Oracle by Example brandingDeploying Oracle Access Management on Oracle Cloud Infrastructure

section 0Before You Begin

This tutorial shows you how to deploy the Oracle Access Management (OAM) 12.2.1.4.0 application on Oracle Cloud Infrastructure (OCI).

Background

The Oracle Access Management application is available on the Oracle Cloud Infrastructure Marketplace and allows you to quickly deploy an instance of Oracle Access Management.

At present this image can be only be used for testing and development purposes and should only be used with non-sensitive data. In the current OCI MarketPlace release, SSL is not enabled at the Load Balancer or any other integration point.

OAM on OCI is deployed in a Kubernetes (K8S) cluster using the Oracle Kubernetes Engine (OKE). Lifecycle operations are performed with the Oracle WebLogic Server Kubernetes Operator.

What Do You Need?

  • An Oracle Cloud Infrastructure account.
  • A basic understanding of OCI

section 1Database Prerequisites

Before deploying OAM on OCI MarketPlace the following database prerequisites must be met:

  1. An Oracle Database instance must exist with connectivity from OCI. If you need to create a database in OCI there are multiple ways you can perform this task. One such way is outlined in Creating Bare Metal and Virtual Machine DB Systems.

    The database must be a supported version for OAM as outlined in Oracle Fusion Middleware 12c certifications.

    The database must be made publicly accessible and be in the same region where the OAM stack will be installed.
  2. Once the database is provisioned, create an Ingress rule to allow external communication to the database port on 1521. This is a requirement so OAM can create RCU schemas in the database. To create an Ingress rule:

    1. Access the OCI console, and from the Navigation Menu select Networking > Virtual Cloud Networks.
    2. Under the Name column click the link that corresponds to your virtual network vcn-xxxx.
    3. Under Resources, select Security Lists.
    4. Under Security Lists click the relevant Security List for example: Default Security List vcn-xxxx.
    5. Under Ingress Rules click Add Ingress Rules.
    6. In the Add Ingress Rules window accept the default values, but change the following fields:

      Name Value
      SOURCE CIDR 0.0.0.0/0
      DESTINATION PORT RANGE 1521
    7. Click Add Ingress Rules.

  3. Obtain the public IP address of the database host. In the OCI Console navigate to Bare Metal, VM and Exadata > DB Systems. Click the link for your DB System, and under the Resources list click Nodes. This public IP address will be used later when configuring the DB connection details during OAM provisioning.
  4. If using an Oracle database with CDB enabled then you must obtain the connection string for the PDB administration service. To find this connection string follow the section titled: To derive the connection string for a PDB administration service or an application service. This PDB connection string will be used later as the value for the OAM_DB_URL parameter during OAM provisioning.

    Note: If you are unsure of the name of the PDB administration service see Viewing Information About PDBs.
  5. Using SQL*Plus or SQL Developer test a connection to the database using the PDB connect string.

section 2OCI Prerequisites

Before deploying OAM on OCI MarketPlace the following OCI prerequisites must be met:

  1. OAM requires two (2) or more compute nodes for the Node Pool and three (3) compute nodes for the Bastion in the respective Availability Domain. To check you have enough compute nodes available:
    1. Access the OCI console and from the Navigation Menu navigate to Governance > Limits, Quota and Usage.
    2. From the SERVICE drop down menu select Compute.
    3. From the SCOPE menu select the appropriate Availability Domain.
    4. From the COMPARTMENT menu select the compartment you wish to deploy to.
    5. Check the Available column and make sure you have sufficient computes available for the Node Shape you wish to deploy.
    For more information on the compute shapes available refer to Compute Shapes.
  2. OAM requires two (2) Virtual Cloud Network (VCN) resources to be available:
    1. From the SERVICE drop down menu select Virtual Cloud Network.
    2. From the SCOPE menu select your tenancy.
    3. From the RESOURCE menu select Virtual Cloud Networks Count.
    4. Check the Available column and make sure at least two (2) VCN's are available.
  3. OAM requires one 100Mbps Load Balancer resource to be available:
    1. From the SERVICE drop down menu select LbaaS.
    2. From the SCOPE menu select your tenancy.
    3. From the RESOURCE menu select 100Mbps Load Balancer Count.
    4. Check the Available column and make sure at least one (1) Load Balancer is available.
  4. OAM requires one (1) OKE Cluster resource to be available.
    1. From the SERVICE drop down menu select Container Engine.
    2. From the SCOPE menu select your tenancy.
    3. From the RESOURCE menu select Cluster Count.
    4. Check the Available column and make sure one (1) or more are available.
  5. OAM requires one (1) File System resource and one (1) Mount Target resource to be available:
    1. From the SERVICE drop down menu select File Storage.
    2. From the SCOPE menu select your Availability Domain.
    3. Check the Available column and make sure at least one (1) resource is available for both File System Count and Mount Target Count.
    For more information on resources see Compartment Quotas.

