Creating Oracle Access Management Docker Containers

Section 0: Before You Begin

This tutorial shows you how to create and configure Oracle Access Management (OAM) 12.2.1.4.0 Docker containers.

Background

Docker is a platform that enables users to build, package, ship and run distributed applications. Docker users package up their applications, and any dependent libraries or files, into a Docker image.

Docker images are portable artifacts that can be distributed across Linux environments. Images that have been distributed can be used to instantiate containers where applications can run in isolation from other applications running in other containers on the same host operating system.

You can deploy OAM images in the following ways:

1. Download a prebuilt OAM image from Oracle Container Registry by navigating to Middleware > oam_cpu. This image is prebuilt by Oracle and includes Oracle Access Management 12.2.1.4.0, the latest Patch Set Update (PSU) and other fixes released with the Critical Patch Update (CPU) program.

2. Build your own OAM image using the WebLogic Image Tool or by using the dockerfile, scripts and base images from Oracle Container Registry (OCR). You can also build your own image by using only the dockerfile and scripts. For more information about the various ways in which you can build your own container image, see Building the OAM Image.

Before following this tutorial, the OAM image must be installed in the docker images repository using one of these methods. Instructions for all these methods are found in the links referenced above.

The OAM image is designed to be used for the following OAM containers:

  • WebLogic Administration Server (AdminServer)
  • OAM Managed Server (oam_server1)
  • OAM Policy Manager Managed Server (oam_policy_mgr1)

What Do You Need?

  • An OAM image installed in the docker images repository
  • A basic understanding of Docker
  • A running Oracle Database. The database must be a supported version for OAM as outlined in Oracle Fusion Middleware 12c certifications.

Section 1: Validate the OAM Image

In this section you validate the OAM image is installed in the docker images repository.

  1. Run the following command to make sure the OAM image is installed in the docker images repository:
    $ docker images
    The output will look similar to the following:
    REPOSITORY   TAG          IMAGE ID       CREATED        SIZE
    oam          12.2.1.4.0   d285e4354f9d   4 months ago   3.38GB
    Make a note of the OAM image name, as it is used in later sections. In this example the image name is oam:12.2.1.4.0

Section 2: Create a Bridged Network

In this section you create a bridged network so the OAM Container(s) can communicate with each other.

  1. To create a docker network, run the following command:
    $ docker network create -d bridge OamNET
    The output will look similar to the following:
    eff0bf4d7752e11e735a1e570d3348592af181e76ff86e6762f57e3f62928f9f

Section 3: Create and Run the OAM Administration Server Container

In this section you create and run the OAM WebLogic Administration Server container, which hosts the WebLogic and OAM Consoles.

When the container is created for the Administration Server, the following operations are performed:

  • Execution of the Repository Creation Utility
  • Creation of the OAM Domain with DOMAIN_ROOT as /u01/oracle/user_projects
  • Startup of the Administration Server

A directory from the host, for example /scratch/user_projects, will be mapped to containers at /u01/oracle/user_projects. This is the mechanism by which the domain structure is shared among the OAM Administration Server and Managed Server containers.

  1. Create an environment file /scratch/oam-admin.env which contains the following variables:
    DOMAIN_NAME=access_domain
    ADMIN_USER=weblogic
    ADMIN_PASSWORD=<password>
    ADMIN_LISTEN_HOST=oamadmin
    ADMIN_LISTEN_PORT=7001
    CONNECTION_STRING=oamdb.example.com:1521/oampdb1.example.com
    RCUPREFIX=OAM01
    DB_USER=sys
    DB_PASSWORD=<password>
    DB_SCHEMA_PASSWORD=<password>
    where:
    a) DOMAIN_NAME is the name of the WebLogic domain to be created
    b) ADMIN_USER and ADMIN_PASSWORD are the weblogic user/pwd for the WebLogic and OAM Administration Consoles
    c) ADMIN_LISTEN_HOST is the hostname for the container. Note: it is recommended to make this the same name as the container name passed in the --name parameter in the docker run command below
    d) ADMIN_LISTEN_PORT is the port number for the WebLogic Administration Server to listen on
    e) CONNECTION_STRING is the <host>:<port>/<service_name> of the running database
    f) RCUPREFIX is the prefix name to give the schemas built by RCU
    g) DB_USER and DB_PASSWORD are the user/pwd of the running database
    h) DB_SCHEMA_PASSWORD is the password you want to set for the RCU schemas
  2. Run the following command to create and start the OAM Administration Server container:
    $ mkdir /scratch/user_projects
    $ chmod 777 /scratch/user_projects
    $ docker run -d -p 7001:7001 --name oamadmin --network=OamNET --env-file /scratch/oam-admin.env --volume /scratch/user_projects:/u01/oracle/user_projects oam:12.2.1.4.0
    In the above example:
    a) -d starts the container detached as a background process
    b) --name is the name given to the docker container once started. For ease of use name this the same as passed in the ADMIN_LISTEN_HOST variable
    c) --volume maps the /scratch/user_projects directory on the host environment to the /u01/oracle/user_projects directory in the container.
    d) --env-file is the path to the .env file created earlier
    e) oam:12.2.1.4.0 is the OAM image name.
    f) --network is the name of the network bridge we created earlier

    The output will look similar to the following:
    5ed71fe34a04cde9dfca08dbbe1a24d3b921f35f697f2c0881c93f5d25e1dd06
    Note: In the above example the environment variables are passed with the --env-file parameter, which points to a file containing the environment variables. Alternatively, you can pass the environment variables on the command line as follows:
    $ docker run -d --network=OamNET -p 7001:7001 --name=oamadmin \
    --env CONNECTION_STRING=oamdb.example.com:1521/oampdb1.example.com --env ADMIN_LISTEN_HOST=oamadmin \
    --env DOMAIN_NAME=access_domain --env ADMIN_USER=weblogic --env ADMIN_PASSWORD=<password> \
    --env ADMIN_LISTEN_PORT=7001 --env RCUPREFIX=OAM1 --env DB_USER=sys \
    --env DB_PASSWORD=<password> --env DB_SCHEMA_PASSWORD=<password> \
    -v /scratch/user_projects/:/u01/oracle/user_projects oam:12.2.1.4.0
  3. Validate the container is running by issuing the following command:
    $ docker ps
    The output should look similar to the following:
    CONTAINER ID   IMAGE            COMMAND                  CREATED          STATUS          PORTS                    NAMES
    74653360d1fa   oam:12.2.1.4.0   "sh -c ${SCRIPT_DIR}…"   16 seconds ago   Up 15 seconds   0.0.0.0:7001->7001/tcp   oamadmin
  4. Run the docker logs command to see the status of the domain creation:
    $ docker logs oamadmin
    The domain creation will take several minutes. Run the above command until you see the following output confirming the OAM Administration Server is running:
    INFO: Starting the Admin Server...
    INFO: Logs = /u01/oracle/user_projects/domains/access_domain/logs/as.log
    <Mar 4, 2020 2:34:26,180 PM GMT> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.>
    INFO: Admin server is running
    INFO: Admin server running, ready to start managed server
    Note: If the oamadmin container disappears after a while, it is likely that the container failed to start. If so, run "docker ps -a". This shows the status of all containers, whether started, stopped, or exited. You can then run "docker logs oamadmin" to view the log and work out what went wrong. Most problems are caused by typos in the docker run command, or by incorrectly set environment variables.
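
The note above attributes most start-up failures to incorrectly set environment variables, and /scratch/oam-admin.env also holds the WebLogic and database passwords in clear text. The following pre-flight check is an added example, not part of the Oracle tutorial or the image's scripts; the function names check_env_file and env_get and the heuristic checks themselves are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for an env file passed to docker run --env-file.
# check_env_file and env_get are names chosen for this example.

# Print the value of the first KEY= line in FILE.
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_env_file FILE KEY...
# Prints one line per problem; returns 0 only if none were found.
check_env_file() {
    file=$1; shift
    problems=0
    if [ ! -r "$file" ]; then
        echo "$file: not readable"
        return 1
    fi
    # The file holds passwords: group and other must have no access
    # (characters 5-10 of the ls mode string, e.g. -rw-------).
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible to group or other, run chmod 600"
        problems=$((problems + 1))
    fi
    for key in "$@"; do
        value=$(env_get "$file" "$key")
        case $value in
            "")        msg="is missing or empty" ;;
            *"<"*">"*) msg="still contains a <...> placeholder" ;;
            \"*|\'*)   msg="is quoted; --env-file keeps the quotes in the value" ;;
            *" ")      msg="has a trailing space" ;;
            *)         msg="" ;;
        esac
        if [ -z "$msg" ]; then
            case $key in
                *PORT)  # must be a number in 1-65535
                    case $value in
                        *[!0-9]*) msg="is not a number" ;;
                        *) [ "$value" -ge 1 ] && [ "$value" -le 65535 ] ||
                               msg="is out of range" ;;
                    esac ;;
                CONNECTION_STRING)
                    echo "$value" | grep -Eq '^[^:/]+:[0-9]+/[^/]+$' ||
                        msg="is not <host>:<port>/<service_name>" ;;
            esac
        fi
        if [ -n "$msg" ]; then
            echo "$file: $key $msg"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Variables the tutorial lists for /scratch/oam-admin.env.
OAM_ADMIN_KEYS="DOMAIN_NAME ADMIN_USER ADMIN_PASSWORD ADMIN_LISTEN_HOST \
ADMIN_LISTEN_PORT CONNECTION_STRING RCUPREFIX DB_USER DB_PASSWORD DB_SCHEMA_PASSWORD"

# Usage: check_env_file /scratch/oam-admin.env $OAM_ADMIN_KEYS
```

The key list is a parameter, so the same function can check the managed server env files by passing the variables listed for them.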

Section 4: Create and Run the OAM WebLogic Managed Server Container

In this section you create and run the OAM WebLogic Managed Server Container.

  1. Create an environment file /scratch/oam-ms.env which contains the following variables:
    DOMAIN_NAME=access_domain
    ADMIN_USER=weblogic
    ADMIN_PASSWORD=<password>
    ADMIN_LISTEN_HOST=oamadmin
    ADMIN_LISTEN_PORT=7001
    MANAGEDSERVER_PORT=14100
    MANAGED_SERVER_CONTAINER=true
    MS_HOST=oamms
    MS_NAME=oam_server1
    where:
    a) DOMAIN_NAME is the name of the WebLogic domain created previously
    b) ADMIN_USER and ADMIN_PASSWORD are the weblogic user/pwd
    c) ADMIN_LISTEN_HOST is the hostname of the OAM Administration Server container
    d) ADMIN_LISTEN_PORT is the port number of the WebLogic Administration Server
    e) MANAGEDSERVER_PORT is the port number for the OAM Managed Server
    f) MANAGED_SERVER_CONTAINER is set to true for healthcheck reasons
    g) MS_HOST is the hostname where the managed server will reside. This should be set to the same value as the --name parameter passed in the docker run command below
    h) MS_NAME is the name of the OAM managed server to create
  2. Run the following command to create and start the OAM Managed Server container:
    $ docker run -d -p 14100:14100 --network=OamNET --volumes-from oamadmin --name oamms --env-file /scratch/oam-ms.env oam:12.2.1.4.0 "/u01/oracle/dockertools/startMS.sh"
    In the above example:
    a) -d starts the container detached as a background process
    b) --name is the name given to the docker container once started. For ease of use name this the same as passed in the MS_HOST variable
    c) --volumes-from is the name of the OAM Administration Server container
    d) --env-file is the name of the file containing the environment variables created earlier
    e) oam:12.2.1.4.0 is the OAM image name
    f) --network is the name of the network bridge we created earlier
    g) /u01/oracle/dockertools/startMS.sh is passed as a CMD to docker run. The script startMS.sh establishes connection with ADMIN_LISTEN_HOST:ADMIN_LISTEN_PORT using credentials ADMIN_USER and ADMIN_PASSWORD to start the MS_NAME managed server.

    The output will look similar to the following:
    7e735093a9503dc6586e00f31c9846cf59b92fb5299875f4eb650053f0a1fb01
    Note: In the above example the environment variables are passed with the --env-file parameter, which points to a file containing the environment variables. Alternatively, you can pass the environment variables on the command line as follows:
    $ docker run -d -p 14100:14100 --network=OamNET --volumes-from oamadmin --name oamms --env DOMAIN_NAME=access_domain --env ADMIN_USER=weblogic \
    --env ADMIN_PASSWORD=<password> --env ADMIN_LISTEN_HOST=oamadmin --env ADMIN_LISTEN_PORT=7001 --env MANAGEDSERVER_PORT=14100 --env MANAGED_SERVER_CONTAINER=true --env MS_NAME=oam_server1 \
    --env MS_HOST=oamms oam:12.2.1.4.0 "/u01/oracle/dockertools/startMS.sh"
  3. Validate the container is running by issuing the following command:
    $ docker ps
    The output should look similar to the following:
    CONTAINER ID   IMAGE            COMMAND                  CREATED          STATUS          PORTS                      NAMES
    7e735093a950   oam:12.2.1.4.0   "/u01/oracle/dockert…"   14 seconds ago   Up 13 seconds   0.0.0.0:14100->14100/tcp   oamms
    74653360d1fa   oam:12.2.1.4.0   "sh -c ${SCRIPT_DIR}…"   2 hours ago      Up 2 hours      0.0.0.0:7001->7001/tcp     oamadmin
  4. Run the docker logs command to see the status of the server creation:
    $ docker logs oamms
    The OAM Managed Server creation will take several minutes. Run the above command until you see the following output to confirm the OAM Managed Server is running:
    INFO: Waiting for the Managed Server to accept requests...
    <Mar 4, 2020 3:13:44,286 PM GMT> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.>
    INFO: Managed Server is running
    INFO: Managed server has been started
    Note: If the oamms container disappears after a while, it is likely that the container failed to start. If so, run "docker ps -a". This shows the status of all containers, whether started, stopped, or exited. You can then run "docker logs oamms" to view the log and work out what went wrong. Most problems are caused by typos in the docker run command, or by incorrectly set environment variables.

Section 5: Create and Run the OAM Policy Manager Container

In this section you create and run the OAM Policy Manager Container.

  1. Create an environment file /scratch/oam-policy.env which contains the following variables:
    DOMAIN_NAME=access_domain
    ADMIN_USER=weblogic
    ADMIN_PASSWORD=<password>
    ADMIN_LISTEN_HOST=oamadmin
    ADMIN_LISTEN_PORT=7001
    MANAGEDSERVER_PORT=15100
    MANAGED_SERVER_CONTAINER=true
    MS_NAME=oam_policy_mgr1
    MS_HOST=oampolicy
    where:
    a) DOMAIN_NAME is the name of the WebLogic domain created earlier
    b) ADMIN_USER and ADMIN_PASSWORD are the weblogic user/pwd for the OAM Administration Server
    c) ADMIN_LISTEN_HOST is the hostname of the OAM Administration Server container
    d) ADMIN_LISTEN_PORT is the port number of the OAM WebLogic Administration Server
    e) MANAGEDSERVER_PORT is the port number for the OAM Policy Manager Managed Server
    f) MANAGED_SERVER_CONTAINER is set to true for healthcheck reasons
    g) MS_NAME is the name of the policy manager managed server
    h) MS_HOST is the hostname for this container. This should match the --name parameter passed in the docker run command below
  2. Run the following command to create and start the OAM Policy Manager container:
    $ docker run -d -p 15100:15100 --network=OamNET --env-file /scratch/oam-policy.env --volumes-from oamadmin --name oampolicy oam:12.2.1.4.0 "/u01/oracle/dockertools/startMS.sh"
    In the above example:
    a) -d starts the container detached as a background process
    b) --name is the name given to the docker container once started. For ease of use name this the same as passed in the MS_HOST variable
    c) --volumes-from is the name of the OAM Administration Server container
    d) oam:12.2.1.4.0 is the name of the OAM image
    e) --network is the name of the network bridge we created earlier
    f) /u01/oracle/dockertools/startMS.sh is passed as a CMD to docker run. The script startMS.sh establishes connection with ADMIN_LISTEN_HOST:ADMIN_LISTEN_PORT using credentials ADMIN_USER and ADMIN_PASSWORD to start the MS_NAME managed server.

    The output will look similar to the following:
    b673528bfc828d172759e86fcb942d5333ad80adc8a43202ddbd66428cecc81a
    Note: In the above example the environment variables are passed with the --env-file parameter, which points to a file containing the environment variables. Alternatively, you can pass the environment variables on the command line as follows:
    $ docker run -d -p 15100:15100 --network=OamNET --volumes-from oamadmin --name oampolicy --env DOMAIN_NAME=access_domain --env ADMIN_USER=weblogic --env ADMIN_PASSWORD=<password> \
    --env ADMIN_LISTEN_HOST=oamadmin --env ADMIN_LISTEN_PORT=7001 --env MANAGEDSERVER_PORT=15100 --env MANAGED_SERVER_CONTAINER=true --env MS_NAME=oam_policy_mgr1 --env MS_HOST=oampolicy oam:12.2.1.4.0 "/u01/oracle/dockertools/startMS.sh"
  3. Validate the container is running by issuing the following command:
    $ docker ps
    The output should look similar to the following:
    CONTAINER ID   IMAGE            COMMAND                  CREATED          STATUS          PORTS                      NAMES
    307b29018f3b   oam:12.2.1.4.0   "/u01/oracle/dockert…"   2 minutes ago    Up 2 minutes    0.0.0.0:15100->15100/tcp   oampolicy
    7e735093a950   oam:12.2.1.4.0   "/u01/oracle/dockert…"   14 seconds ago   Up 13 seconds   0.0.0.0:14100->14100/tcp   oamms
    74653360d1fa   oam:12.2.1.4.0   "sh -c ${SCRIPT_DIR}…"   2 hours ago      Up 2 hours      0.0.0.0:7001->7001/tcp     oamadmin
  4. Run the docker logs command to see the status of the server creation:
    $ docker logs oampolicy
    The OAM Managed Server creation will take several minutes. Run the above command until you see the following output to confirm the OAM Policy Manager Server is running:
    INFO: Starting the managed server oam_policy_mgr1
    INFO: Logs = /u01/oracle/user_projects/domains/access_domain/logs/oam_policy_mgr1-ms-oampolicy.log
    INFO: Waiting for the Managed Server to accept requests...
    <Mar 4, 2020 3:48:47,940 PM GMT> <Notice> <WebLogicServer> <BEA-000360> <The server started in RUNNING mode.> started
    Note: If the oampolicy container disappears after a while, it is likely that the container failed to start. If so, run "docker ps -a". This shows the status of all containers, whether started, stopped, or exited. You can then run "docker logs oampolicy" to view the log and work out what went wrong. Most problems are caused by typos in the docker run command, or by incorrectly set environment variables.
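
Sections 3 to 5 each ask you to rerun docker logs until the BEA-000360 RUNNING line appears, and to check docker ps -a if the container disappears. The loop below combines both checks for any of the three containers; it is an added example, not part of the Oracle tutorial, and the function name wait_for_running, the default timeout and the polling interval are assumptions.

```sh
#!/bin/sh
# Added example: poll a container until WebLogic reports RUNNING.

# wait_for_running CONTAINER [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 when the BEA-000360 line is in the log, 1 on timeout,
# 2 if the container is not running (exited, dead or removed).
wait_for_running() {
    container=$1
    timeout=${2:-1800}
    interval=${3:-15}
    waited=0
    while [ "$waited" -le "$timeout" ]; do
        # A container that failed to start never logs RUNNING, so stop early.
        state=$(docker inspect -f '{{.State.Status}}' "$container" 2>/dev/null) ||
            state="not found"
        if [ "$state" != "running" ]; then
            echo "$container is $state; check: docker logs $container" >&2
            return 2
        fi
        # BEA-000360 is the message id of "The server started in RUNNING mode."
        if docker logs "$container" 2>&1 | grep -q '<BEA-000360>'; then
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "$container did not reach RUNNING within ${timeout}s" >&2
    return 1
}

# Usage: wait_for_running oamadmin && wait_for_running oamms && wait_for_running oampolicy
```

docker logs returns the whole log history, so after a docker stop and docker start the earlier RUNNING line still matches; restrict the search with docker logs --since in that case.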

Section 6: Validating the OAM Services

In this section you validate that OAM is running and functioning.

  1. Find the relevant IP addresses for each docker container using the following command:
    $ docker inspect -f '{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' < name of docker containers separated by space >
    For example:
    $ docker inspect -f '{{.Name}} - {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' oamadmin oamms oampolicy 

    The output will look similar to the following:

    /oamadmin - 192.168.0.3
    /oamms - 192.168.0.4
    /oampolicy - 192.168.0.5

  2. Launch a browser on the Docker host Linux server. Edit the browser's network proxy preferences and add the IP addresses from above to the "No proxy for" section.
  3. Access the following URLs using the relevant IP address for the container. Log in with weblogic/<password>
    Console or Page                      URL
    WebLogic Administration Console      http://<oamadmin_ip>:7001/console
    Oracle Enterprise Manager Console    http://<oamadmin_ip>:7001/em
    Oracle Access Management Console     http://<oamadmin_ip>:7001/oamconsole
    OAM Server Logout                    http://<oamms_ip>:14100/oam/server/logout
    Policy Manager Access                http://<oampolicy_ip>:15100/access

    Alternatively services can be accessed through:
    a) localhost only from the docker host itself with http://localhost:7001/<uri>
    b) From outside the docker host, if container ports were mapped to the host ports (through the -p parameter of docker run). For example http://<hostname>:<ADMIN_LISTEN_PORT>/<uri>


    Note: To stop and start the Administration Server and OAM Managed Servers, use the docker stop <container> and docker start <container> commands.

Section 7: Updating OAM Containers with a New Image

In this section you start the OAM containers with a new docker image.

  1. Install the new image in the repository, for example oam:12.2.1.4.0-new:
    $ docker images

    REPOSITORY   TAG              IMAGE ID       CREATED        SIZE
    oam          12.2.1.4.0       d285e4354f9d   4 months ago   3.38GB
    oam          12.2.1.4.0-new   b6de6dd37fea   1 day ago      3.32GB
  2. Run the following commands to stop and remove the containers:
    $ docker stop oampolicy
    $ docker stop oamms
    $ docker stop oamadmin
    $ docker rm oampolicy
    $ docker rm oamms
    $ docker rm oamadmin
  3. Follow sections 3-5 to start the containers but pass the new image name, for example oam:12.2.1.4.0-new. For example, for the OAM Administration Server:
    $ docker run -d -p 7001:7001 --name oamadmin --network=OamNET --env-file /scratch/oam-admin.env --volume /scratch/user_projects:/u01/oracle/user_projects oam:12.2.1.4.0-new
    As you are passing the volume parameter the OAM servers will start with your previous configuration.


Section 8: Removing an OAM Docker Setup

If you need to remove an OAM Docker setup perform the following steps:

  1. Run the following commands to stop the OAM containers:
    $ docker stop oamadmin oamms oampolicy
  2. Remove the OAM containers using the following command:

    $ docker rm oamadmin oamms oampolicy
  3. Remove all the directories from where you mapped the --volume parameter when creating the oamadmin container, for example /scratch/user_projects.
    $ sudo rm -rf /scratch/user_projects/*
    If you are using an external database and want to create a new environment, make sure you choose a different RCUPREFIX in the oam-admin.env

Want to Learn More?

Oracle Access Management


Feedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.