10 Preparing the Oracle Cloud Infrastructure for an Enterprise Deployment

If you plan to deploy Identity and Access Management on Oracle Cloud Infrastructure (OCI), you have to configure OCI to facilitate the deployment. Create the required OCI components to perform the deployment.

Note:

The instructions provided in this guide are correct at the time of publishing. Due to the evolving nature of the OCI interface, you may find minor changes in the options. See the Oracle Cloud Infrastructure documentation to obtain the latest steps.

This chapter includes the following topics:

About the OCI Deployment

It is important to understand the OCI components that you require to deploy Oracle Identity and Access Management on OCI.

The illustrations below show all the required OCI components. They show the different network requirements and how the OCI components fit into those networks. Each subnet is protected by security lists.

Figure 10-1 An Illustration of the OCI Layout in an End to End SSL Topology

Figure 10-2 An Illustration of the OCI Layout in an SSL Terminated Topology

When deploying Oracle Identity and Access Management in OCI, you have to set up the OCI environment with the following characteristics:
  • VCN: There is one public Virtual Cloud Network, which provides external access to the environment. For security reasons, the VCN is broken down into several subnets.
  • Subnets: The VCN is divided into several subnets to ensure that network traffic is routed only to the areas that require it. For instance, traffic to the database subnet is not reachable directly from the internet; it is reachable only from the application tier, which interacts with the database subnet.
  • Security Lists: Security lists provide an additional layer of security. They allow traffic into and out of a subnet only on the ports and protocols you permit.
  • Bastion Node: The Bastion node is a compute instance inside the VCN that you can log in to. It can communicate with all the components inside the deployment and is used for setting up the environment and for ongoing management. Therefore, you must lock down access to the Bastion node so that it is accessed only by clients on your corporate network whose SSH key pair is registered with it.
  • Load balancer: Three LBaaS load balancers are created within the OCI framework. The public-facing load balancer is used to access the Oracle Identity and Access Management deployment from the internet. The private load balancers handle internal traffic and routing and are not reachable from outside the VCN. The public load balancer is the only internet-facing part of your deployment (apart from the Bastion node).
  • Compute Instances: You require a minimum of two compute instances to host your Oracle HTTP Servers. These are placed in a demilitarized zone (DMZ) below the load balancers. The load balancers send requests to the OHS servers, which pass traffic on to the applications residing in the application compute instances. You require a minimum of two compute instances for each application. For example, two compute instances for OAM, two compute instances for OIG, and two compute instances for LDAP.
  • Database: The database(s) are present in a dedicated subnet.
  • DNS: The DNS server is optional. It is used internally to provide name resolution. Alternatively, you can achieve name resolution by maintaining entries in the individual hosts files.

The following sections describe the procedure to set up the components depicted in this illustration:

Creating an SSH Key Pair

You must create an SSH key pair in order to connect to the bastion node, compute instances, and database hosts.

You can configure OCI by using the Oracle Cloud Console and a bastion node. The SSH key pair provides secure access to the bastion node, compute instances, and database hosts. You have to create the key pair on the host you use to configure OCI. This host could be a laptop or a desktop.

After you create the key pair on the device, register its public key with the OCI resources to enable access to the resources and to manage them. If you use more than one device, you have to register the public keys of all those devices.

If you do not have an SSH key pair on the device you are using, create one using the following command:

ssh-keygen -t rsa -N "" -b 2048 -f ~/.ssh/id_rsa

This command creates two files, id_rsa (the private key) and id_rsa.pub (the public key), in the .ssh directory under your home directory. These are the key files you will use to access the OCI resources. The -N "" option creates the private key without a passphrase; if your policy requires one, omit -N and use an SSH agent, as described in Connecting to a Compute Instance.

Creating an OCI Compartment

Create a container in your OCI tenancy to hold the deployment.

To create a compartment:
  1. Log in to the Oracle Cloud Infrastructure Console, select Identity and Security, and then select Compartments under Identity.
  2. Click Create Compartment.
  3. Specify a Name and Description.
  4. Click Create Compartment.

You will create all the OCI objects inside this compartment.

Creating OCI Networking

Create the network components in your OCI tenancy for the deployment.

Creating an Oracle Virtual Cloud Network

You need to create a Virtual Cloud Network (VCN). A VCN is a customizable, software-defined network that you create in an OCI region. It is analogous to a traditional data center network, offering you control over your cloud network environment. You can define your own private IP address space, create subnets, configure routing, and set up security rules.

To create an Oracle Virtual Cloud Network:
  1. Log in to the Oracle Cloud Infrastructure Console.
  2. Select Networking and then Virtual Cloud Networks.
  3. Click Create VCN.
  4. Enter the following information in the wizard:
    • Name: Select a name for the network. For example, idm.
    • Compartment: Select the name of the compartment you created earlier. See Creating an OCI Compartment.
    • IPv4 CIDR Blocks: Enter the internal CIDR block you want to use for your network. For example: 10.0.0.0/16.
    • Use DNS Hostnames in this VCN: Select this option.
  5. Click Create VCN.
  6. Review the summary information of the details specified and click Create.
  7. When complete, click View Virtual Cloud Network.

These steps will create a public and private subnet.

Creating Gateways

You need to create a gateway to allow data to flow from one network to another. A gateway serves as the entry and exit point for a network, because all data leaving the network must pass through it. As the name suggests, it acts as a gate between two networks.

There are four types of Gateways in Oracle Cloud Infrastructure (OCI):
  • Internet Gateway: Used to access the internet from a VCN in OCI. It supports connections initiated from within the VCN (egress) and connections initiated from the internet (ingress).
  • NAT Gateway: Gives resources that have no public IP address access to the internet without exposing them to inbound internet connections.
  • Service Gateway: Gives resources in your VCN and on-premises network private access to multiple Oracle services within OCI without the traffic going over the internet. Any traffic from your VCN that is destined for one of the supported public services uses the instance's private IP address for routing, travels over the Oracle Cloud Infrastructure network fabric, and never traverses the internet.
  • Dynamic Routing Gateway (DRG): Used to connect your existing on-premises network to your VCN. A DRG provides a single point of entry for remote network paths coming into the VCN. It provides a path for VCNs to communicate across regions or with on-premises networks outside the region. Each VCN can have a single DRG.

To create the required gateways:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Networking > Virtual Cloud Networks and click the name of your Virtual Cloud Network.
  3. Select Gateways from the list of resources.
  4. To create an Internet Gateway:
    1. Click Create Internet Gateway.
    2. Enter a name, for example Internet Gateway.
    3. Click Create Internet Gateway.
  5. To create a Service Gateway:
    1. Click Create Service Gateway.
    2. Enter a name, for example Service Gateway.
    3. From the drop down list, select ALL Services in Oracle Services Network.
    4. Click Create Service Gateway.

Creating Security Lists

You need to create security lists, which enable the different subnets to communicate with each other.

This section describes the minimum steps you need to perform to enable this access. You should harden your security lists further to ensure that only specific machines and networks have access to each subnet. That hardening is outside the scope of this guide.

Required Security Lists

You need to create security lists that enable the OCI components to communicate with each other across the different subnets and, where necessary, with the internet.

The following tables show the security lists that need to be created.

bastion-private-seclist

Table 10-1 Description of Ingress and Egress Rules for Security List bastion-private-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range | Comment
Ingress | CIDR | 10.0.1.0/29 | - | TCP | 22 | SSH Connections
Ingress | CIDR | 10.0.1.0/29 | - | ICMP | - | -
Egress | CIDR | - | 0.0.0.0/0 | All Protocols | - | -

Note:

10.0.1.0 is the subnet you will use for the bastion node. You can change this value if required.

bastion-public-seclist

Table 10-2 Description for Ingress and Egress Rules for Security List bastion-public-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range | ICMP Type
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 22 | -
Ingress | CIDR | 10.0.1.0/29 | - | ICMP | - | 3
Egress | CIDR | - | 0.0.0.0/0 | All Protocols | - | -

Note:

10.0.1.0 is the subnet you will use for the bastion node. You can change this value if required. Unless otherwise stated, leave the values blank.

setup-seclist

During the setup of Oracle Identity and Access Management, the bastion node requires access to some of the services that get created as part of the build process. This access is not required after the build process is complete. For manageability, a separate security list is created for this purpose. This way, after the setup is complete, you only have to remove the security list from the subnet. If further setup is required later, you can add it back as needed.

The security list should be added to the following subnets:
  • Private subnet for Node Manager
  • db-subnet

Table 10-3 Description for Ingress Rules for Security List setup-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Source Port Range | Destination Port Range - SSL Terminated | Destination Port Range - End to End SSL | Comment
Ingress | CIDR | 10.0.1.0/29 | - | TCP | - | 7001 | 9002 and 7002 | OAM Administration Server
Ingress | CIDR | 10.0.10.0/24 | - | TCP | - | 111 | 111 | -
Ingress | CIDR | 10.0.10.0/24 | - | TCP | - | 2048-2050 | 2048-2050 | -
Ingress | CIDR | 10.0.10.0/24 | - | UDP | - | 111 | 111 | -
Ingress | CIDR | 10.0.10.0/24 | - | UDP | - | 2048 | 2048 | -
Ingress | CIDR | 10.0.1.0/29 | - | TCP | - | 1389 | 1636 | LDAP Connections
Ingress | CIDR | 10.0.2.0/24 | - | TCP | - | 111 | 111 | -
Ingress | CIDR | 10.0.2.0/24 | - | TCP | - | 2048-2050 | 2048-2050 | -
Ingress | CIDR | 10.0.2.0/24 | - | UDP | - | 111 | 111 | -
Ingress | CIDR | 10.0.2.0/24 | - | UDP | - | 2048 | 2048 | -
Egress | CIDR | 10.0.2.0/24 | - | TCP | - | 111 | 111 | -
Egress | CIDR | 10.0.2.0/24 | - | TCP | - | 2048-2050 | 2048-2050 | -
Egress | CIDR | 10.0.2.0/24 | - | UDP | - | 111 | 111 | -
Egress | CIDR | 10.0.2.0/24 | - | UDP | - | 2048-2050 | 2048-2050 | -

Note:

The destination ports listed above are dependent on the values you provide to your installation. Sample values will be used for consistency within this guide.

app-seclist

Table 10-4 Description for Ingress Rules for Security List app-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range - SSL Terminated | Destination Port Range - End to End SSL | ICMP Type | ICMP Code | Comment
Ingress | CIDR | 10.0.10.0/24 | - | All protocols | - | - | - | - | -
Ingress | CIDR | 10.0.0.0/28 | - | ICMP | - | - | 3 | 4 | -
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 22 | 22 | - | - | SSH Connections
Ingress | CIDR | 10.0.2.0/28 | - | TCP | - | 9002 | - | - | OAM Admin Server Secure Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 7001 | 7002 | - | - | OAM Admin Server Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 14100 | 14101 | - | - | OAM Server Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 14150 | 14151 | - | - | OAM Policy Manager Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | - | 9102 | - | - | OIG Admin Server Secure Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 7101 | 9102, 7102 | - | - | OIG Admin Server Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 14001 | 14002 | - | - | OIG OIM Port
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 7003 | 7004 | - | - | OIG SOA Port
Ingress | CIDR | 10.0.10.0/24 | - | TCP | 5556 | 5556 | - | - | Node Manager
Ingress | CIDR | 10.0.10.0/24 | - | TCP | All | All | - | - | All communication within the subnet
Egress | CIDR | - | 10.0.10.0/24 | All protocols | - | - | - | - | -
Egress | CIDR | - | 10.0.0.0/28 | TCP | - | 6433 | - | - | -
Egress | CIDR | - | 10.0.0.0/28 | TCP | - | 12250 | - | - | -
Egress | CIDR | - | 10.0.0.0/28 | ICMP | - | - | 3 | 4 | -
Egress | CIDR | - | 10.0.11.0/24 | TCP | 1521 | 1521 | - | - | Database Connections
Egress | Service | - | All Services in Oracle Service Network | TCP | - | 443 | - | - | Loadbalancer

public-lbr-seclist

This security list determines who can access the load balancer and where the load balancer is allowed to send requests.

Table 10-5 Description for Ingress Rules for Security List public-lbr-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range - SSL Terminated | Destination Port Range - End to End SSL | Comment
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 80 | 80 | HTTP requests from anywhere
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 443 | 443 | HTTPS requests from anywhere
Egress | CIDR | - | 10.0.2.0/28 | TCP | 7777 | - | Oracle HTTP Server. Only for SSL terminated environments.
Ingress | CIDR | 10.0.10.0/24 | - | TCP | 1389 | 1636 | Application Tier LDAP calls
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 1389 | 1636 | Database Tier LDAP calls
Egress | CIDR | - | 10.0.2.0/28 | TCP | 80,443,7777 | 4443-4449 | Oracle HTTP Server calls

storage-seclist

Create a security list for the OHS mount target.

Table 10-6 Description for Ingress Rules for Security List storage-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Source Port Range | Destination Port Range
Ingress | CIDR | 10.0.10.0/24 | - | TCP | - | 111
Ingress | CIDR | 10.0.10.0/24 | - | TCP | - | 2048-2050
Ingress | CIDR | 10.0.10.0/24 | - | UDP | - | 111
Ingress | CIDR | 10.0.10.0/24 | - | UDP | - | 2048
Ingress | CIDR | 10.0.1.0/29 | - | TCP | - | 111
Ingress | CIDR | 10.0.1.0/29 | - | TCP | - | 2048-2050
Ingress | CIDR | 10.0.1.0/29 | - | UDP | - | 111
Ingress | CIDR | 10.0.1.0/29 | - | UDP | - | 2048
Ingress | CIDR | 10.0.2.0/28 | - | TCP | - | 111
Ingress | CIDR | 10.0.2.0/28 | - | TCP | - | 2048-2050
Ingress | CIDR | 10.0.2.0/28 | - | UDP | - | 111
Ingress | CIDR | 10.0.2.0/28 | - | UDP | - | 2048
Egress | CIDR | - | 10.0.10.0/24 | TCP | - | 111
Egress | CIDR | - | 10.0.10.0/24 | TCP | - | 2048-2050
Egress | CIDR | - | 10.0.10.0/24 | UDP | - | 111
Egress | CIDR | - | 10.0.1.0/29 | TCP | - | 111
Egress | CIDR | - | 10.0.1.0/29 | TCP | - | 2048-2050
Egress | CIDR | - | 10.0.1.0/29 | UDP | - | 111
Egress | CIDR | - | 10.0.2.0/28 | TCP | - | 111
Egress | CIDR | - | 10.0.2.0/28 | TCP | - | 2048-2050
Egress | CIDR | - | 10.0.2.0/28 | UDP | - | 111

db-seclist

Create a security list for the Database.

Table 10-7 Description for Ingress Rules for Security List db-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range - SSL Terminated | Destination Port Range - End to End SSL | Comment
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 22 | - | SSH Calls
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 1521 | - | -
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 6200 | - | -
Ingress | CIDR | 10.0.10.0/24 | - | TCP | 1521 | - | -
Ingress | CIDR | 10.0.10.0/24 | - | TCP | 6200 | - | -
Ingress | CIDR | 10.0.10.0/24 | - | TCP | 1389 | 1636 | -
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 1389 | 1636 | -
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 4444 | 4444 | OUD Administration Port
Ingress | CIDR | 10.0.11.0/24 | - | TCP | 8989 | 8989 | OUD Replication Port
Ingress | CIDR | 10.0.1.0/29 | - | TCP | 1521 | - | Used for setup only
Egress | CIDR | - | 0.0.0.0/0 | All Protocols | - | - | -

web-seclist

This security list is assigned to web-subnet.

Table 10-8 Description for Ingress Rules for Security List web-seclist

Rule Type | Type | Source CIDR | Destination CIDR | Protocol | Destination Port Range
Ingress | CIDR | 0.0.0.0/0 | - | TCP | 22
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 111
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 2048-2050
Ingress | CIDR | 10.0.2.0/28 | - | UDP | 111
Ingress | CIDR | 10.0.2.0/28 | - | UDP | 2048
Ingress | CIDR | 10.0.2.0/28 | - | TCP | 4445-4449
Ingress | CIDR | 10.0.4.0/24 | - | TCP | 4445-4449
Egress | CIDR | 10.0.2.0/28 | - | TCP | 111
Egress | CIDR | 10.0.2.0/28 | - | TCP | 2048-2050
Egress | CIDR | 10.0.2.0/28 | - | UDP | 111
Egress | CIDR | 10.0.2.0/28 | - | UDP | 2048

Creating the Required Security Lists

To create the security lists in Required Security Lists:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Networking > Virtual Cloud Networks and click the name of your Virtual Cloud Network.
  3. Select the Security tab.
  4. Click Create Security List.
  5. Enter a Name for the security list (for example, bastion-private-seclist) and add each ingress and egress rule listed for that security list in Required Security Lists.
  6. Click Create Security List once all the rules are created.

Creating Route Tables

You need to create route tables, which enable subnets to communicate with other subnets and with the internet. In addition, you should enable access to the bastion node from the internet.

Required Route Tables

The following table shows the route tables that need to be created.

Table 10-9 Description of Route Tables

Name | Target Type | Destination CIDR Block / Destination Service | Target
bastion-route-table | Internet Gateway | 0.0.0.0/0 | Internet Gateway
lbr-route-table | Internet Gateway | 0.0.0.0/0 | Internet Gateway
web-route-table | Service Gateway | All Services in Oracle Services Network | Service Gateway
db-route-table | Service Gateway | All Services in Oracle Services Network | Service Gateway
app-route-table | Service Gateway | All Services in Oracle Services Network | Service Gateway

Creating the Required Route Tables

To create the route tables in Required Route Tables:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Networking > Virtual Cloud Networks and click the name of your Virtual Cloud Network.
  3. Select the Routing tab.
  4. Click Create Route Table.
  5. Enter a Name for the route table, for example bastion-route-table.
  6. Click Add Another Route Rule.
  7. In the Rule drop-down menu, enter the following information as described in Required Route Tables:
    • Target Type
    • Destination CIDR Block or Destination Service
    • Target Internet Gateway
  8. Click Create.

Creating Subnets

After you create the security lists and route tables, you must create subnets and assign the route tables and security lists to them.

Required Subnets

The following table shows the subnets that need to be created.

Table 10-10 Description of Subnets

Name | Subnet Type | IPv4 CIDR Block | Route Table | Subnet Access | Security Lists
bastion-subnet | Regional | 10.0.1.0/29 | bastion-route-table | Public | bastion-public-seclist, setup-seclist
app-subnet | Regional | 10.0.10.0/24 | app-route-table | Private | bastion-private-seclist, app-seclist, storage-seclist, web-seclist, setup-seclist
web-subnet | Regional | 10.0.2.0/28 | web-route-table | Private | web-seclist, storage-seclist, setup-seclist
db-subnet | Regional | 10.0.11.0/24 | db-route-table | Private | db-seclist, setup-seclist, storage-seclist
lbr-subnet | Regional | 10.0.4.0/24 | lbr-route-table | Public | public-lbr-seclist

Note:

setup-seclist is only required during initial setup.

Creating the Required Subnets
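The security list tables in Required Security Lists give each rule as a row, and the subnet table above gives the address ranges those rows refer to. The script below is an added example, not part of the Oracle guide: it transcribes a subset of those rows into the JSON rule objects the OCI API expects for a security list (the same structure the console builds for you), and runs the two checks a reviewer would want before clicking Create: that every CIDR used in a rule lies inside a subnet from Required Subnets, and that nothing other than the public load balancer ports is reachable from 0.0.0.0/0. The rule rows, subnet names and CIDRs are this chapter's sample values; the function names and the `allowed` tuple are assumptions of this example.

```python
"""Compile security-list rows from this chapter into OCI API rule objects and
sanity-check them. Added example, not Oracle's code. Rows below are a subset
transcribed from Tables 10-2, 10-3, 10-4, 10-5, 10-7 and 10-10, using the
guide's sample CIDRs and ports; adjust them to your own addressing."""
import ipaddress
import json

# OCI protocol numbers as the API expects them ("all" is accepted verbatim).
PROTO = {"TCP": "6", "UDP": "17", "ICMP": "1", "ALL": "all"}

# Subnets from Table 10-10 (the guide's sample CIDRs).
SUBNETS = {
    "bastion-subnet": "10.0.1.0/29",
    "app-subnet": "10.0.10.0/24",
    "web-subnet": "10.0.2.0/28",
    "db-subnet": "10.0.11.0/24",
    "lbr-subnet": "10.0.4.0/24",
}

# (security list, direction, cidr, protocol, port or range) taken from the
# SSL-terminated column of the tables. Constructed subset, not every row.
RULES = [
    ("bastion-public-seclist", "ingress", "0.0.0.0/0", "TCP", "22"),
    ("setup-seclist", "ingress", "10.0.1.0/29", "TCP", "7001"),
    ("setup-seclist", "ingress", "10.0.2.0/24", "TCP", "2048-2050"),
    ("app-seclist", "ingress", "0.0.0.0/0", "TCP", "22"),
    ("app-seclist", "ingress", "10.0.2.0/28", "TCP", "14100"),
    ("app-seclist", "egress", "10.0.11.0/24", "TCP", "1521"),
    ("app-seclist", "egress", "10.0.0.0/28", "TCP", "6433"),
    ("public-lbr-seclist", "ingress", "0.0.0.0/0", "TCP", "443"),
    ("db-seclist", "ingress", "0.0.0.0/0", "TCP", "22"),
    ("db-seclist", "egress", "0.0.0.0/0", "ALL", None),
]


def port_range(spec):
    """'2048-2050' -> {'min': 2048, 'max': 2050}; '22' -> {'min': 22, 'max': 22}."""
    lo, _, hi = spec.partition("-")
    return {"min": int(lo), "max": int(hi or lo)}


def to_oci_rule(direction, cidr, proto, ports):
    """Build one IngressSecurityRule / EgressSecurityRule body for the OCI API."""
    rule = {"protocol": PROTO[proto], "isStateless": False}
    if direction == "ingress":
        rule.update(source=cidr, sourceType="CIDR_BLOCK")
    else:
        rule.update(destination=cidr, destinationType="CIDR_BLOCK")
    if ports and proto in ("TCP", "UDP"):
        rule[proto.lower() + "Options"] = {"destinationPortRange": port_range(ports)}
    return rule


def compile_lists(rules=RULES):
    """Group rules by security list name -> {'ingress': [...], 'egress': [...]}."""
    out = {}
    for name, direction, cidr, proto, ports in rules:
        out.setdefault(name, {"ingress": [], "egress": []})[direction].append(
            to_oci_rule(direction, cidr, proto, ports))
    return out


def unknown_cidrs(rules=RULES, subnets=SUBNETS):
    """CIDRs that are neither 'anywhere' nor inside a declared subnet.
    Catches transcription slips such as a /24 written where the subnet is a /28,
    and references to address ranges this deployment never creates."""
    nets = [ipaddress.ip_network(c) for c in subnets.values()]
    bad = set()
    for _, _, cidr, _, _ in rules:
        net = ipaddress.ip_network(cidr)
        if cidr != "0.0.0.0/0" and not any(net.subnet_of(n) for n in nets):
            bad.add(cidr)
    return sorted(bad)


def internet_exposed(rules=RULES,
                     allowed=(("public-lbr-seclist", "80"), ("public-lbr-seclist", "443"))):
    """Ingress rules open to 0.0.0.0/0 other than the expected public load
    balancer ports. Anything returned here (SSH in particular) is a candidate
    to restrict to your corporate network, as the guide advises for the bastion."""
    return sorted({(n, p) for n, d, c, _, p in rules
                   if d == "ingress" and c == "0.0.0.0/0" and (n, p) not in allowed})


if __name__ == "__main__":
    print(json.dumps(compile_lists(), indent=2))
    print("CIDRs outside declared subnets:", unknown_cidrs())
    print("Internet-exposed ingress:", internet_exposed())
```

Run against the sample rows, the CIDR check reports 10.0.2.0/24 (setup-seclist, where web-subnet is a /28) and 10.0.0.0/28 (app-seclist, a range no subnet in Required Subnets covers), so those rows deserve a second look before they are created.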

To create the subnets in Required Subnets:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Networking > Virtual Cloud Networks and click the name of your Virtual Cloud Network.
  3. Select the Subnets tab.
  4. Click Create Subnet.
  5. Enter the following information as per Required Subnets:
    • Name: Name of the subnet to be created.
    • Compartment: Select the name of the compartment you created earlier. See Creating an OCI Compartment.
    • Subnet Type
    • IPv4 CIDR Block
    • Route Table
    • Subnet Access
    • DNS Resolution: Select Use DNS Hostnames in the subnet.
    • DHCP Options: Select Default DHCP Options for the VCN.
    • Security Lists: Select the security list, and click Add Another Security List if needed.
  6. Click Create Subnet.

Creating Compute Instances

Create the compute instances in your OCI tenancy for the deployment.

Required Compute Instances

The following table shows the compute instances that need to be created.

Table 10-11 Compute Instances to Create

Name | Min CPUs | Min Memory (GB) | Subnet | Public IP Address
bastion | 1 | 8 | bastion-subnet | Yes
webhost1 | 1 | 16 | web-subnet | No
webhost2 | 1 | 16 | web-subnet | No
oamhost1 | 4 | 32 | app-subnet | No
oamhost2 | 4 | 32 | app-subnet | No
oighost1 | 4 | 32 | app-subnet | No
oighost2 | 4 | 32 | app-subnet | No
ldaphost1 | 2 | 16 | db-subnet | No
ldaphost2 | 2 | 16 | db-subnet | No

Creating the Required Compute Instances

To create the compute instances in Required Compute Instances:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Compute > Instances.
  3. Click Create Instance.
  4. In Basic Information, enter the following information using the details in Required Compute Instances:
    • Name: Name of the compute instance to be created.
    • Compartment: Select the name of the compartment you created earlier. See Creating an OCI Compartment.
    • Placement: Select an Availability Domain.
    • Image: Select the operating system image you want to use. For example: Oracle Linux 9.
    • Shape: Click Change Shape, then select the architecture and shape you want to use. For example: VM.Standard.E4.Flex.

      On the selected image, expand the selected Shape name to customize the number of CPUs and memory to assign to the Compute Instance.

    • Click Next and Next again.
  5. In Networking enter the following information:
    • Network : Select your VCN.
    • Subnet: Select which subnet to use. If you need a public IP address, select Automatically assign public IPv4 Address.
    • Add SSH Keys: Select Paste public key. Copy in the contents of the id_rsa.pub file that you created earlier. See Creating an SSH Key Pair.
  6. Click Next and review the summary.
  7. Click Create.

The summary screen displays the IP addresses assigned to the compute instance. Make a note of this address. You will need it for connecting to the node.

Assigning a Secondary IP Address to a Compute Instance

In an Enterprise deployment you need to assign an additional IP address to the hosts OAMHOST1 and OIGHOST1.

This IP address is used for Admin Server failover. The Admin Server listens on this secondary IP address. If the host to which the IP address is assigned becomes unavailable, the IP address can be assigned to a different host and the Admin Server started there.

Before you can add a secondary IP address, you need to look for an IP address in the same subnet as the main IP address that is not being used. For example, if the IP address of your OAMHOST1 is 10.0.10.96 then you may see that IP address 10.0.10.97 is not being used, and this can therefore be used as a Virtual IP address.

To add the Virtual IP address to the network card, perform the following steps:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Compute and click Instances.
  3. Click on the Compute instance you want to add the IP address to, for example OAMHOST1.
  4. Select the Networking tab.
  5. Click on the VNIC listed in the Attached VNICs. This will most likely have the same name as the compute instance.
  6. In the VNIC Information select the IP administration tab.
  7. In IPv4 Addresses, click Assign Secondary IP Address.
  8. Enter the IP Address you wish to add and a hostname.
  9. Click Assign.
  10. Repeat the above steps for OIGHOST1.

Connecting to a Compute Instance

You can now connect to the compute instances using the following SSH command:

ssh -i id_rsa opc@IPAddress

Alternatively, if you are using SSH agent forwarding, which enables you to use your local SSH keys instead of leaving the keys (without passphrases) on the server, then you can use the following command:

ssh -A opc@IPAddress

To install the Oracle binaries, you will need access to a graphical display. To get this access, you should use X11 forwarding. Ensure that you install an X Window server on your desktop or laptop, for example XQuartz for macOS. You will then need to connect as the oracle user, for example:

ssh -AX oracle@IPAddress

Configuring the Compute Instances (General)

After creating the compute instances, you need to configure them.

You must perform the following steps on all the compute instances unless otherwise stated:

Installing X11 and Additional Packages

In order to install the Identity Management products on the compute nodes, you must install some Linux packages on all the compute nodes (LDAPHOSTn, OAMHOSTn, OIGHOSTn, WEBHOSTn).

Run the following command to install the packages on each of the compute nodes:

sudo yum install -y libXrender libXtst xauth xterm nc gtk3* at-spi2-cor* libXScrnSaver* libnotify* openldap* java

For the web hosts (WEBHOST1 and WEBHOST2), you must also install additional packages. Run the following command to install the packages on the web hosts:

sudo yum install -y xorg-x11* libaio-devel* gcc-c++-* ksh* libnsl* xorg-x11-utils* libstdc++-devel sysstat*

Enabling X11 Forwarding

Configure SSHD to not use localhost for X11:
  1. Open /etc/ssh/sshd_config in your preferred editor.
    sudo vi /etc/ssh/sshd_config
  2. Search for the line that has "X11UseLocalhost yes" (it is commented out).
  3. Remove the comment from the beginning of the line.
  4. Change the yes to no.
  5. Save the file.
  6. Restart SSHD by using the following command:
    sudo systemctl restart sshd

Editing Compute Instance Fault Domain

Each WEBHOST, OAMHOST, OIGHOST and LDAPHOST instance should reside in a different fault domain. Perform the following steps:
  1. Click the compute instance.
  2. Click Actions > More Actions and select Edit.
  3. Ensure each compute instance of a specific type is in a different fault domain. If not, click Edit Fault Domain and choose a different fault domain.
  4. Click Save changes.

Repeat the steps for each compute instance.

Creating a Software Owner Account

It is not good practice to install the Oracle software using the opc user. It is better to create a custom user to own the software. You can create a custom user by running the following commands:

sudo adduser -u 1001 oracle
sudo groupadd -g 1002 oinstall
sudo usermod -a -G oinstall oracle
sudo usermod -g oinstall oracle

Creating Local Directories

If your deployment requires the use of local directories, for example local binaries, local instance/domain files or certificates, then create local directories.

If you are using /u02 as described in this Enterprise Deployment Guide, you will need to create these local directories as root and then change the ownership to your oracle account.

sudo mkdir -p /u02/oracle/config /u02/oracle/products
sudo chown -R oracle:oinstall /u02

For a list of locations to create, see Preparing the File System for an Enterprise Deployment.

Creating Mount Points for Shared Storage

Before you can mount shared storage to a host you must pre-create the location to which it will be attached. For example:

sudo mkdir -p /u01/oracle/products
sudo chown -R oracle:oinstall /u01/oracle

For a list of locations to create, see Preparing the File System for an Enterprise Deployment.

Preparing the Compute Instance

For each compute instance you must also perform the tasks outlined in Preparing the Host Computers for an Enterprise Deployment.

Using the Firewall

The compute instance is created using an Oracle Linux image. The image comes with a built-in firewall, which is enabled by default. Even if your OCI security rules allow a request, the Linux server rejects it unless the built-in Linux firewall also allows the port.

You can decide to use this extra firewall or rely on your OCI security rules.

Opening the Ports in the Firewall

If you decide to use the firewall, you must add a firewall rule for every port that the server has to accept connections on.
  1. For every port that needs to be accessed, execute the following command:
    sudo firewall-cmd --permanent --add-port=YOUR_PORT/tcp

    For example:

    sudo firewall-cmd --permanent --add-port=7777/tcp
  2. Restart the firewall service after you configure all the ports. Use the following command to restart:
    sudo systemctl restart firewalld
  3. Validate the firewall configuration by executing the following command:
    sudo firewall-cmd --list-ports

Disabling the Firewall

To disable the firewall, run the following commands:

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Configuring the Bastion Node

Perform the following steps to configure the bastion node:

Installing Git

Git contains sample code to deploy Oracle Fusion Middleware. Install Git using the following command on the bastion only:

sudo yum install git -y

Setting Up the Hosts File

During setup, you will make curl requests to the load balancer. Because the bastion node uses the private DNS, the IP addresses it receives for the load balancer endpoints are on the internal network, which the bastion host cannot reach. To get around this, create an entry in the bastion hosts file for each entry point that points to the public IP address of the load balancer.

Note:

You cannot perform this step until you have created the load balancers. See Creating Load Balancers.

For example, if the public IP address of the load balancer is 129.1.1.3, add the following entry to the bastion hosts file:

129.1.1.3 login.example.com oig.example.com iadadmin.example.com igdadmin.example.com

Configuring the OHS Nodes

Perform the following steps to configure the OHS nodes:

Preparing the Compute Instance for Use by Oracle HTTP Server

You may also need to install additional Linux packages required to install the Oracle HTTP server, as well as setting the kernel parameters. See Preparing the Host Computers for an Enterprise Deployment.

Preparing the Hosts File

The nature of the networks in an OCI environment means that the Oracle HTTP Server instances will not have access to the public load balancer. This can cause issues when the Oracle HTTP Server tries to access some virtual hosts.

In later sections, you will create a public load balancer for connections from the outside world to your system. See Creating a Public Load Balancer.

You will also create a private load balancer to allow you to route requests from the private subnets to this load balancer. See Creating a Private Load Balancer.

To ensure that the requests from the Oracle HTTP Server are directed to the private load balancer rather than the public one, you should create an entry in the /etc/hosts file on the web hosts, which looks as follows:

PRIVATE_LOAD_BALANCER_IP login.example.com

For example:

10.0.2.7 login.example.com

Creating File Systems and Mount Targets

You need to create NFS file systems for Persistent Volumes and Oracle HTTP Server installations.

The filesystems that you have to create are described in Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

Overview of Preparing the File System for an Enterprise Deployment

It is important to set up your storage in a way that makes the enterprise deployment easy to understand, configure, and manage.

This section provides an overview of the process of preparing the file system for an enterprise deployment. Oracle recommends setting up your storage according to the information in this section. The terminology defined here is used in the diagrams and procedures throughout the guide.

Summary of File Systems

The following table lists a summary of the hosts and file systems to be mounted.

You have to mount the file systems to the bastion node only during the initial set up.

Table 10-12 Summary of Hosts and the File Systems to be Mounted

Mount Host | File System | Export | Mount Directory | Comments
All nodes | installers | /exports/installers | /installers | Used as a staging directory to temporarily store installers and patches.
oamhost1 | oamBinaries1 | /exports/oamBinaries1 | /u01/oracle/products |
oamhost1 | oamConfig | /exports/oamSharedConfig | /u01/oracle/config |
oamhost2 | oamBinaries2 | /exports/oamBinaries2 | /u01/oracle/products |
oighost1 | oigBinaries1 | /exports/oigBinaries1 | /u01/oracle/products |
oighost1 | oigConfig | /exports/oigSharedConfig | /u01/oracle/config |
oighost2 | oigBinaries2 | /exports/oigBinaries2 | /u01/oracle/products |

Creating a File System

To create a file system:
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Storage and click File Systems.
  3. Click Create File System.
  4. Select Filesystem for NFS.
  5. Click Edit Details in the File System Information section.
  6. Enter the following details:
    • Name: Provide a name for the file system. For example: oamBinaries1.
    • Compartment: Select the compartment you created earlier. See Creating an OCI Compartment.
  7. Click Edit Details in the Export Information section.
  8. Enter the following:
    • Export Path: This is the path you want to export. For example: /exports/oamBinaries1.
  9. Click Edit Details in the Mount Target Information section.
  10. Enter the following details:
    • Mount Target Name: Specify a name for the mount target. For example: APPVolumes (Application Servers).
    • Virtual Cloud Network: Select the VCN.
    • Subnet: For the persistent volumes, select the app-subnet.
  11. Click Create.

Note:

Create a new mount target only for the first persistent volume (PV). Subsequent PVs should use the same mount target.

Setting the Mount Target Storage Reporting

When you install Oracle products, the installer checks the available disk storage. This check fails when you use an OCI file system. The system displays a message saying that there is insufficient disk space. To overcome this error, you can configure OCI to report a specified amount of free space.

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Storage and click Mount Targets.
  3. Select a mount target. For example: AppVolumes.
  4. Click the NFS tab.
  5. Click Edit next to the Reported Size (GB) (it looks like a pencil).
  6. Set an arbitrary size value. For example: 20.
    This value ensures that the file system, when mounted on the OHS nodes, reports 20 GB of free space, which allows the OHS installer to proceed.
  7. Click Save.
  8. Repeat the above steps for each mount target.

Mounting File Systems on Hosts

Each mount target has a different IP address. To determine how to mount a given file system:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Select Storage and click File Systems.
  3. Select a file system.
  4. On the File System screen, select an export from the list of exports.
  5. Click Mount Commands at the top of the screen, to view examples of the mount command.
  6. For OAM hosts, place the entries in /etc/fstab with the following mount options:

    Sample OAM /etc/fstab entry:

    <IP>:/exports/oamBinaries1 /u01/oracle/products nfs auto,rw,bg,hard,nointr,tcp,vers=3,timeo=300,rsize=32768,wsize=32768
    <IP>:/exports/oamSharedConfig /u01/oracle/config nfs auto,rw,bg,hard,nointr,tcp,vers=3,timeo=300,rsize=32768,wsize=32768

    Before you can use the file system, ensure that you can write to it: mount the file system on the bastion node and write to it. If you are unable to write, use the chmod command to enable writing to the file system.

    For example:

    sudo mkdir -p /u01/oracle/products /u01/oracle/config
    sudo mount -a
    sudo chmod -R 777 /u01/oracle
  7. Run the following command to pick up the changes:
    sudo systemctl daemon-reload

Creating Load Balancers

You need to create two OCI load balancers. One of these load balancers is used to direct public traffic and the other for internal callbacks. The load balancer used for internal traffic is not reachable from outside the OCI network.

For more information about load balancers, see Getting Started with Load Balancing.

Creating a Public Load Balancer

This load balancer directs traffic from the internet to the Oracle HTTP Servers, which in turn pass on the traffic to the Application tier.

The public load balancer will send traffic to and from the user via SSL. After the traffic moves inside the OCI Virtual Network, it is sent unencrypted in an SSL terminated topology, and encrypted in an end to end SSL topology. You will need to provide your own SSL certificate or create a self-signed certificate for testing purposes.

To create a public load balancer, perform the following steps:

Creating a Self-Signed Certificate

You can create a self-signed certificate on any host which has access to the openssl packages. The following example is from a Linux box (in this case the bastion server was used).

For more information, see Doc ID 2617046.1.

If you prefer, you can also use a certificate provided by a recognized certificate authority.

To create a self-signed certificate:

  1. Create the CA (certificate authority) private key by using the following command:
    openssl genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    ....................+++
    .....+++
    e is 65537 (0x10001)
  2. Create the Certificate Signing Request (CSR).
    openssl req -new -key ca.key -out ca.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CR
    State or Province Name (full name) []:SJO
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:mycompany
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:*.example.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  3. Create the CA SIGN certificate that will be used to sign the new certificates.
    openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
    Signature ok
    subject=/C=CR/ST=SJO/L=Default City/O=mycompany/CN=*.example.com
    Getting Private key
  4. Create the private key for the load balancer.
    openssl genrsa -out loadbalancer.key 2048
    Generating RSA private key, 2048 bit long modulus
    ....................+++
    .....+++
    e is 65537 (0x10001)
  5. Create the CSR for the load balancer.
    openssl req -new -key loadbalancer.key -out loadbalancer.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CR
    State or Province Name (full name) []:SJO
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:mycompany
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:*.example.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  6. Sign the certificate with the CA certificate.
    openssl x509 -req -in loadbalancer.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out loadbalancer.crt -days 50000
    Signature ok
    subject=/C=CR/ST=SJO/L=Default City/O=mycompany/CN=*.example.com
    Getting CA Private Key
  7. Check that the certificate is signed by the CA.
    openssl x509 -in loadbalancer.crt -text
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    df:e7:c9:6a:56:e5:e4:c9
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CR, ST=SJO, L=Default City, O=mycompany, CN=*.example.com <==== signed by the CA created in step 3
    Validity
    Not Before: Dec 3 16:34:58 2019 GMT
    Not After : Oct 25 16:34:58 2156 GMT
    Subject: C=CR, ST=SJO, L=Default City, O=mycompany, CN=*.example.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
This procedure creates the following files to be used later. See Uploading Load Balancer Certificates.
  • ca.crt
  • loadbalancer.crt
  • loadbalancer.key

Creating a Load Balancer

To create a load balancer:
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Select Load Balancer and click Create Load Balancer.
  4. Enter the following information:
    • Name: Enter a name for the load balancer. For example: public-loadbalancer.
    • Visibility Type: Select Public.
    • Select Assign a Public IP Address and Ephemeral IP Address unless you want to use a specific IP address, in which case select Reserved IP Address.
    • Shapes: Select Flexible Shape.
    • Bandwidth: Select the anticipated bandwidth.
    • Virtual Cloud Network: Select the Virtual Cloud Network.
    • Subnet: Select the load balancer subnet you created earlier. See Creating Subnets for the Load Balancer.
  5. Click Next.
  6. On the Choose Back Ends screen, select your preferred Load Balancing Policy.
  7. Click Add Back Ends.
    1. Select Web Server Instances.
    2. Click Add Selected Back Ends.
    3. Change the port to the listen port for Oracle HTTP Server. For example, 7777 (SSL Terminated) and 4447 (End to End SSL).
  8. In the Specify Health Check Policy screen, change the port to the port used in the backend set. For example, 7777 or 4447.
  9. In the URL path enter /health-check.html.
  10. Enter a name for the back-end set. For example: ohs_servers.

    Note:

    In an SSL Terminated deployment, all listeners use the same backend set. In End to End SSL deployments, there is a backend set for each host name. For consistency, call the backend set ohs_hostname. For example, ohs_login.

  11. Select Enable load balancer cookie persistence in the Session Persistence section.
  12. Click Next.
  13. On the Configure Listener screen, enter the following information:

    Note:

    You will need one listener for each entry point. However, you can add only one listener at this point.
    • Name: Select a name for the listener. For example: login_listener.
    • Traffic Type: Select HTTPS.
    • Port: Select the load balancer port. login.example.com uses port 443.
    • Certificate Resource: Load Balancer Managed Certificate.
    • SSL Certificate: Paste the contents of the certificate (.crt) file of the certificate you have generated/purchased for the host login.example.com.
    • CA Certificate: Paste the contents of the CA Certificate that was used to generate the SSL certificate above.
    • Private Key: Paste the contents of the key file which was used in the generation of the SSL certificate.
  14. Click Next.
  15. Ensure that the Compartment is set to your compartment.
  16. In the Manage Logging screen, ensure that Create a New Log Group is selected.
  17. Change Name. For example: Public_Lbr.
  18. Change Log Name. For example: Public_lbr_error.
  19. Click Next.
  20. Click Submit.

Uploading Load Balancer Certificates

As the load balancer routes SSL requests, you need to upload the certificates for the load balancer. If you have created a self-signed certificate, add the details of that certificate. If you have your own certificates, upload those.

To upload the certificates:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: public_loadbalancer.
  4. Select Certificates from the Certificates and Ciphers tab.
  5. Select Load Balancer Managed Certificate.
  6. Click Add Certificate.
  7. Enter the following information. You can either upload the files directly or paste the contents of the files.
    • Certificate Name: Enter a name for the certificate. For example: login_cert.
    • SSL Certificate: Include the contents of the login.crt file.
    • CA Certificate: Select the Specify CA Certificate check box to include the contents of the ca.crt file.
    • Private Key: Select the Specify Private Key check box to include the contents of the login.key file.

    See Creating a Self-Signed Certificate.

  8. Click Add Certificate.
  9. Repeat the above step for each certificate you wish to upload.

Creating Host Names

Host names are used to filter the different entry points into the load balancer. You need to create a host name for each load balancer virtual host described in Summary of the Virtual Servers Required for an Enterprise Deployment.

You have to create the following host names:

  • login.example.com
  • oig.example.com
  • iadadmin.example.com
  • igdadmin.example.com
  • igdinternal.example.com

To create the load balancer host names:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: public_loadbalancer.
  4. Select the Hostnames tab.
  5. Click Create Hostname.
  6. Enter the following information:
    • Name: Enter a name for the host name. For example: login_hostname.
    • Hostname: Enter the fully qualified host name. For example: login.example.com.
  7. Click Create.
  8. Repeat for each host name to be created.

Note:

If you want to limit the admin access to users inside the network, you should create the hosts iadadmin.example.com and igdadmin.example.com in the private load balancer.

Creating Backend Sets

In End to End SSL deployments, you need to create additional backend sets that point to each OHS virtual host, as outlined below. If you are using SSL Terminated, you can ignore this section.

Table 10-13 End to End SSL Deployments

Name | SSL | Healthcheck | Backends | Backend Port
ohs_login | Yes | https:4447 | webhost1, webhost2 | 4447
ohs_oig | Yes | https:4448 | webhost1, webhost2 | 4448

Perform the following steps to create a backend set:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking, click Load Balancers, and then click the load balancer. For example, public_loadbalancer.

  3. Click the Backends tab.
  4. Click Create Backend Set.
  5. Enter information for each field as described below:

    Name - For example, ohs_iadadmin.

    Use SSL - Select to use SSL.

    Certificate Resource - Select Load Balancer Managed Certificates.

    Certificate Name - Enter the certificate name corresponding to the Oracle HTTP Servers CA. For example, ohs_ca. As all OHS certificates will have been created using the same CA, the CA created as part of the config wizard can be reused. This will have a system generated name similar to cert_bs_<DATESTAMP>.

    Verify Peer Certificate - Select Enabled.

    Verify Depth - Select 1.

    Session Persistence - Select Load balancer cookie persistence.

    Health Check - Enter https and the OHS listen port. For example, 4445.

    URL Path - /health-check.html.

  6. Click Create backend set.
  7. After the backend set is created, click its name. For example, ohs_iadadmin.
  8. Select the Backends tab.
  9. Click Add Backends.
  10. Select Compute Instances and click Add Instances.
  11. Select the compute instances where your OHS servers reside. For example, webhost1 and webhost2.
  12. Click Add Instances.
  13. In the port field, select the OHS port you want to use. For example, 4445.
  14. Click Add.

Creating Listeners

You need to create a listener for each host name you have created earlier. See Creating Host Names. The login listener has been created at the time of creating the load balancer. See Creating a Load Balancer.

Table 10-14 SSL Terminated Deployments

Name | Protocol | Port | SSL | Backend Set | Host Name
login (default) | https | 443 | Yes | ohs_servers | login_hostname
oig | https | 443 | Yes | ohs_servers | oig_hostname

Table 10-15 End to End SSL Deployments

Name | Protocol | Port | SSL | Backend Set | Host Name
login_listener (default) | https | 443 | Yes | ohs_login | login_hostname
oig_listener | https | 443 | Yes | ohs_oig | oig_hostname

Note:

In both of the above deployments, the administration URLs are not included in the public load balancer. This ensures that the administration functions cannot be reached from the internet at all; they are available only from inside the network or via a browser running on your bastion host.

If you have a requirement to expose these endpoints to the internet, you will need to add extra listeners for the administration functions. Access to these URLs should, however, be tightly controlled via appropriate security lists.

To create the load balancer listeners:

  1. Log into the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: public_loadbalancer.
  4. Select the Listeners tab.
  5. Click Create Listener.
  6. Enter the following information:
    • Name: Enter a name for the listener. For example: oig_listener.
    • Protocol: Select https.
    • Port: Specify 443.
    • Certificate Resource: Select Load balancer managed certificate.
    • Certificate Name: Ensure that the certificate you created for the load balancer is displayed. If not displayed, select the certificate.

      Note:

      This option will be available only if you use the HTTPS protocol.
    • Verify Peer Certificate - Select Enabled.
    • Verify Depth - Select 1.
    • Hostname: Select the hostname associated with your listener. For example: oig.
    • Backend Set: Select the backend set. For example: ohs_oig.
  7. Click Create Listener.
  8. Repeat the steps to create the remaining listeners.

Note:

If you want to limit the admin access to users inside the network, create the listeners iadadmin_listener and igdadmin_listener in the private load balancer.

Updating the Default Listener

When you created the load balancer, a default listener was also created. You have to assign the newly created host name to this listener.

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer, for example: public-loadbalancer.
  4. Select the Listeners tab.
  5. To edit the listener, click the three dots next to the name, for example login, and then click Edit.
  6. Set the host name to the host name you created earlier, for example: login. See Creating Host Names.
  7. Click Save changes.

Creating a Private Load Balancer

The private load balancer, which is used to route internal call backs, resides in the same subnet as the Oracle web servers. This load balancer services requests generated from inside the application.

Note:

Web servers issue curl commands to login.example.com. Therefore, you also need to define this on the private load balancer because the web servers do not have direct access to the public load balancer. You can use the same certificates that you used when you created the public load balancer.

To create a private load balancer, perform the following steps:

Creating a Load Balancer

To create a load balancer:
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click Create Load Balancer.
  4. Select Load Balancer and click Create Load Balancer.
  5. Enter the following information:
    • Name: Enter a name for the load balancer. For example: internal-loadbalancer.
    • Visibility Type: Select Private.
    • Shapes: Select Flexible Shape.
    • Bandwidth: Select the anticipated bandwidth.
    • Virtual Cloud Network: Select the Virtual Cloud Network.
    • Subnet: Select the same subnet as the web servers. For example: web-subnet. See Creating Subnets for the Load Balancer.
  6. Click Next.
  7. On the Choose Back Ends screen, select your preferred Load Balancing Policy.
  8. Click Add Instances.
    1. Select Web Server Instances.
    2. Click Add Instances.
    3. Change the port to the listen port for Oracle HTTP Server. For example: 7777 (SSL Terminated) and 4447 (End to End SSL).
  9. In the Specify Health Check Policy section, change the port to the port used in the backend set. For example, 7777 and 4447.
  10. In the Back End Set section, enter a name for the back-end set. For example: ohs_servers.

    Note:

    In an SSL Terminated deployment, all listeners use the same backend set. In End to End SSL deployments, there is a backend set for each host name. For consistency, call the backend set ohs_hostname. For example, ohs_login.

  11. In the Session Persistence section, select Enable load balancer cookie persistence.
  12. Click Next.
  13. On the Configure Listener screen, enter the following information:
    • Name: Select a name for the listener. For example: login.
    • Traffic Type: Select the traffic type the listener uses. login_listener uses HTTPS.
    • Port: Select the load balancer port. login.example.com uses port 443.
    • Certificate Resource: Load Balancer Managed Certificate.
    • SSL Certificate: Paste the contents of the certificate (.crt) file of the certificate you have generated/purchased for the host login.example.com.
    • CA Certificate: Paste the contents of the CA Certificate that was used to generate the SSL certificate above.
    • Private Key: Paste the contents of the key file which was used in the generation of the SSL certificate.
  14. Click Next.
  15. In the Manage Logging screen, ensure that Create a New Log Group is selected.
  16. Change Name. For example: lbr_internal.
  17. Change Log Name. For example: lbr_internal_error.
  18. Click Next.
  19. Click Submit.
  20. Review the Summary and Click Submit.

Creating Host Names

Host names are used to filter the different entry points into the load balancer. You need to create a host name for each load balancer virtual host described in Summary of the Virtual Servers Required for an Enterprise Deployment.

You have to create the following host names:
  • igdinternal.example.com
  • login.example.com
  • iadadmin.example.com
  • igdadmin.example.com
  • oig.example.com

Note:

login.example.com is defined here for internal traffic routing. The EDG uses network segregation. If you do not define it here, calls to login.example.com will attempt to communicate using the public network and fail.

To create the load balancer host name:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: internal_loadbalancer.
  4. Select the Hostnames tab from the resource list.
  5. Click Create Hostname.
  6. Enter the following information:
    • Name: Enter a name for the host name. For example: igdinternal_hostname.
    • Hostname: Enter the fully qualified host name. For example: igdinternal.example.com.
  7. Click Create.
  8. Repeat Steps 5 through 7 to create each of the required host names.

Updating the Default Listener

When you created the load balancer, a default listener was also created. You have to assign the newly created host name to this listener.

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: internal_loadbalancer.
  4. Click on the Listeners tab.
  5. To edit the listener, click the three dots next to the name, and then click Edit.
  6. Set the host name to the host name you created earlier. For example: login. See Creating Host Names.
  7. Click Save changes.

Uploading Load Balancer Certificates

As the load balancer routes SSL requests, you need to upload the certificates for the load balancer. If you have created a self-signed certificate, add the details of that certificate. If you have your own certificates, upload those.

To upload the certificates:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: internal_loadbalancer.
  4. Select the Certificates and ciphers tab.
  5. Click Add Certificate.
  6. Enter the following information. You can either upload the files directly or paste the contents of the files.
    • Name: Enter a name for the certificate. For example: login_cert.
    • SSL Certificate: Include the contents of the login.crt file.
    • CA Certificate: Select the Specify CA Certificate check box to include the contents of the ca.crt file.
    • Private Key: Select the Specify Private Key check box to include the contents of the login.key file.

    See Creating a Self-Signed Certificate.

  7. Click Add Certificate.
  8. Repeat the above for each certificate you need to add.

Creating Backend Sets

In End to End SSL deployments, you need a backend set that points to each OHS virtual host. You have already created the backend set for login when you created the load balancer; you now need to create the following backend sets.

Table 10-16 End to End SSL Deployments

Name | SSL | Healthcheck | Backends | Backend Port
ohs_iadadmin | Yes | https:4445 | webhost1, webhost2 | 4445
ohs_igdadmin | Yes | https:4446 | webhost1, webhost2 | 4446
ohs_login (default) | Yes | https:4447 | webhost1, webhost2 | 4447
ohs_oig | Yes | https:4448 | webhost1, webhost2 | 4448
ohs_igdinternal | Yes | https:4449 | webhost1, webhost2 | 4449

Perform the following steps to create a backend set:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking, click Load Balancers, and then click the load balancer. For example, internal_loadbalancer.

  3. Select the Backend Sets tab.
  4. Click Create Backend Set.
  5. Enter information for each field as described below:

    Name - For example, ohs_iadadmin.

    Use SSL - Select to use SSL.

    Certificate Resource - Select Load Balancer Managed Certificates.

    Certificate Name - Enter the certificate name corresponding to the Oracle HTTP Servers CA. For example, ohs_ca. As all OHS certificates will have been created using the same CA, the CA created as part of the config wizard can be reused. This will have a system generated name similar to cert_bs_<DATESTAMP>.

    Verify Peer Certificate - Select Enabled.

    Verify Depth - Select 1.

    Session Persistence - Select Load balancer cookie persistence.

    Health Check - Enter https and the OHS listen port. For example 4445.

    URL Path - /health-check.html.

  6. Click Create Backend Set.
  7. After the backend set is created, click its name. For example, ohs_iadadmin.
  8. Select the Backends tab.
  9. Click Add backends.
  10. Select Compute Instances and click Add Instances.
  11. Select the compute instances where your OHS servers reside. For example, webhost1 and webhost2.
  12. Click Add Instances.
  13. In the port field, select the OHS port you want to use. For example, 4445.

Creating Listeners

You need to create a listener for each host name you have created earlier. See Creating Host Names.

Table 10-17 SSL Terminated Deployments

Name | Protocol | Port | SSL | Backend Set | Host Name
igdinternal_listener | http | 7777 | No | ohs_servers | igdinternal_hostname
login_listener (default) | https | 443 | Yes | ohs_servers | login_hostname
iadadmin_listener | http | 80 | No | ohs_servers | iadadmin_hostname
igdadmin_listener | http | 80 | No | ohs_servers | igdadmin_hostname

Table 10-18 End to End SSL Deployments

Name | Protocol | Port | SSL | Backend Set | Host Name
igdinternal_listener | https | 443 | Yes | ohs_igdinternal | igdinternal_hostname
login_listener (default) | https | 443 | Yes | ohs_login | login_hostname
oig_listener | https | 443 | Yes | ohs_oig | oig_hostname
iadadmin_listener | https | 443 | Yes | ohs_iadadmin | iadadmin_hostname
igdadmin_listener | https | 443 | Yes | ohs_igdadmin | igdadmin_hostname

To create the load balancer listeners:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: internal_loadbalancer.
  4. Select the Listeners tab.
  5. Click Create Listener.
  6. Enter the following information as per the table above:
    • Name: Enter the listener name. For example iadadmin_listener.
    • Protocol: Select HTTPS.
    • Port: Specify 443.
    • Certificate Resource: Select Load balancer managed certificate.
    • Certificate Name: Ensure that the certificate you created for the load balancer is displayed. If it is not displayed, select the certificate, for example iadadmin_cert.
    • Hostname: Select login.
    • Backend Set: Select the back end set. For example:
      • SSL Terminated: ohs_oig
      • End to End SSL: ohs_login
  7. Click Create Listener.

Creating an LDAP Load Balancer

The LDAP load balancer is used to route internal LDAP requests to the LDAP Servers. It resides in the same subnet as the LDAP Servers. This load balancer services requests generated from inside the application.

To create an LDAP load balancer, perform the following steps:

Creating a Load Balancer
To create a load balancer:
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click Create Load Balancer.
  4. Select Load Balancer and click Create Load Balancer.
  5. Enter the following information:
    • Name: Enter a name for the load balancer. For example: ldap-loadbalancer.
    • Visibility Type: Select Private.
    • Shapes: Select Flexible Shape.
    • Bandwidth: Select the anticipated bandwidth.
    • Virtual Cloud Network: Select the Virtual Cloud Network.
    • Subnet: Select the database subnet. For example: db-subnet. See Creating Subnets for the Load Balancer.
  6. Click Next.
  7. On the Choose Back Ends screen, select your preferred Load Balancing Policy.
  8. Click Add Instances.
    1. Select LDAP Host Backends.
    2. Click Add Instances.
    3. Change the port to the listen port for OUD. For example: 1389 (SSL Terminated) and 1636 (End to End SSL).
  9. In the Specify Health Check Policy section, select Protocol TCP. Change the port to the port used in the backend set, for example, 1389 (SSL Terminated) or 1636 (End to End SSL). Set Use SSL to false.
  10. In the Back End Set section, enter a name for the back-end set. For example: ldap_servers.
  11. In the Session Persistence section select Enable Loadbalancer cookie persistence.
  12. Click Next.
  13. On the Configure Listener screen, enter the following information:
    • Name: Select a name for the listener. For example: idstore_listener.
    • Traffic Type: Select the traffic type the listener uses. idstore_listener uses TCP.
    • Port: Select the load balancer port 1389 or 1636.
  14. Click Next.
  15. In the Manage Logging screen, ensure that Create a New Log Group is selected.
  16. Change Name. For example: lbr_ldap.
  17. Change Log Name. For example: lbr_ldap_error.
  18. Click Next
  19. Click Submit.
  20. Review the Summary and Click Submit.
Creating Host Names

Host names are used to filter the different entry points into the load balancer. You need to create a host name for each load balancer virtual host described in Summary of the Virtual Servers Required for an Enterprise Deployment.

You have to create the following host names:
  • idstore.example.com

To create the load balancer host name:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: ldap_loadbalancer.
  4. Select the Hostnames tab from the resource list.
  5. Click Create Hostname.
  6. Enter the following information:
    • Name: Enter a name for the host name. For example: idstore_hostname.
    • Hostname: Enter the fully qualified host name. For example: idstore.example.com.
  7. Click Create.
Updating the Default Listener

When you created the load balancer, a default listener also gets created. You have to assign the newly created host name to this listener.

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking and click Load Balancers.
  3. Click the load balancer. For example: ldap_loadbalancer.
  4. Click on the Listeners tab.
  5. To edit the listener, click the three dots next to the name, and then click Edit.
  6. Set the host name to the host name you created earlier. For example: idstore. See Creating Host Names.
  7. Click Save changes.

Creating a Database

You must create a database to store all the schema information for Oracle Identity Management.

There are several different databases that you can create in OCI. For this example, a bare metal RAC database will be created. You may need to create one or more databases.

See Preparing the Database for an Enterprise Deployment for details on the databases and services you should create. This section shows an example of creating one of these databases in OCI.

Creating the Database

After establishing the network, you can now create the database.

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Oracle Database and click Oracle Base Database Service.
  3. Click on Create DB System.
  4. Enter the following information:
    • Compartment: Select the name of the compartment you created earlier. See Creating an OCI Compartment.
    • DB System Name: Enter a name for the database infrastructure. For example: Identity_Management_Databases.
    • Availability Domain: Select an availability domain.
    • Shape: This value depends on your sizing requirements.
    • Storage: Select Change Storage then select Oracle Grid Infrastructure. Choose your storage performance, for example Balanced.
    • Click Save.
    • In the DB System Configuration section choose the Total Node Count. This should be at least 2 for High Availability.

      Select the Database Software Edition you wish to use.

    • Configure Storage: Select the sizing requirements for your storage.
    • In the SSH Keys box, select Paste SSH Keys.
    • Copy the contents of the id_rsa.pub file that you created earlier. See Creating an SSH Key Pair.
    • License Type: Select the type of database license you have.
    • Virtual Cloud Network: Select your VCN, for example idm-vcn.
    • Client Subnet: Select the DB subnet. For example: db-subnet.
    • Host Name Prefix: Select a host name prefix. For example: db.
    • Database Name: Enter a name for your database. For example: idmdb.
    • Database Unique Name Suffix: Set it to a value unique to your system, which is especially important if you are going to create a disaster recovery site. The best practice is to set the suffix to the abbreviated region. For example: lon for London.
    • Database Image: Select the database release you want to use. For example: 23ai.
    • PDB Name: Enter a name for the Oracle Access Manager PDB you want to create. For example: oampdb.
    • Sys Password: Select a password you want to assign to the database SYS account.
    • Database Backups: Select Enable automatic backups.
    • Backup Retention Period: Specify the period for which you want to keep the database backups.
    • Backup Scheduling: Specify the preferred time to initiate the backup.
  5. Click Create.
  6. After the database is created, note the following values for use at a later point:
    • SCAN DNS Name: This is the host name you use to connect to the database.
    • db node 1 and db node 2: To obtain the names/IP addresses of these nodes, click Nodes from the resources list.

Note:

After the database is created, OCI adds a suffix to the database name. Ensure that you use the complete name including this suffix when configuring the database as described in Preparing the Database for an Enterprise Deployment.

Creating a Secondary Pluggable Database

When you create the database, it creates a single pluggable database (PDB). A single PDB may be sufficient for your needs.

However, if you require more PDBs, for example so that OAM and OIG use different PDBs in the same database, you have to create additional PDBs.

You can do this either at the database level or, if you are using OCI, through the OCI Console. To add a PDB at the database level, see Creating a PDB Using an Existing PDB as a Template.

Alternatively, you can create extra pluggable databases by using the OCI Console.
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Oracle Database and click Oracle Base Database Service.
  3. Click the DB system hosting the database.
  4. Click on the Databases tab.
  5. Click the Container Database Name from the list of displayed databases.
  6. Click the Pluggable Databases tab.
  7. Click Create.
  8. Add a name for the new pluggable database, for example oigpdb, and enter the TDE wallet password for the container database. This password may be the same as the database SYS password if you opt not to set an explicit value.
  9. Click Create.

Connecting to the Database Node

You can now connect to the database node using the following SSH command:

ssh -A opc@databaseNodeIPAddress

Connect to DB node 1 from the bastion node using the command:

ssh -A opc@dbnode1

After you connect to DB node 1 as opc, connect to the oracle user using the following command:

sudo su - oracle

Configuring the Database

After you create the skeletal database, you should configure the database as described in Preparing the Database for an Enterprise Deployment.

Creating a DNS Server

It is important that all host names are resolvable, including the load balancer virtual hosts. You can make them resolvable by adding entries to the local hosts files. However, in OCI, using a private DNS server is the simpler method.

By default, the compute hosts are configured to use a private DNS server. You have to add the entries only for the local hosts.

Creating a DNS Zone

To create a DNS zone:
  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking, select DNS Management, and then click Zones.
  3. Select the Private Zones tab.
  4. Click Create Zone.
  5. Enter the following information:
    • Name: Enter a name for the zone. For example: example.com.
    • Select Existing DNS Private View.
    • DNS Private View: Select Virtual Cloud Network.
  6. Click Create.

Creating DNS Records

After you create the zone, you can create records in the zone for each host. There are two types of DNS records that have to be created:

  • A Record: This is an IP address association with a host name.
  • CNAME: This is an alias for the A Record.

If you have multiple hosts using the same IP address, Oracle recommends that you create one 'A Record' and multiple 'CNAME' records.

To create a record:

  1. Log in to the Oracle Cloud Infrastructure Console for your tenancy.
  2. Navigate to Networking, select DNS Management, and then click Zones.
  3. Select the Private Zones tab.
  4. Click on the newly created zone example.com.
  5. Click Manage Records.
  6. Click Add Record.
  7. Select the Record Type: A or CNAME.
  8. Specify the name of the host in the domain. For example: loadbalancer.example.com.
  9. Specify the Address which is the IP Address of the host. For example: The IP address of the public load balancer.

    OR

    Specify the Target which is the name of the A record with which you want to associate the alias.

  10. Set the TTL value to 86400. If the TTL field is disabled, select the lock icon at the end of the row to specify a value.
  11. Click Add Record.

    Note:

    To continue adding another record, select the ADD ANOTHER RECORD check box. After you click Submit, the Add Record screen remains open to add another record.

    You have to create the following entries:

    Table 10-19 DNS Record Type and the Associated Host Name

    Name          Type   Target                    Address
    loadbalancer  A                                IP address of the Internal load balancer.
    iadadmin      CNAME  loadbalancer.example.com
    igdadmin      CNAME  loadbalancer.example.com
    login         CNAME  loadbalancer.example.com
    oig           CNAME  loadbalancer.example.com
    idstore       A                                IP Address of the internal LDAP load balancer
    igdinternal   CNAME                            IP address of the Internal load balancer.
    webhost1      A                                IP address of WEBHOST1.
    webhost2      A                                IP address of WEBHOST2.
    ldaphost1     A                                IP Address of LDAPHOST1
    ldaphost2     A                                IP Address of LDAPHOST2
    oamhost1      A                                IP Address of OAMHOST1
    oamhost2      A                                IP Address of OAMHOST2
    iadadminvh    A                                Floating IP Address of the OAM Admin Server
    oighost1      A                                IP Address of OIGHOST1
    oighost2      A                                IP Address of OIGHOST2
    igdadminvh    A                                Floating IP Address of the OIG Admin Server

    Note:

    The hostnames ldaphostn, oamhostn, oighostn, iadadminvhn and igdadminvhn must be the same on both the primary and standby sites for disaster recovery, regardless of the underlying physical hostname.
  12. After entering all your entries, click Publish Changes.
  13. Click Confirm Publish Changes to make the records active.

Validating Your Environment

Perform checks to ensure that your environment is ready for a deployment.

For the bastion node

  • Check the network connectivity:
    ping webhost1.example.com
    ping webhost2.example.com
  • Resolve the public address of the load balancer:
    ping login.example.com
    ping oig.example.com
  • Verify DNS is working by issuing the command:
    nslookup idstore.example.com 
    Verify that the IP address returned is that of your LDAP load balancer.

From the Web Tiers

  • Verify that the web tiers can communicate with the Application compute instances, which includes the port that you communicate on.

    Use the following command to check network connectivity:

    nc -zv OAMHOSTn <PORT>
    or:
    nc -zv OIGHOSTn <PORT>

    For example, if your OAM Administration Server for OAMHOST1 is using port 9002 then the command is as follows:

    nc -zv oamhost1.example.com 9002

    This will check that WEBHOSTn can communicate with the OAMHOST1 on port 9002 which is the secure mode port of the OAM Administration Server.

    The output will be similar to the following:
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Connection refused.

    The Connection refused message is expected because you have not yet configured the OAM Admin Server. If the command hangs then this means that there is no pathway between the WEBHOST and the OAMHOST using port 9002. This indicates an issue with your security rules.

  • Resolve the public address of the load balancer
    ping login.example.com
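As an added example (not code from the Oracle guide), the following POSIX shell script wraps the nc check described above, bounds the wait so a blocked path reports a timeout instead of hanging, and tells the expected Connection refused apart from a missing path through the security lists. It assumes Ncat's message format (the nc shipped with Oracle Linux) and takes host:port targets as arguments; the host names are the example names from this guide.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: classify the result of the
# "nc -zv HOST PORT" connectivity check run from WEBHOSTn.
# Assumes Ncat's output strings; "refused" is the expected state before the
# OAM/OIG servers are configured, "timeout" points at a security list/NSG gap.

# classify_nc_result EXIT_CODE OUTPUT
# Prints one of: open, refused, timeout, unresolved, error
classify_nc_result() {
    code="$1"
    out="$2"
    case "$out" in
        *"Connected to"*)           echo open ;;
        *"Connection refused"*)     echo refused ;;
        *"TIMEOUT"*|*"timed out"*)  echo timeout ;;
        *"Could not resolve"*)      echo unresolved ;;
        *) [ "$code" -eq 0 ] && echo open || echo error ;;
    esac
}

# check_port HOST PORT: run nc with a 5 second limit (-w 5) so that a path
# blocked by a security list cannot hang the check indefinitely.
check_port() {
    host="$1"
    port="$2"
    if out=$(nc -zv -w 5 "$host" "$port" 2>&1); then code=0; else code=$?; fi
    result=$(classify_nc_result "$code" "$out")
    case "$result" in
        open)    echo "$host:$port open: a server is already listening" ;;
        refused) echo "$host:$port reachable: refused is expected until the server is configured" ;;
        timeout) echo "$host:$port NO PATH: review the security list or NSG rules for port $port" ;;
        *)       echo "$host:$port $result: $out" ;;
    esac
}

# Usage from a web tier host, for example:
#   sh check_paths.sh oamhost1.example.com:9002 oamhost2.example.com:9002
# (targets are arguments so no port beyond the guide's example is assumed)
for target in "$@"; do
    check_port "${target%%:*}" "${target##*:}"
done
```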