section 3Provision OAM on OCI Marketplace

  1. Access the OCI Marketplace.
  2. Search for the listing Oracle Access Management. Select the Oracle Access Management for Enterprise application.
  3. In the Oracle Access Management listing, check the Version Details show Version: 12.2.1.4.0.
  4. Launch the installation into your tenancy by selecting Get App.
  5. Select the OCI region and sign-in to your tenancy.
  6. In the upper right of the screen select the compartment where the OAM Instance will be deployed. Note: Do not select the default (root) compartment.
  7. Click Launch Stack.
  8. In the Stack Information screen, edit the Name as appropriate and add a Description if required and click Next.
  9. In the Configure Variables screen enter the variables as below:




    Name Value
    REGION The region should be the same as mentioned in the URL of the OCI console
    NODE_POOL_NODE_SHAPE Choose the shape for the node pool computes, for example VM.Standard.E2.2
    NUMBER_OF_NODES

    Two (2) or more. This will be the size of the node pool in the OKE cluster.

    As per the OCI Prerequisites section, make sure you check the availability of the compute resources in the Availability Domain chosen for the NODE_POOL_NODE_SHAPE. For example if you specify two (2) nodes make sure two (2) compute resources of the chosen VM Shape are available.
    BASTION_SHAPE Choose the shape for the bastion, for example:
    VM.Standard2.1

    As per the OCI Prerequisites section, make sure you check the availability of the compute resources in the Availability Domain chosen for the bastion node. Three (3) compute resources of the chosen VM Shape are required.
    AVAILABILITY DOMAIN The Availability Domain where OAM will be deployed
    OAM_DB_URL The connection string for host:port/servicename for the database service. If using a CDB based DB then make sure you use the PDB value determined earlier in the prerequisite section e.g.
    <ipaddress>:1521/pdb1.oimdb.ocik8
    OAM_DB_SYS_USER Name of the Database Admin User e.g. SYS
    OAM_DB_SYS_USER_PASSWORD Password of the Database Admin User
    OAM_RCU_SCHEMA_PREFIX

    Schema Prefix for RCU. This can be a value  of your choice e.g. OAM

    Ensure that this schema name is not already present in the DB.
    OAM_RCU_SCHEMA_PASSWORD Choose a complex password for the RCU Schema that meets the password criteria defined in your database
    OAM_WEBLOGIC_DOMAIN_USER WebLogic Admin User Name e.g. weblogic
    OAM_WEBLOGIC_DOMAIN_USER_PASSWORD Weblogic Admin Password

    The rest of the variables can remain as per their default values but make sure enough resources are available as per the OCI Prerequisites section.

    Once the variables are updated as per above, click Next.
  10. In the Review screen verify the configuration variables and select Create.

    This will trigger a job that will be displayed in the OCI console. The job will show as IN PROGRESS and in the Logs section at the bottom of the screen, details of the deployment progress are displayed. The job will take approximately 45 minutes to complete. Once the job is successful the job status will show SUCCEEDED.
  11. If the job fails with status FAILED, refer to the Troubleshooting section later in this tutorial.

section 4Connecting via SSH to the Bastion Host

To connect via SSH to the bastion host:

  1. Access the OCI console, and from the Navigation Menu select Resource Manager > Stacks.
  2. Select the relevant compartment from the drop down list. A list of stacks in the compartment will be displayed. Select the stack just created e.g. OAM.
  3. In the Jobs section click the View State link for the job.
  4. In the View State window search for the string ‘bastion_ip’ using the browser search (CTRL F). Note down the ipaddress, for example: bastion_ip": "X.X.X.X".
  5. In the same window search for ‘private_key_path’. Copy the value in between the quotes, and save to a file (cluster.key), for example:
    -----BEGIN RSA PRIVATE KEY-----\nXXXXXXXXXXXXYYYYYYYYYYYYYYPPPPPPPPPPP++YYYYY
    YYYYTTTTTTTTTTT\IIIIIIIIIhhhhjjuuuuuu/VVVuuuuuuuuuuu908888/zdS1UCdLr/Q2q9yd12
    etc.....................................................................
+Qjl5\nxOByCUtZ8TbRbQMgEA/6G6wzVQ+mjCPy0n0ykxhWaHVj22ytfxKtApNLjwhtlZm
    \npD58jI0CgYEAv3GvEcfVPg92KmN8OH+hSrkLzz22bemNqioRvKi2mXBwfk0xu0kK\nvTdjVqwbD
    lCeAhISJxXdsT3J83pyeaGm6TrxBwUptJ8SzlZgFptpJffE1acAq8m\nXd7RoF2rBqZ5HHYYYYYkl
    kkk90zedjxPoJW6XxC3ljingatsgJzAixIMSc8=\n-----END RSA PRIVATE KEY-----\n
  6. Issue the following command to convert remove the “\n” characters:
    $ sed -i 's/\\n/\n/g' cluster.key
    Note: Use Windows PowerShell to perform the above command if running on a Windows environment.

