisites screen, click OK after the prerequisites have been validated.

  8. On the Schema Passwords screen, enter the passwords for the schemas. You can choose to use either the same password for all the schemas or different passwords for each of the schemas. The deployment wizard requires that all passwords for a given prefix be the same.

    Click Next.

  9. On the Map Tablespaces screen, accept the defaults and click Next.

  10. On the confirmation screen, click OK to allow the creation of the tablespaces.

  11. On the Creating tablespaces screen, click OK to acknowledge creation of the tablespaces.

  12. On the Summary screen, the summary and verify that the details provided are accurate. Click Create to start the schema creation process.

  13. On the Completion summary screen, verify that the schemas were created.

  14. Repeat these steps for the remaining service names.

    Click Close to exit.

10.8 Backing up the Database

After you have prepared your database, back it up as described in Section, "Backing Up the Database."