8 Procuring Software for an Enterprise Deployment
Procure the required software such as the software distributions, the container images, the WebLogic Kubernetes Operator, and the appropriate connector bundle.
This chapter includes the following topics:
- Identifying and Obtaining Software Distributions for an Enterprise Deployment
  Before you begin to install and configure an enterprise topology, you must download the container images from Oracle Support.
- About Container Image Names
  Container images have names in a specific format depending on whether you have pre-loaded them or pulled them from a container registry.
- Obtaining Software from the Oracle Container Registry
  Before you download container images from the Oracle Container Registry, you must first log in to the Oracle Container Registry using your support credentials and accept the license agreements for each container you want to deploy.
- Downloading Images from a Container Registry
  If you use a container registry, you can pull images from the registry either on-demand or in advance. Pulling images in advance results in a faster deployment but means that you will have the images available on all worker nodes regardless of whether you are running a container on that worker node or not.
- Staging Container Images
  If you upload images to a container registry or use manually staged images, you have to stage those images in the local container repository.
- Logging in to GitHub
  The examples below require that you pull images and scripts from github.com, a public repository. To successfully pull images from GitHub, you should log in to the repository.
- Staging the WebLogic Operator for Kubernetes
  Use the WebLogic Operator for Kubernetes to deploy Oracle Access Manager or Oracle Identity Governance. There are two parts to the WebLogic Operator: the WebLogic Operator Container Image and the WebLogic Operator deployment scripts.
- Staging the Code Repository
  Oracle provides a sample code repository to deploy Oracle Identity and Access Management in Kubernetes. The procedures explained in this guide use the sample code repository extensively. Download the sample code repository to a temporary work directory on your configuration host.
- Downloading the Oracle Connector Bundle for Oracle Identity Governance
  If you are planning to integrate Oracle Identity Governance with outside systems, you have to download the appropriate connector bundle. In an enterprise deployment, the LDAP connector is used to integrate with Oracle Unified Directory (OUD) and Oracle Internet Directory (OID).
Identifying and Obtaining Software Distributions for an Enterprise Deployment
Before you begin to install and configure an enterprise topology, you must download the container images from Oracle Support.
For more information about downloading the container images, see Container Images for Oracle Identity and Access Management, and Oracle IDM Microservices (Doc ID 2723908.1). Oracle is migrating container delivery to the Oracle Container Registry (https://container-registry.oracle.com). Later images will be delivered by using this mechanism.
After you have downloaded the container images, you can stage them either locally on each of your Kubernetes worker nodes or host them in a container registry. If you want to use a container registry, see Using an OCI Container Registry.
Oracle strongly recommends that you use a container registry to store your images. However, you can manually load the images on to each worker node. See Staging Container Images.
Note:
If you are using Oracle Advanced Authentication, you must use a container registry.
If you use a container registry, you have the option of either pulling the images on demand to the worker node which requires them (see individual product chapters) or pulling the image ahead of time to every Kubernetes worker node in your deployment. If you choose to pull the images ahead of time, see Downloading Images from a Container Registry.
For obtaining the pre-built container images, see the Support document Oracle Identity and Access Management 12.2.1.4 Products with Kubernetes.
Oracle HTTP Server will be installed outside of the Kubernetes cluster. Therefore, a traditional software distribution is required.
Oracle Software Distributions Used in this Guide
Table 8-1 lists the distributions used in this guide.
For general information about how to obtain Oracle HTTP Server software, see Obtaining Product Distributions in Planning an Installation of Oracle Fusion Middleware.
For more specific information about locating and downloading specific Oracle Fusion Middleware products, see the Oracle Fusion Middleware Download, Installation, and Configuration Readme Files on OTN.
Note:
The information in this guide is meant to complement the information contained in the Oracle Fusion Middleware certification matrixes. If there is a conflict of information between this guide and the certification matrixes, then the information in the certification matrixes must be considered the correct version, as they are frequently updated.
Table 8-1 Oracle Fusion Middleware Distributions to Download for Installing and Configuring the Enterprise Deployment Topology
Distribution | Image Name | Tag/Release | Description |
---|---|---|---|
Oracle HTTP Server 12c | | NA | Download this distribution to install the Oracle HTTP Server software on the web tier. |
Oracle WebLogic Operator | | 4.1.8 | Used to configure the WebLogic Operator, which is used to configure the domain, and if necessary, run RCU. |
Oracle Unified Directory 12c | | 12.2.1.4-jdk8-ol8-<date> | Download this version or later and install on each Kubernetes worker node or load into a container registry. |
Oracle Unified Directory Services Manager | | 12.2.1.4-jdk8-ol8-<date> | Download this version or later and install on each Kubernetes worker node or load into a container registry. |
Oracle Access Manager 12c | | 12.2.1.4-jdk8-ol8-<date> | Download this version or later and install on each Kubernetes worker node or load into a container registry. |
Oracle Identity Governance 12c | | 12.2.1.4-jdk8-ol8-<date> | Download this version or later and install on each Kubernetes worker node or load into a container registry. |
Oracle Identity Role Intelligence | | 12.2.1.4.<date> | Download this version or later and install on each Kubernetes worker node or load into a container registry. |
Oracle Advanced Authentication | | 12.2.1.4.1_<date> | Download this version or later and install on each Kubernetes worker node or load it into a container registry. |
Note:
- The tags in this table show the base release. You should use the latest image, which contains the most recent Bundle Patch. A tag reflects the version you are using. For example: 12.2.1.4.0-8-ol7-210721.0755.
- Oracle Advanced Authentication is also dependent on the following images being available in your container registry:
  docker.io/library/alpine:latest
  container-registry.oracle.com/database/instantclient:12.2.0.1
  container-registry.oracle.com/os/oraclelinux:8-slim
- The commands to download and tag these images are as follows:
  podman pull container-registry.oracle.com/database/instantclient:12.2.0.1
  podman tag container-registry.oracle.com/database/instantclient:12.2.0.1 <container_image_registry>/shared/oracle/database-instantclient:12.2.0.1
  podman pull container-registry.oracle.com/os/oraclelinux:8-slim
  podman tag container-registry.oracle.com/os/oraclelinux:8-slim <container_image_registry>/shared/oracle/linux:8-slim
  If you are using Docker, then replace podman with docker in the above commands.
About Container Image Names
Container images have names in a specific format depending on whether you have pre-loaded them or pulled them from a container registry.
In the subsequent chapters, some procedures/instructions require you to provide the names of the container images. The image name depends on whether you are using a container registry or staging the images locally. The following description explains how you can determine the container image name to use for your deployments.
<REPOSITORY_NAME>/<IMAGE_NAME>:<IMAGE_VERSION>
If you have pre-loaded your images using the steps described in Staging Container Images, the image name will have this format: oracle/oam:12.2.1.4.0-8-ol7-210721.0755.
In Oracle Cloud Native Environment, the format is localhost/oracle/oam:12.2.1.4.0-8-ol7-210721.0755.
If you are pulling your image from a container registry, the container name will be preceded by the repository name. Assuming that your registry is iad.ocir.io/mytenancy, your image name will be iad.ocir.io/mytenancy/oracle/oam:12.2.1.4.0-8-ol7-210721.0755.
docker images
sudo podman images
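The three name forms above can be checked against what a worker node actually holds. The following added example (not part of Oracle's guide) builds the expected name for each staging method and reports required images that are absent from an image listing; the function names, the mode keywords and the sample inventory are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report required images that are not staged on a worker node.
# Function names, mode keywords and SAMPLE_INVENTORY are constructed.

# Print the image name a deployment must reference.
# $1 = staging mode: local | ocne | registry
# $2 = image name and version, e.g. oracle/oam:12.2.1.4.0-8-ol7-210721.0755
# $3 = registry prefix (registry mode only), e.g. iad.ocir.io/mytenancy
image_name_for() {
  case "$1" in
    local)    printf '%s\n' "$2" ;;
    ocne)     printf 'localhost/%s\n' "$2" ;;
    registry) [ -n "$3" ] || { echo "registry prefix required" >&2; return 1; }
              printf '%s/%s\n' "${3%/}" "$2" ;;
    *)        echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Read an inventory ("repository:tag", one per line) on stdin and print every
# required name that is absent. $1 = mode, $2 = registry prefix (may be ""),
# remaining arguments = required image names. Returns 1 if anything is missing.
missing_images() {
  local mode=$1 prefix=$2 inventory want name rc=0
  shift 2
  inventory=$(cat)
  for name in "$@"; do
    want=$(image_name_for "$mode" "$name" "$prefix") || return 2
    # -x: whole line, -F: literal text, so dots in a version are not wildcards.
    printf '%s\n' "$inventory" | grep -qxF -- "$want" || { printf '%s\n' "$want"; rc=1; }
  done
  return $rc
}

# Constructed sample of: sudo podman images --format '{{.Repository}}:{{.Tag}}'
SAMPLE_INVENTORY='localhost/oracle/oam:12.2.1.4.0-8-ol7-210721.0755
localhost/weblogic-kubernetes-operator:3.3.0
docker.io/library/alpine:latest'

# On a worker node (commented out so the block runs offline):
#   sudo podman images --format '{{.Repository}}:{{.Tag}}' \
#     | missing_images ocne "" oracle/oam:<IMAGE_VERSION> weblogic-kubernetes-operator:<VERSION>
```

Run the check on every worker node, because Kubernetes may schedule a container on any of them.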
Obtaining Software from the Oracle Container Registry
Before you download container images from the Oracle Container Registry, you must first log in to the Oracle Container Registry using your support credentials and accept the license agreements for each container you want to deploy.
After you accept the license agreement, you can pull the images directly from the Oracle Container Registry. Ensure that you pull the images with the latest bundled patches applied.
- Pull container images from the Oracle Container Registry on demand. If you are using this method, follow the instructions in each of the sections for using a container registry.
- Manually pull the container images from the Oracle Container Registry and manually stage them on each worker node. See Downloading Images from a Container Registry.
- Manually pull the container images from the Oracle Container Registry, and then upload them to your own container registry. See Downloading Images from a Container Registry and Using an OCI Container Registry.
Downloading Images from a Container Registry
If you use a container registry, you can pull images from the registry either on-demand or in advance. Pulling images in advance results in a faster deployment but means that you will have the images available on all worker nodes regardless of whether you are running a container on that worker node or not.
Note:
The latest images in the Oracle Container Registry are available only after you have logged in to the registry, and they are available with a suffix of _cpu. For example, the latest oam images are available in oam_cpu.
To download the images from a container registry, you should execute the commands on each worker node.
Pulling the Images to Docker
To download the images to Docker:
Pulling the Images to CRI-O
You have two options to download the images to CRI-O:
Option 1: Using podman
Note:
You should run podman as the root user.
Option 2: Using crictl
Use the crictl command:
crictl pull --creds username:password repository/image:version
Where username and password are the name of the user and the associated password that you use to access the registry.
For example:
crictl pull --creds myuser:password container-registry.oracle.com/middleware/oam_cpu:12.2.1.4-jdk8-ol8-240415
Oracle Advanced Authentication
If you have downloaded the OAA images from Oracle Support rather than via the container registry, you will have a downloaded zip file.
To load the container images from the zip file, first unzip the file using the following command:
unzip oaa-install-<REL>.zip
You will get an image archive file called /oaa-install/oaa-<REL>.tar.
This file can be staged using the commands in Staging Container Images.
Staging Container Images
docker or podman commands. The host does not need to be a part of the Kubernetes cluster.
If you are using locally staged images, each worker node should have access to all the container images in your deployment. Kubernetes decides on which worker node it wants to start a container. Therefore, you should have the image available on all hosts. If you are using locally staged images, you can use these instructions to load the images into each worker node manually. However, if you are using a container registry but want to load the image to the worker nodes ahead of time, you should manually pull the image from the container registry to each worker node.
Staging Images in Docker
If you are using Docker as your container repository, you must stage the Oracle Identity and Access Manager container images in the Docker repository on each of the Kubernetes worker nodes.
If you want to store your container images in a container registry, see Using an OCI Container Registry.
To stage the container images:
Staging Images in CRI-O
If you are using CRI-O as your container repository, the standard repository for Oracle Cloud Native Environment deployments, you must stage the Oracle Identity and Access Manager container images in the CRI-O repository on each Kubernetes worker node.
Note:
- The commands in this section rely on the podman command. By default, this command is available on the Oracle Cloud Native Environment. However, you should manually install the command into the OKE environments which use CRI-O (Release 1.20+). You should run the podman commands as the root user.
- If you are using a multi-image archive file such as the file used by Oracle Advanced Authentication, you should use the latest release of podman. The release provided with OCNE 1.3 does not support multiple-image archives.
To stage the container images:
Logging in to GitHub
The examples below require that you pull images and scripts from github.com, a public repository. To successfully pull images from GitHub, you should log in to the repository.
You can log in to GitHub in one of two ways:
- By performing a manual login on each host, which requires access to the repository.
- By creating a Kubernetes secret, which grants access to the Kubernetes cluster.
Creating a Secret to Access GitHub
If you need to deploy containers from GitHub, you should create a token that authenticates you with the container registry.
Creating a GitHub Token
This section assumes that you have a GitHub account. If you do not have a GitHub account, you must create one before continuing.
To create a GitHub token:
Make a note of the generated token. You will not be able to find it again.
Creating a Kubernetes Secret
After creating a GitHub token, you can now create a Kubernetes secret that will allow you to pull images from GitHub. The following command will create a Kubernetes secret called 'github' in the default namespace:
kubectl create secret docker-registry github --docker-server=ghcr.io --docker-username=mygituser --docker-password="mytoken"
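The kubectl create secret command above and the crictl pull --creds command earlier both place the credential on the command line, where it is recorded in shell history and visible in the process list. The following added example (not part of Oracle's guide) builds the same kubernetes.io/dockerconfigjson secret from a token kept in a file; the function names and the token file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: create the image-pull secret without the token appearing in argv.
# Function names and the token file location are assumptions, not from the guide.

# Print the .dockerconfigjson document for one registry.
# $1 = registry host, $2 = user name, $3 = file holding the token (mode 600)
dockerconfig_json() {
  local server=$1 user=$2 token_file=$3 token auth
  [ -r "$token_file" ] || { echo "cannot read $token_file" >&2; return 1; }
  token=$(tr -d '\r\n' < "$token_file")
  [ -n "$token" ] || { echo "empty token" >&2; return 1; }
  # Refuse values that would need JSON escaping rather than emit a broken document.
  case "$user$token" in
    *\"*|*\\*) echo "user or token contains a quote or backslash" >&2; return 1 ;;
  esac
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$token" "$auth"
}

# Print a Secret manifest of the type that
# "kubectl create secret docker-registry" produces.
# $1 = secret name, $2 = namespace, then the arguments of dockerconfig_json
pull_secret_manifest() {
  local name=$1 namespace=$2 cfg
  shift 2
  cfg=$(dockerconfig_json "$@") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | base64 | tr -d '\n')
EOF
}

# On the configuration host (commented out so the block runs offline):
#   pull_secret_manifest github default ghcr.io mygituser ~/.ghcr_token | kubectl apply -f -
# Manual login on a worker node, reading the token from stdin:
#   sudo podman login --username mygituser --password-stdin ghcr.io < ~/.ghcr_token
```

The manifest contains the token in base64 form only, so pipe it straight to kubectl rather than saving it to disk.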
Logging in to GitHub Manually
To log in to GitHub manually on each worker host, use the following commands.
docker login ghcr.io
When prompted, specify your user name and the token you created earlier. See Creating a GitHub Token.
sudo podman login ghcr.io
When prompted, specify your user name and the token you created earlier.
Staging the WebLogic Operator for Kubernetes
Use the WebLogic Operator for Kubernetes to deploy Oracle Access Manager or Oracle Identity Governance. There are two parts to the WebLogic Operator: the WebLogic Operator Container Image and the WebLogic Operator deployment scripts.
The WebLogic Operator for Kubernetes is available from oracle.github.io. Sign in to GitHub to download the container image.
- Staging the Oracle WebLogic Kubernetes Image in Docker
- Staging the Oracle WebLogic Kubernetes Image in CRI-O
Staging the Oracle WebLogic Kubernetes Image in Docker
docker pull ghcr.io/oracle/weblogic-kubernetes-operator:<VERSION>
docker tag ghcr.io/oracle/weblogic-kubernetes-operator:<VERSION> weblogic-kubernetes-operator:<VERSION>
For example:
docker pull ghcr.io/oracle/weblogic-kubernetes-operator:3.3.0
docker tag ghcr.io/oracle/weblogic-kubernetes-operator:3.3.0 weblogic-kubernetes-operator:3.3.0
You should stage the Operator on all the worker nodes or place it into a registry that is accessible by the cluster.
Staging the Oracle WebLogic Kubernetes Image in CRI-O
sudo podman pull ghcr.io/oracle/weblogic-kubernetes-operator:<VERSION>
sudo podman tag ghcr.io/oracle/weblogic-kubernetes-operator:<VERSION> weblogic-kubernetes-operator:<VERSION>
For example, to stage the image on CRI-O, use the following commands:
sudo podman pull ghcr.io/oracle/weblogic-kubernetes-operator:3.3.0
sudo podman tag ghcr.io/oracle/weblogic-kubernetes-operator:3.3.0 weblogic-kubernetes-operator:3.3.0
Note:
You should use the podman commands as the root user.
You should stage the Operator on all the worker nodes or place it into a registry that is accessible by the cluster.
Staging the Code Repository
Oracle provides a sample code repository to deploy Oracle Identity and Access Management in Kubernetes. The procedures explained in this guide use the sample code repository extensively. Download the sample code repository to a temporary work directory on your configuration host.
A configuration host is any host in your cluster which can run helm and kubectl commands.
For example, in an OCI installation, this host could be a bastion host. For an Oracle Cloud Native Environment installation, it could be the operator node or any of the control plane hosts. Alternatively, you may have defined a specific host for the purpose.
The sample code is available from GitHub. You may need to create an account and log in if you do not have access.
To download the scripts, log in to GitHub and perform the following steps:
These commands create a directory called fmw-kubernetes, where all of the sample files are stored. You can use the files directly from this location or copy the files you need to another temporary working directory. To keep everything separate, the procedures explained in this guide recommend copying the files to product working directories. For example: /workdir/OAM. However, this is optional.
Note:
This code repository also includes sample automation scripts for deploying Oracle Identity and Access Management as per the instructions provided in this guide.
Downloading the Oracle Connector Bundle for Oracle Identity Governance
If you are planning to integrate Oracle Identity Governance with outside systems, you have to download the appropriate connector bundle. In an enterprise deployment, the LDAP connector is used to integrate with Oracle Unified Directory (OUD) and Oracle Internet Directory (OID).
Download the latest version of the Oracle Connector bundle from Oracle Identity Manager Connector Downloads.