    Open the cluster.key file and validate the “\n” characters are removed.
  7. Connect to the bastion host using the cluster.key file:
    $ chmod 400 cluster.key
$ ssh -i cluster.key opc@<bastion_ip>
    Note: On Windows do not run chmod 400 in PowerShell. Change the properties of the file to read-only instead.

    The login should be successful.

section 5Validating the OAM Setup

In this section you confirm everything is running and can access the OAM consoles.

  1. Run the following commands in the bastion host to check everything in the OAM stack is running correctly: 
    $ kubectl get nodes
    If the cluster is up and running, the output should look similar to the following:
    NAME          STATUS      ROLES      AGE     VERSION 
10.0.10.2     Ready       node       23m     v1.15.7
10.0.10.3     Ready       node       24m     v1.15.7

    To check the pods are running:

    $ kubectl get pods -n accessns
    The output should look similar to the following:
    NAME                                                READY   STATUS      RESTARTS AGE
oamcluster-adminserver                                1/1   Running     0        15m
    oamcluster-create-fmw-infra-sample-domain-job-nctlq   0/1   Completed   0        18m
    oamcluster-oam-policy-mgr1                            1/1   Running     0        8m42s
    oamcluster-oam-server1                                1/1   Running     0        8m42s
    oamcluster-oam-server2                                1/1   Running     0        8m42s
    rcu                                                   1/1   Running     0        23m
    Note: It may take 5-10 minutes for all the pods to appear as above and be in READY 1/1 state. By default the AdminServer, two oam servers (oam-server1 and oam-server2 ) and one policy manager server (oam_policy_mgr) are started.

    To check the traefik load balancer status:
    $ kubectl get svc -n oamtraefik
    The output should look similar to the following:
    NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                AGE
traefik-operator             LoadBalancer   10.X.X.X       150.X.X.X   443:31830/TCP,80:31304/TCP   85m
traefik-operator-dashboard   ClusterIP      10.X.X.X       <none>      80/TCP                       85m
    Make note of the EXTERNAL-IP of the traefik-operator service. This public IP address is used to connect to Oracle Access Management and its associated consoles.

    Note: You can also find the public IP address of the load balancer by navigating to Networking > Load Balancers in the OCI console.

  2. Launch a browser, access the following URL’s and log in with the associated username and passwords:
    Console URL Login Details
    WebLogic Console http://<external-ip>/consoleweblogic/<password>
    Oracle Enterprise Manager Console* http://<external-ip>/em weblogic/<password>
    Oracle Access Management Console* http://<external-ip>/oamconsoleweblogic/<password>

    * Note: WebLogic Console and Oracle Enterprise Manager Console should only be used to monitor the servers in the OAM install. To control the AdminServer and OAM Managed Servers (start/stop) you must use kubectl commands. For more details see the tutorial Starting and Stopping OAM using kubectl.

section 6Layout of Resources Created in OCI for the OAM Stack

This section provides details on how you can view the resources created in OCI for the OAM Stack.

  1. To see the list of resources created in OCI for the OAM stack, access the OCI console and from the Navigation Menu select Resource Manager > Stacks > Stack_Name >Stack Details > Job_Name > Job Details > Associated Resources.
  2. To see the Virtual Machines created while using the OAM stack, from the Navigation Menu select Compute > Instances.
  3. The following table shows the mapping of OCI resources to VCN and Subnets:

    Input VM Shapes

    Resources

    VCN

    Subnets

    NODE_POOL_NODE_SHAPE

    2 Kubernetes worker nodes(VM)

    tfVcnForClusters

    tfRegionalSubnetForNodePool

     

    BASTION_SHAPE

    1 monitoringnode(VM)

    1 oke-bastion(VM)

    oke-oke vcn

    oke-bastion

    1 mountnode
    (This is where the FS is mounted) (VM)

    tfVcnForClusters

     tflbRegionalSubNet

    N/A

    1 Load Balancer (Default 100 MBPS)*

    tfVcnForClusters

    tflbRegionalSubNet

    The Resource, VCN, and Subnets names assume the default values were not changed during the OAM provisioning configuration.

