This chapter describes how to deploy Identity and Access Management.
It contains the following sections:
This section introduces the deployment process. This section includes the following topics:
There are eight stages to Deployment. These stages are:
preverify - This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured. This also checks for database connections for schemas and port availability,
install - This installs all of the software required by the installation. This also includes binary patching for all of the patches included in the repository.
preconfigure - This does the following:
Creates Oracle Unified Directory instances and seeds them with Users/Groups.
Creates the WebLogic domains and extends domains for various products
Creates OHS instance
Migrates the Policy Store to the database
configure - This does the following:
Starts managed servers as necessary
Associates Access Manager with Oracle Unified Directory
Configure Oracle Identity Manager
configure-secondary - This does the following:
Integrates Weblogic Domain with Webtier
Register webtier with domain
Integrate Access Manager and Oracle Identity Manager
postconfigure - This does the following:
Run Oracle Identity Manager Reconciliation
Configure UMS Mail Server
Generate Access Manager Keystore
Configure WebGates
startup - This starts up all components in the topology and applies any needed artifact patches.
validate - This performs a number of checks on the built topology to ensure that everything is working as it should be.
Each stage must be completed on all hosts in a specific order, as described in the next section. Each stage must be completed on each host in the topology before the next stage can begin. Failure of a stage will necessitate a cleanup and restart.
Deployment processes the hosts in the following order:
Identity Governance Host 1
Identity Governance Host 2
Access Management Host 1
Access Management Host 2
Web Host 1
Web Host 2
This equates to the following order for hosts in this guide.
Consolidated Topology Processing Order
IAMHOST1
IAMHOST2
Distributed Topology Processing Order
OIMHOST1
OIMHOST2
OAMHOST1
OAMHOST2
WEBHOST1
WEBHOST2
Note:
For Exalogic Physical use the Consolidated Topology Steps.For Exalogic Virtual use the Distributed Topology Steps.
Before you start the deployment on Exalogic, you must complete the following prerequisites:
Install and configure Oracle Traffic Director (OTD).
For information about installing Oracle Traffic Director, see Section 11.2.2, "Installing Oracle Traffic Director".
For information about configuring Oracle Traffic Director, see Section 14.2, "Configuring Oracle Traffic Director".
Use a dummy port number for OTD. For more information, see the Note in Section 14.2.3, "Creating a Configuration".
Ensure that you create a dummy entry in the hosts file.
In Exalogic, internal requests are load balanced by OTD. When performing a deployment using Life Cycle Management Tool, the load balancer entry points, iadinternal.example.com
:7777
and igdinternal.example.com
:7777
are managed by OTD. When you set OTD to use a dummy port number, those URLs become inaccessible. This does not cause an issue for Oracle Identity Manager, but Oracle MSAS configuration will fail, as it requires access to the WebLogic wls_msm
Managed Servers during configuration.
To workaround this issue, you must change the entry in the /etc/hosts
file for iadinternal
to point to the OTD host. This makes it look like the iadinternal.example.com
exists and is working. For example:
On WEBHOST1, the /etc/hosts
file looks like:
10.10.10.1 webhost1.example.com 192.168.50.1 iadinternal.example.com
Change this to:
10.10.10.1 webhost1.example.com 10.10.10.1 iadinternal.example.com
This makes the MSAS configuration access the OHS server on OTD host1 which will then be able to pass on requests to the wls_msm
Managed Servers.
You must make these changes on both the WEBHOSTS. Ensure that you assign the value to the local WEBHOST. After the deployment is complete, remove the dummy entries.
In previous releases of the configuration Wizard, each phase of the process needed to be initiated manually on each host in the topology. This is still a supported method. However, in this release, you can provision the entire environment using two simple commands. For completeness, both options are shown below:
Choose a host to initiate provisioning from. This should be one of the application tier hosts, this will be known henceforth as the master host. The master host is the node where you are running the deployment.
This process sets up SSH equivalence on each node. This is required for the duration of the deployment. It can be disabled later if desired.