    * Note: The Load Balancer is HTTP only


    The following diagram outlines the OAM OCI Resources:


    Description of layout.jpg follows
    Description of the illustration layout.jpg

section 7Troubleshooting

To troubleshoot a failed OAM deployment:

  1. Revisit the Database Prerequisites section and make sure all prerequisites have been followed. Test that a connection to the database can be made via the PDB connect string in SQL*Plus or similar client tool.
  2. Revisit the OCI Prerequisites section and make sure all steps have been followed and enough resources are available.
  3. Delete the failed deployment by following the section Deleting the OAM Stack.
  4. Retry the deployment by following the section Provision OAM on OCI Marketplace.
  5. In case further debugging is required check the following:

    Note: Some of the steps below may not be possible depending at what stage the deployment failed.

    1. In the Job that failed, view the Logs section at the bottom of the screen.
    2. Connect to the bastion host as per the section Connecting via SSH to the Bastion Host and in $HOME view the idmcli.log.
    3. To view logs for an individual pod, run the following on the bastion host to list the pods: 
      kubectl get pods -n accessns
      Run the following command to view the log for the desired pod: 
      kubectl logs <pod> -n accessns
    4. To view the OAM Domain logs run the following on the bastion host: 
      kubectl -n accessns exec -it oamcluster-adminserver bash
      This will take you into a bash shell inside the oamcluster-adminserver pod. From here you can navigate to the logs directory and look at the OAM server logs: 
      [oracle@oamcluster-adminserver oamcluster]$ cd /u01/oracle/user_projects/domains/logs/oamcluster
[oracle@oamcluster-adminserver oamcluster]$ ls *.log *.out
      AdminServer.log               introspector_nodemanager.out     oam_server1.log              oam_server2.out
      AdminServer.out               oam_policy_mgr1.log              oam_server1.out              oam_server2_nodemanager.log
      AdminServer_nodemanager.log   oam_policy_mgr1.out              oam_server1_nodemanager.log  oam_server2_nodemanager.out
      AdminServer_nodemanager.out   oam_policy_mgr1_nodemanager.log  oam_server1_nodemanager.out  oamcluster.log
      introspector_nodemanager.log  oam_policy_mgr1_nodemanager.out  oam_server2.log
      [oracle@oamcluster-adminserver oamcluster]$

section 8Deleting the OAM Stack

If you need to delete the OAM stack, or if you need to clean up from a failed deployment, perform the following operations:

Note: If cleaning up a failed deployment step 1 and 2 may not be possible if the deployment failed before creating the bastion host. If this is the case, go direct to step 3.

  1. Connect via SSH to the bastion host as per the section Connecting via SSH to the Bastion Host.
  2. Run the following command to delete the OAM OCI components:
    $ ./idmcli_unix install oam oamk8s --config config/idmcli.yaml -d
    The output will look similar to the following:
    Using config file: config/idmcli.yaml
    Task ➡ Prereq Validations: ✅
    Task ➡ Delete Ingress: ✅
    Task ➡ Delete Trafeik Chart: ✅
    Task ➡ Delete Domain Dir: ❌
    Task ➡ Delete Domain Credentials: ❌
    Task ➡ Delete Domain CRD: ✅
    Task ➡ Delete Operator Chart: ✅
    Task ➡ Delete PV: ✅
    Task ➡ Delete Operator Namespace: ✅
    Task ➡ Delete Domain Namespace: ✅
    Task ➡ Delete Traefik Namespace: ❌
    3. Note: This will also delete the RCU Schema from the database.

  3. Access the OCI console and from the Navigation Menu select Resource Manager > Stacks. Click the OAM stack to delete.
  4. In the OAM stack page select the Terraform Actions drop down menu and then Destroy. A Destroy job will be created and run.
  5. Once the job has completed successfully, click on Stack Details and select Delete Stack.
  6. Ensure that clusters are deleted by navigating to Developer Services > Container Clusters. If not, manually delete the clusters.
  7. When the clusters are terminated, the instances should also be automatically terminated. Navigate to Compute > Instances and check the instances are deleted. If not deleted, terminate those manually.
  8. Check the load balancer and file storage by navigating to Network > Load Balancers. If resources still exist, manually terminate them.
  9. Check the VCN’s are destroyed by clicking on the Virtual Cloud Network link on the same page. If not destroyed, then manually terminate the VCNs. If there are problems terminating the VCN’s then follow the Troubleshooting section Subnet or VCN Deletion.
  10. Check if the Identity Policies are removed by navigating to Identity > Policies. If not destroyed then delete manually.
  11. On the same page click the Dynamic Groups link and check the Dynamic Groups are removed. If not destroyed then delete manually.
  12. When the above steps are completed, wait a few minutes to ensure all resources are cleaned up. Then check the limits to ensure those resources are now free by navigating to Governance > Limits, Quota and Usage.

next stepNext Tutorial

Validating a Basic SSO Flow using WebGate

more informationWant to Learn More?

Cloud Infrastructure MarketPlace
Oracle Access Management

feedbackFeedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.