From the master node, execute the command prov_setup_ssh.sh
, which is located in the following directory:
IDMLCM_HOME/provisioning/bin
Run the following command:
./prov_setup_ssh.sh -responseFile <Absolute_Path_to_the_deployment_file>
For example:
cd IDMLCM_HOME/provisioning/bin
./prov_setup_ssh.sh -responseFile /u01/lcm/tools/idmlcm/provisioning/bin/provisioning.rsp
When asked whether or not you wish to enable SSH, enter Yes and press Return.
The script now connects to each of the hosts in your topology. When it does, it may prompt you to verify the authenticity of the host by showing you the hosts RSA fingerprint and asking if you wish to continue connecting. Enter Yes and press Return.
It prompts you for the password of the account you are using on the remote host. It repeats this process for each host in the topology. Keep entering the passwords as prompted until the script finishes. At that time, it can remotely execute commands on those hosts without the need for a password. This is ssh equivalence.
After the deployment is complete, ssh equivalence is removed.
Now that you have set up ssh on the hosts, start the deployment. You can start the deployment by running prov_run.sh
command from the same directory. For example:
set JAVA_HOME to JAVA_HOME cd IDMLCM_HOME/provisioning/bin ./prov_run.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp
To deploy Identity and Access Management, run the runIAMDeployment.sh
a number of times on each host in the topology from the following location:
IDMLCM_HOME/provisioning/bin
BEFORE embarking on the Deployment process, read this entire section. There are extra steps detailed below which must be performed during the process.
Notes:
You must use the SAME version of the Deployment profile (IDMLCM_HOME
/provisioning/bin/provisioning.rsp
) on all targets and all hosts in the deployment.
You MUST run each command on each host in the topology, in the specified order, before running the next command.
Before running the Deployment tool, set the following environment variable.:
Set JAVA_HOME
to: REPOS_HOME
/jdk
The commands you must run are:
runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preverify runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target install runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target preconfigure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target configure-secondary runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target postconfigure runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target startup runIAMDeployment.sh -responseFile IDMLCM_HOME/provisioning/bin/provisioning.rsp -target validate
It is important that you take a backup of the file systems and databases at the following points:
Prior to starting Deployment.
At the end of the installation phase.
Upon completion of Deployment
It is not supported to restore a backup at any phase other than those three.
To help keep track of the Deployment process, print this check list from the PDF version of this guide. Run each stage on the hosts shown, and add a check mark to the corresponding row when that run is complete.
Deployment Stage | Host | Complete |
---|---|---|
Preverify | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Install | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Preconfigure | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Configure | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Configure Secondary | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Post Configure | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Startup | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 | ||
Validate | OIMHOST1 | |
OIMHOST2 | ||
OAMHOST1 | ||
OAMHOST2 | ||
WEBHOST1 | ||
WEBHOST2 |
The previous deployment instructions assume that the LCM_HOME
directory is shared across every host in the topology for the duration of the deployment process.
If your organization does not permit this sharing, you can still run the deployment by making LCM_HOME
available locally on every host. The following extra manual steps are required.
Create a local version of the LCM_HOME
directory, including the software repository.
Copy the Deployment Response File, responsefilename
_data
folder, and Summary created in Chapter 25, "Creating a Deployment Response File" to the same location on each of the hosts.
The deployment tool relies on the contents of the directories located under LCM_HOME/provisioning
to determine what stages have run successfully. Therefore, after every command, copy the contents of this directory to every node before executing any runIAMDeployment.sh
commands.
Before running preconfigure on OIMHOST1, copy LCM_HOME
/keystores
from OAMHOST1 to OIMHOST1.
If LCM_HOME
is not mounted on WEBHOST1 and WEBHOST2 (or OHSHOST1/OHSHOST2 in a topology with external Oracle HTTP Servers), before execution of the postconfigure phase on WEBHOST1, copy LCM_HOME
/keystores/webgate_artifacts
from OAMHOST1 to WEBHOST1 and WEBHOST2
LCM_HOME
/keystores/webgate_artifacts
is created after the configure-secondary phase on OAMHOST1.