Before you create the initial Infrastructure domain, be sure to review the following key concepts.
You create the initial Infrastructure domain for an enterprise deployment using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.
The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies required to support the Oracle Fusion Middleware products.
Later in this guide, you can then extend the domain to support the Oracle Fusion Middleware products required for your enterprise deployment.
For more information, see "Understanding Oracle Fusion Middleware Infrastructure" in Understanding Oracle Fusion Middleware.
The following table lists some of the key characteristics of the domain you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures used to configure the domain.
Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.
| Characteristic of the Domain | More Information |
|---|---|
| Uses a separate virtual IP (VIP) address for the Administration Server. | Configuration of the Administration Server and Managed Servers Domain Directories |
| Uses separate domain directories for the Administration Server and the Managed Servers in the domain. | Configuration of the Administration Server and Managed Servers Domain Directories |
| Includes a dedicated cluster for Oracle Web Services Manager | |
| Uses a per host Node Manager configuration. | About the Node Manager Configuration in a Typical Enterprise Deployment |
| Requires a separately installed LDAP-based authentication provider. | Understanding OPSS and Requests to the Authentication and Authorization Stores |
As you perform the tasks in this chapter, you will be referencing the directory variables listed in this section.
These directory variables are defined in File System and Directory Variables Used in This Guide.
ORACLE_HOME
ASERVER_HOME
MSERVER_HOME
APPLICATION_HOME
JAVA_HOME
NM_HOME
In addition, you'll be referencing the following virtual IP (VIP) addresses and host names defined in Physical and Virtual IP Addresses Required by the Enterprise Topology:
ADMINHOST
SOAHOST1
SOAHOST2
DBHOST1
DBHOST2
SCAN Address for the Oracle RAC Database (DB-SCAN.example.com)
Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for an enterprise deployment.
Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system. See the following sections for more information:
To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:
http://www.oracle.com/technetwork/java/index.html
Be sure to navigate to the download for the Java SE JDK.
Install the JDK in the following locations:
On the shared storage device, where it will be accessible from each of the application tier host computers. Install the JDK in the /u01/oracle/products/jdk directory.
On the local storage device for each of the Web tier host computers.
The Web tier host computers, which reside in the DMZ, do not necessarily have access to the shared storage on the application tier.
For more information about the recommended location for the JDK software, see Understanding the Recommended Directory Structure for an Enterprise Deployment.
The following example describes how to install a recent version of JDK 1.8.0_101.
To start the installation program, perform the following steps.
When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.
The installation program displays a series of screens, in the order listed in the following table.
If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.
Table 10-1 Navigating the Infrastructure Installation Screens

| Screen | Description |
|---|---|
| | On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location. For more information about the central inventory, see Understanding the Oracle Central Inventory in Oracle Fusion Middleware Installing Software with the Oracle Universal Installer. |
| | This screen introduces you to the product installer. |
| | Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you’ve already downloaded for your organization. |
| | Use this screen to specify the location of your Oracle home directory. For the purposes of an enterprise deployment, enter the value of the ORACLE_HOME variable listed in Table 7-2. |
| | Use this screen to select the type of installation and, as a consequence, the products and feature sets you want to install. For this topology, select Fusion Middleware Infrastructure. Note: The topology in this document does not include server examples. Oracle strongly recommends that you do not install the examples into a production environment. |
| | This screen verifies that your system meets the minimum requirements. If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN). |
| | If you already have an Oracle Support account, use this screen to indicate how you would like to receive security updates. If you do not have one and are sure that you want to skip this step, clear the check box and verify your selection in the follow-up dialog box. |
| | Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation. For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Oracle Fusion Middleware Installing Software with the Oracle Universal Installer. |
| | This screen allows you to see the progress of the installation. |
| | This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer. |
If you have configured a separate shared storage volume or partition for SOAHOST2, then you must also install the Infrastructure on SOAHOST2.
For more information, see Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.
To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Infrastructure Installer on SOAHOST1 and Navigating the Infrastructure Installation Screens to create the Oracle home on the appropriate storage device.
Note:
In previous releases, the recommended enterprise topology included a colocated set of Oracle HTTP Server instances. In those releases, there was a requirement to install the Infrastructure on the Web Tier hosts (WEBHOST1 and WEBHOST2). However, for this release, the enterprise deployment topology assumes that the Web servers are installed and configured in standalone mode, so they are not considered part of the application tier domain. For more information, see Configuring Oracle HTTP Server for an Enterprise Deployment.
After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options you selected during the installation.
To check the directory structure:
Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.
Metadata Services (MDS)
Audit Services (IAU)
Audit Services Append (IAU_APPEND)
Audit Services Viewer (IAU_VIEWER)
Oracle Platform Security Services (OPSS)
User Messaging Service (UMS)
WebLogic Services (WLS)
Common Infrastructure Services (STB)
Use the Repository Creation Utility (RCU) to create the schemas. This utility is installed in the Oracle home for each Oracle Fusion Middleware product. For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.
Complete the following steps to install the required schemas:
Make sure you have installed and configured a certified database, and that the database is up and running.
For more information, see Preparing the Database for an Enterprise Deployment.
To start the Repository Creation Utility (RCU):
Follow the instructions in this section to create the schemas for the Fusion Middleware Infrastructure domain:
Review the Welcome screen and verify the version number for RCU. Click Next to begin.
If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.
If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option will generate a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.
Tip:
For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.
On the Database Connection Details screen, provide the database connection details for RCU to connect to your database.
In the Host Name field, enter the SCAN address of the Oracle RAC Database.
Click Next to proceed, then click OK in the dialog window confirming that connection to the database was successful.
Tip:
For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.
Specify the custom prefix you want to use to identify the Oracle Fusion Middleware schemas.
The custom prefix is used to logically group these schemas together for use in this domain. For the purposes of this guide, use the prefix FMW12212.
Tip:
Make a note of the custom prefix you choose to enter here; you will need this later, during the domain creation process.
For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.
Select AS Common Schemas.
When you select AS Common Schemas, all of the schemas in this section are automatically selected.
If the schemas in this section are not automatically selected, then select the required schemas.
A schema called Common Infrastructure Services is also automatically created; this schema is grayed out and cannot be selected or deselected. This schema (the STB schema) enables you to retrieve information from RCU during domain configuration. For more information, see Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.
Tip:
For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.
Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.
Specify how you want to set the schema passwords on your database, then specify and confirm your passwords.
Tip:
You must make a note of the passwords you set on this screen; you will need them later on during the domain creation process.
Navigate through the remainder of the RCU screens to complete schema creation.
For the purposes of this guide, you can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.
Note:
You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the WLS Services component tablespace. Depending on the environment load, you can change the default size of the <PREFIX>_WLS tablespace.
For more information about RCU and its features and concepts, see About the Repository Creation Utility in Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.
When you reach the Completion Summary screen, click Close to dismiss RCU.
The following topics provide instructions for creating a WebLogic Server domain using the Fusion Middleware Configuration wizard.
For more information on other methods available for domain creation, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.
To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home on SOAHOST1.
ORACLE_HOME/oracle_common/common/bin/config.sh
Follow the instructions in the following sections to create and configure the domain for the topology, with static clusters.
Follow the instructions in this section to create and configure the domain for the topology.
Domain creation and configuration includes the following tasks.
Task 1, "Selecting the Domain Type and Domain Home Location"
Task 8, "Providing the GridLink Oracle RAC Database Connection Details"
Task 11, "Configuring the Administration Server Listen Address"
Task 24, "Reviewing Your Configuration Specifications and Configuring the Domain"
Task 25, "Writing Down Your Domain Home and Administration Server URL"
On the Configuration Type screen, select Create a new domain.
In the Domain Location field, specify the value of the ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.
Tip:
For more information about the other options on this screen of the Configuration Wizard, see Configuration Type in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:
Oracle Enterprise Manager - 12.2.1.2.0 [em]
Selecting this template automatically selects the following dependencies:
Oracle JRF - 12.2.1.2 [oracle_common]
WebLogic Coherence Cluster Extension - 12.2.1.2 [wlserver]
Oracle WSM Policy Manager - 12.2.1.2.0 [oracle_common]
Tip:
More information about the options on this screen can be found in Templates in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.
Tip:
More information about the options on this screen can be found in Application Location in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
On the Administrator Account screen, specify the user name and password for the default WebLogic Administrator account for the domain.
Make a note of the user name and password specified on this screen; you will need these credentials later to boot and connect to the domain's Administration Server.
On the Domain Mode and JDK screen:
Select Production in the Domain Mode field.
Select the Oracle Hotspot JDK in the JDK field.
Selecting Production Mode on this screen gives your environment a higher degree of security, requiring a user name and password to deploy applications and to start the Administration Server.
Tip:
More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
In production mode, a boot identity file can be created to bypass the need to provide a user name and password when starting the Administration Server. For more information, see Creating the boot.properties File.
Select RCU Data to activate the fields on this screen.
The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.
Note:
If you choose to select Manual Configuration on this screen, you will have to manually fill in the parameters for your schema on the JDBC Component Schema screen.
After selecting RCU Data, fill in the fields as shown in the following table.
| Field | Description |
|---|---|
| DBMS/Service | Enter the service name for the Oracle RAC database where you will install the product schemas. For example: orcl.example.com. Specify the service name that you created for the application you are deploying. Do not use the default database service name. For more information, see Preparing the Database for an Enterprise Deployment. |
| Host Name | Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook. |
| Port | Enter the port number on which the database listens. For example, |
| Schema Owner / Schema Password | Enter the user name and password for connecting to the database's Service Table schema. This is the schema user name and password that was specified for the Service Table component on the "Schema Passwords" screen in RCU (see Creating the Database Schemas). The default user name is |
Click Get RCU Configuration when you are finished specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:
Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK
Successfully Done.
Click Next if the connection to the database is successful.
Tip:
More information about the RCU Data option can be found in Understanding the Service Table Schema in Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.
More information about the other options on this screen can be found in Datasource Defaults in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Verify that the values on the JDBC Component Schema screen are correct for all schemas.
The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.
At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.
In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the Oracle Fusion Middleware High Availability Guide.
To convert the data sources to GridLink:
Select all the schemas by selecting the check box in the first header row of the schema table.
Click Convert to GridLink and click Next.
On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown in following table.
| Element | Description and Recommended Value |
|---|---|
| SCAN, Host Name, and Port | Select the SCAN check box. In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database. In the Port field, enter the SCAN listening port for the database (for example, |
| ONS Host and Port | In the ONS Host field, enter the SCAN address for the Oracle RAC database. In the Port field, enter the ONS Remote port (typically, |
| Enable Fan | Verify that the Enable Fan check box is selected, so the database can receive and process FAN events. |
For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the Oracle Fusion Middleware High Availability Guide.
You can also click Help to display a brief description of each field on the screen.
Use the JDBC Component Schema Test screen to test the data source connections you have just configured.
A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.
Tip:
More information about the other options on this screen can be found in Test Component Schema in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:
Administration Server
This is required to properly configure the listen address of the Administration Server.
Node Manager
This is required to configure Node Manager.
Topology
This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.
File Store
This is required to configure the appropriate shared storage for JMS persistent stores.
Note:
When using the Advanced Configuration screen in the Configuration Wizard:
If any of the above options are not available on the screen, then return to the Templates screen, and be sure you selected the required templates for this topology.
Do not select the Domain Frontend Host Capture advanced configuration option. You will later configure the frontend host property for specific clusters, rather than for the domain.
On the Administration Server screen:
In the Server Name field, retain the default value - AdminServer.
In the Listen Address field, enter the virtual host name that corresponds to the VIP of the ADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.
For more information on the reasons for using the ADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.
Leave the other fields at their default values.
In particular, be sure that no server groups are assigned to the Administration Server.
Select Manual Node Manager Setup as the Node Manager type.
Tip:
For more information about the options on this screen, see Node Manager in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.
For additional information, see Configuring Node Manager on Multiple Machines in Oracle Fusion Middleware Administering Node Manager for Oracle WebLogic Server.
Use the Managed Servers screen to create two new Managed Servers:
Click the Add button to create a new Managed Server.
Specify WLS_WSM1 in the Server name column.
In the Listen Address column, enter SOAHOST1.
Be sure to enter the host name that corresponds to SOAHOST1; do not use the IP address.
In the Listen Port column, enter 7010.
In the Server Groups drop-down list, select JRF-MAN-SVR and WSMPM-MAN-SVR.
These server groups ensure that the Oracle JRF and Oracle Web Services Manager (OWSM) services are targeted to the Managed Servers you are creating.
Server groups target Fusion Middleware applications and services to one or more servers by mapping defined groups of application services to each defined server group. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. For more information, see Application Service Groups, Server Groups, and Application Service Mappings in Oracle Fusion Middleware Domain Template Reference.
Note:
Nonce caching for Oracle Web Services is initialized automatically by the WSM-CACHE-SVR server group and is suitable for most custom applications. This initialization is automatically performed in SOA, OSB and other FMW servers that run JRF and create a coherence cluster. Nonce is a unique number that can be used only once in a SOAP request and is used to prevent replay attacks. Nonce caching will naturally scale with the number of added Managed Servers running Web service applications.
For advanced caching configurations, see Caching the Nonce with Oracle Coherence in Oracle Fusion Middleware Securing Web Services and Managing Policies with Oracle Web Services Manager, which provides additional guidance for the use of nonce caching and the WSM-CACHE-SVR server-group in custom WLS servers.
Repeat this process to create a second Managed Server named WLS_WSM2.
For the Listen Address, enter SOAHOST2. For the Listen Port, enter 7010. Apply the same server groups you applied to the first Managed Server to WLS_WSM2.
The Managed Server names suggested in this procedure (WLS_WSM1 and WLS_WSM2) will be referenced throughout this document; if you choose different names then be sure to replace them as needed.
Tip:
More information about the options on this screen can be found in Managed Servers in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Use the Clusters screen to create a new cluster:
Click the Add button.
Specify WSM-PM_Cluster in the Cluster Name field.
From the Dynamic Server Groups drop-down list, select Unspecified.
Tips:
For more information about the options on this screen, see Clusters in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Click Next to continue.
Confirm that the Dynamic Cluster, Calculated Listen Port, and Calculated Machine Names checkboxes on this screen are unchecked.
Confirm the Server Template selection is Unspecified.
Click Next.
Use the Assign Servers to Clusters screen to assign WLS_WSM1 and WLS_WSM2 to the new cluster WSM-PM_Cluster:
In the Clusters pane, select the cluster to which you want to assign the servers; in this case, WSM-PM_Cluster.
In the Servers pane, assign WLS_WSM1 to WSM-PM_Cluster by doing one of the following:
Click once on WLS_WSM1 to select it, then click on the right arrow to move it beneath the selected cluster (WSM-PM_Cluster) in the Clusters pane.
OR
Double-click on WLS_WSM1 to move it beneath the selected cluster (WSM-PM_Cluster) in the Clusters pane.
Repeat these steps to assign the WLS_WSM2 Managed Server to the WSM-PM_Cluster.
Tip:
More information about the options on this screen can be found in Assign Servers to Clusters in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.
In the Cluster Listen Port, enter 9991.
Note:
For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.
Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.
Select the Unix Machine tab.
Click the Add button to create new UNIX machines.
Use the values in Table 10-2 to define the Name and Node Manager Listen Address of each machine.
Verify the port in the Node Manager Listen Port field.
The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number as needed.
Table 10-2 Values to Use When Creating Unix Machines

| Name | Node Manager Listen Address | Node Manager Listen Port |
|---|---|---|
| ADMINHOST | Enter the value of the ADMINVHN variable. | 5556 |
| SOAHOST1 | The value of the SOAHOST1 host name variable. For example, | 5556 |
| SOAHOST2 | The value of the SOAHOST2 host name variable. For example, | 5556 |
Tip:
More information about the options on this screen can be found in Machines in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Use the Assign Servers to Machines screen to assign any statically defined managed servers to the appropriate machines.
The Assign Servers to Machines screen is similar to the Assign Managed Servers to Clusters screen. Select the target machine in the Machines column, select the server name in the left column, and click the right arrow to assign the server to the appropriate machine.
Assign the servers as follows:
Assign the AdminServer to the ADMINHOST machine.
Assign the WLS_WSM1 Managed Server to the SOAHOST1 machine.
Assign the WLS_WSM2 Managed Server to the SOAHOST2 machine.
Tip:
More information about the options on this screen can be found in Assign Servers to Machines in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Click Next.
Click Next.
When you configure the infrastructure domain by using the Oracle WSM Policy Manager configuration template, only the MDS OWSM file store is created. This file store is used only in development mode. Retain the default value and click Next to continue.
Note:
You do not need to customize the MDS file store locations. They are used only in development mode. In the production environments, MDS is persisted in the database.
The Configuration Summary screen contains the detailed configuration information for the domain you are about to create. Review the details of each item on the screen and verify that the information is correct.
You can go back to any previous screen if you need to make any changes, either by using the Back button or by selecting the screen in the navigation pane.
Domain creation will not begin until you click Create.
Tip:
More information about the options on this screen can be found in Configuration Summary in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
The Configuration Success screen will show the following items about the domain you just configured:
Domain Location
Administration Server URL
You must make a note of both items as you will need them later; the domain location is needed to access the scripts used to start the Administration Server.
Click Finish to dismiss the Configuration Wizard.
For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager.
For more information about the advantages of a per host Node Manager, see About the Node Manager Configuration in a Typical Enterprise Deployment.
The first step in configuring a per-host Node Manager is to create a configuration directory and two new Node Manager configuration files. You must also edit the default startNodeManager.sh file.
To create a per-host Node Manager configuration, perform the following tasks, first on SOAHOST1, and then on SOAHOST2:
Example 10-1 Contents of the nodemanager.properties File
DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1.2.0
AuthenticationEnabled=true
NodeManagerHome=/u02/oracle/config/nodemanager
#Include the specific JDK home
JavaHome=/u01/oracle/products/jdk
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.sh
#Leave blank for listening on ANY
ListenAddress=
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
SecureListener=false
LogCount=1
StopScriptEnabled=false
QuitEnabled=false
LogAppend=true
StateCheckInterval=500
CrashRecoveryEnabled=true
StartScriptEnabled=true
LogFile=/u02/oracle/config/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50
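The following Python script is an added example (not part of the Oracle guide and not Node Manager tooling). It parses a nodemanager.properties file in the format of Example 10-1 and derives from it the listener type that a later WLST nmConnect() call must use (PLAIN when SecureListener=false, as this configuration sets it), together with a short review of the settings that determine how the listener is exposed. The sample file contents are constructed from the values shown in the example; the function names and the review messages are my own.

```python
"""Read a per-host nodemanager.properties file and derive what an operator
needs before connecting to it. Added example; not Oracle code."""

# Constructed sample, modeled on Example 10-1 (paths and values as shown there).
SAMPLE_PROPERTIES = """\
DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=12.2.1.2.0
AuthenticationEnabled=true
NodeManagerHome=/u02/oracle/config/nodemanager
#Include the specific JDK home
JavaHome=/u01/oracle/products/jdk
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.sh
#Leave blank for listening on ANY
ListenAddress=
NativeVersionEnabled=true
ListenPort=5556
SecureListener=false
StartScriptEnabled=true
"""


def parse_node_manager_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, empty values kept."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def nm_connect_type(props):
    """The nmConnect() connection type matching the listener: 'SSL' when
    SecureListener is true (the Node Manager default when the key is absent),
    otherwise 'PLAIN'."""
    secure = props.get("SecureListener", "true").strip().lower() == "true"
    return "SSL" if secure else "PLAIN"


def review_settings(props):
    """(key, note) pairs for settings that affect how the listener is exposed;
    an empty list means nothing to flag."""
    notes = []
    if nm_connect_type(props) == "PLAIN":
        notes.append(("SecureListener",
                      "plain-text listener; each machine's Node Manager type must be Plain"))
    if props.get("ListenAddress", "") == "":
        notes.append(("ListenAddress",
                      "blank: Node Manager listens on every interface of the host"))
    if props.get("AuthenticationEnabled", "").strip().lower() != "true":
        notes.append(("AuthenticationEnabled",
                      "not true: Node Manager connections are not authenticated"))
    return notes


def nm_connect_args(props, admin_host, domain_name, domain_home):
    """Positional arguments (host, port, domain, home, type) for WLST nmConnect(),
    credentials omitted. admin_host, domain_name and domain_home are caller supplied."""
    return (admin_host, props.get("ListenPort", "5556"), domain_name,
            domain_home, nm_connect_type(props))


if __name__ == "__main__":
    p = parse_node_manager_properties(SAMPLE_PROPERTIES)
    print("nmConnect type:", nm_connect_type(p))
    for key, note in review_settings(p):
        print("%s: %s" % (key, note))
```

Run against the real file on each host before the first nmConnect(): the returned type must agree with the Machine communication type set on every machine in the domain, otherwise the Administration Server cannot reach Node Manager.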
You must create a boot.properties file if you want to start the Administration Server without being prompted for the Administration Server credentials. This step is required in an enterprise deployment. The credentials you enter in this file are encrypted when you start the Administration Server.
To create a boot.properties file for the Administration Server:
After you manually set up the Node Manager to use a per-host Node Manager configuration, you can start the Node Manager on SOAHOST1, using the startNodeManager.sh script.
By default, a per-host Node Manager configuration does not use Secure Socket Layer (SSL) for Node Manager-to-server communications. As a result, you must configure each machine in the domain to use a communication type of “plain,” rather than SSL. In addition, you have to set the Node Manager credentials so you can connect to the Administration Server and Managed Servers in the domain.
The following procedure temporarily starts the Administration Server with the default start script, so you can perform these tasks. After you perform these tasks, you can stop this temporary session and use the Node Manager to start the Administration Server.
After the domain is created and the node manager is configured, you can then configure the additional domain directories and start the Administration Server and the Managed Servers on SOAHOST1.
After you have configured the domain and configured the Node Manager, you can start the Administration Server, using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.
To start the Administration Server using the Node Manager:
Before proceeding with the configuration steps, validate that the Administration Server has started successfully by making sure you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, both of which are installed and configured on the Administration Server.
To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:
ADMINVHN:7001/em
To navigate to the Oracle WebLogic Server Administration Console, enter the following URL, and log in with the same administration credentials:
ADMINVHN:7001/console
When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory will be used to run the Administration Server. You can now create a copy of the domain on the local storage for both SOAHOST1 and SOAHOST2. The domain directory on the local (or private) storage will be used to run the Managed Servers.
Placing the MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. It is also faster to load classes and JARs needed from the domain directory, so any temporary or cache data that Managed Servers use from the domain directory is processed more quickly.
As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the MSERVER_HOME variable.
To create the Managed Server domain directory:
After you start and validate the Administration Server and WLS_WSM1 Managed Server on SOAHOST1, you can then perform the following tasks on SOAHOST2.
This procedure assumes you have copied the file that you created earlier to a location that is accessible from both SOAHOST1 and SOAHOST2, such as the ASERVER_HOME directory, which is located on the shared storage filer:
Use the procedure in Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1 to start and validate the WLS_WSM2 Managed Server on SOAHOST2.
After configuring the domain and unpacking it to the Managed Server domain directories on all the hosts, verify and update the upload and stage directories for Managed Servers in the new clusters.
This step is necessary to avoid potential issues when performing remote deployments and for deployments that require the stage mode.
To update these directory paths for all the Managed Servers in the Managed Server domain home directory:
Log in to the Oracle WebLogic Server Administration Console.
In the left navigation tree, expand Domain, and then Environment.
Click Lock & Edit.
Navigate to and edit the appropriate objects for your cluster type.
For Static Clusters, navigate to Servers and click on the name of the Managed Server to be edited.
Click the Configuration tab, and then click the Deployment tab.
Verify that the Staging Directory Name is set to the following:
MSERVER_HOME/servers/server_or_template_name/stage
Replace MSERVER_HOME with the directory path for the MSERVER_HOME directory. If you are using static clusters, also replace server_or_template_name with the name of the Managed Server you are editing.
Update the Upload Directory Name to the following value:
ASERVER_HOME/servers/AdminServer/upload
Replace ASERVER_HOME with the directory path for the ASERVER_HOME directory.
Click Save.
Return to the Summary of Servers or Summary of Server Templates screen as applicable.
When you have modified all of the appropriate objects, click Activate Changes.
Restart all Managed Servers affected by these changes.
When you configure an Oracle Fusion Middleware domain, the domain is configured by default to use the WebLogic Server authentication provider (DefaultAuthenticator). However, for an enterprise deployment, Oracle recommends that you use a dedicated, centralized LDAP-compliant authentication provider.
The following topics describe how to use the Oracle WebLogic Server Administration Console to create a new authentication provider for the enterprise deployment domain. This procedure assumes you have already installed and configured a supported LDAP directory, such as Oracle Unified Directory or Oracle Internet Directory.
Oracle Fusion Middleware supports a variety of LDAP authentication providers. For more information, see Identity Store Types and WebLogic Authenticators in Securing Applications with Oracle Platform Security Services.
The instructions in this guide assume you will be using one of the following providers:
Oracle Unified Directory
Oracle Internet Directory
Oracle Virtual Directory
Note:
By default, the instructions here describe how to configure the identity service instance to support querying against a single LDAP identity store with an unencrypted connection.
If the connection to your identity provider has to be secured through SSL, then additional keystore configuration is required for role management in the Enterprise Manager Fusion Middleware Control to function correctly. For additional configuration information, see Doc ID 1670789.1 at support.oracle.com.
Also, you can configure the service to support a virtualized identity store, which queries multiple LDAP identity stores, by using LibOVD.
For more information about configuring a Multi-LDAP lookup, refer to Configuring the Identity Store Service in Securing Applications with Oracle Platform Security Services.
The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.
When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.
Such an approach is not recommended. Instead, it is a best practice to assign a unique distinguished name (DN) within the directory tree for the users and groups you provision for the administration of your Oracle Fusion Middleware domains.
For example, if you plan to install and configure an Oracle SOA Suite enterprise deployment domain, then create a user called weblogic_soa and an administration group called SOA Administrators.
Oracle recommends that you create a separate domain connector user (for example, soaLDAP) in your LDAP directory. This user allows the domain to connect to the LDAP directory for the purposes of user authentication. It is recommended that this user be a non-administrative user.
In a typical Oracle Identity and Access Management deployment, you create this user in the systemids container. This container is used for system users that are not normally visible to users. Placing the user into the systemids container ensures that customers who have Oracle Identity Manager do not reconcile this user.
After you configure a central LDAP directory to be the authenticator for the enterprise domain, then you should add all new users to the new authenticator and not to the default WebLogic Server authenticator.
To add new users to the central LDAP directory, you cannot use the WebLogic Administration Console. Instead, you must use the appropriate LDAP modification tools, such as ldapbrowser or JXplorer.
When you are using multiple authenticators (a requirement for an enterprise deployment), login and authentication will work, but role retrieval will not. The role is retrieved from the first authenticator only. If you want to retrieve roles using any other authenticator, then you must enable virtualization for the domain.
To enable virtualization:
Locate and open the following configuration file with a text editor:
ASERVER_HOME/config/fmwconfig/jps-config.xml
Find the following section:
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
Add the following line under the serviceInstance
section or update the virtualize property as follows:
<property name="virtualize" value="true"/>
For more information about the virtualize property, see OPSS System and Configuration Properties in Securing Applications with Oracle Platform Security Services.
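As an added example (not Oracle's tooling), the following Python script makes the virtualize edit idempotently with the standard library: it finds the idstore.ldap serviceInstance, adds the property if it is missing, updates it if it is already present, and can verify the result before and after. The jps-config.xml fragment embedded in it is a constructed minimal sample; a real file contains many more elements and declares a default XML namespace, which would have to be included in the element names passed to find().

```python
"""Enable or verify the OPSS 'virtualize' property on the idstore.ldap service
instance in jps-config.xml. Added example; not Oracle code."""
import xml.etree.ElementTree as ET

# Constructed minimal fragment (no namespace) with the elements this edit touches.
SAMPLE_JPS_CONFIG = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.type" value="OUD"/>
      <property name="ldap.url" value="ldap://oudhost.example.com:1389"/>
    </serviceInstance>
    <serviceInstance name="credstore.db" provider="credstore.db.provider"/>
  </serviceInstances>
</jpsConfig>
"""

IDSTORE_XPATH = ".//serviceInstance[@name='idstore.ldap']"
VIRTUALIZE_XPATH = "property[@name='virtualize']"


def _idstore(root):
    """The idstore.ldap serviceInstance element, or a clear error if absent."""
    inst = root.find(IDSTORE_XPATH)
    if inst is None:
        raise ValueError("serviceInstance name='idstore.ldap' not found")
    return inst


def virtualize_enabled(xml_text):
    """True only when idstore.ldap carries <property name="virtualize" value="true"/>."""
    prop = _idstore(ET.fromstring(xml_text)).find(VIRTUALIZE_XPATH)
    return prop is not None and prop.get("value", "").strip().lower() == "true"


def set_virtualize(xml_text):
    """Return the document with virtualize=true on idstore.ldap: the property is
    added when missing and updated in place when present, never duplicated."""
    root = ET.fromstring(xml_text)
    inst = _idstore(root)
    prop = inst.find(VIRTUALIZE_XPATH)
    if prop is None:
        prop = ET.SubElement(inst, "property", name="virtualize")
    prop.set("value", "true")
    return ET.tostring(root, encoding="unicode")


def count_virtualize_properties(xml_text):
    """How many virtualize properties idstore.ldap carries (must be exactly one after the edit)."""
    return len(_idstore(ET.fromstring(xml_text)).findall(VIRTUALIZE_XPATH))


if __name__ == "__main__":
    before = virtualize_enabled(SAMPLE_JPS_CONFIG)
    updated = set_virtualize(SAMPLE_JPS_CONFIG)
    print("virtualize before: %s, after: %s" % (before, virtualize_enabled(updated)))
```

Back up ASERVER_HOME/config/fmwconfig/jps-config.xml before writing the result back, as the next section also recommends, and re-run virtualize_enabled() on the saved file to confirm the change took effect.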
Each Oracle Fusion Middleware product implements its own predefined roles and groups for administration and monitoring.
As a result, as you extend the domain to add additional products, you can add these product-specific roles to the SOA Administrators group. After they are added to the SOA Administrators group, each product administrator user can administer the domain with the same set of privileges for performing administration tasks.
Instructions for adding additional roles to the SOA Administrators group are provided in Common Configuration and Management Tasks for an Enterprise Deployment.
In this guide, the examples assume that you provision the following administration user and group with the DNs shown below:
Admin User DN:
cn=weblogic_soa,cn=users,dc=example,dc=com
Admin Group DN:
cn=SOA Administrators,cn=groups,dc=example,dc=com
Domain Connector User DN:
cn=soaLDAP,cn=systemids,dc=example,dc=com
This is the user you will use to connect WebLogic Managed Servers to the LDAP authentication provider. This user must have permissions to read and write to the following directory trees:
cn=users,dc=example,dc=com
cn=groups,dc=example,dc=com
Note:
When using Oracle Unified Directory, this user will need to be granted membership in the following groups to provide read and write access:
cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com
Before you create a new LDAP authentication provider, back up the relevant configuration files:
ASERVER_HOME/config/config.xml
ASERVER_HOME/config/fmwconfig/jps-config.xml
ASERVER_HOME/config/fmwconfig/system-jazn-data.xml
In addition, back up the boot.properties file for the Administration Server in the following directory:
ASERVER_HOME/servers/AdminServer/security
This example shows how to create a user called soaLDAP in the central LDAP directory.
To provision the user in the LDAP provider:
Create an ldif file named domain_user.ldif with the contents shown below and then save the file:
dn: cn=soaLDAP,cn=systemids,dc=example,dc=com
changetype: add
orclsamaccountname: soaLDAP
userpassword: password
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: soaLDAP@example.com
givenname: soaLDAP
sn: soaLDAP
cn: soaLDAP
uid: soaLDAP
Note:
If you are using Oracle Unified Directory, then add the following four group memberships to the end of the LDIF file to grant the appropriate read/write privileges:
dn: cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com
Provision the user in the LDAP directory.
For example, for an Oracle Unified Directory LDAP provider:
OUD_INSTANCE_HOME/bin/ldapmodify -a \
  -h oudhost.example.com -D "cn=oudadmin" \
  -w password \
  -p 1389 \
  -f domain_user.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h oidhost.example.com \
  -p 3060 \
  -D cn="orcladmin" \
  -w password \
  -c \
  -v \
  -f domain_user.ldif
To configure a new LDAP-based authentication provider:
Log in to the WebLogic Server Administration Console.
Click Security Realms in the left navigational bar.
Click the myrealm default realm entry.
Click the Providers tab.
Note that there is a DefaultAuthenticator provider configured for the realm. This is the default WebLogic Server authentication provider.
Click Lock & Edit in the Change Center.
Click the New button below the Authentication Providers table.
Enter a name for the provider.
Use one of the following names, based on the LDAP directory service you are planning to use as your credential store:
OUDAuthenticator for Oracle Unified Directory
OIDAuthenticator for Oracle Internet Directory
OVDAuthenticator for Oracle Virtual Directory
Select the authenticator type from the Type drop-down list.
Select one of the following types, based on the LDAP directory service you are planning to use as your credential store:
OracleUnifiedDirectoryAuthenticator for Oracle Unified Directory
OracleInternetDirectoryAuthenticator for Oracle Internet Directory
OracleVirtualDirectoryAuthenticator for Oracle Virtual Directory
Click OK to return to the Providers screen.
On the Providers screen, click the newly created authenticator in the table.
Select SUFFICIENT from the Control Flag drop-down menu.
Setting the control flag to SUFFICIENT indicates that if the authenticator can successfully authenticate a user, then the authenticator should accept that authentication and should not continue to invoke any additional authenticators.
If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flags set to SUFFICIENT; in particular, check the DefaultAuthenticator and make sure that its control flag is set to SUFFICIENT.
Click Save to save the control flag settings.
Click the Provider Specific tab and enter the details specific to your LDAP server, as shown in the following table.
Note that only the required fields are discussed in this procedure. For information about all the fields on this page, consider the following resources:
To display a description of each field, click Help on the Provider Specific tab.
For more information on setting the User Base DN, User From Name Filter, and User Attribute fields, see Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.
Parameter | Sample Value | Value Description |
---|---|---|
Host | For example: | The LDAP server's server ID. |
Port | For example: | The LDAP server's port number. |
Principal | For example: cn=soaLDAP,cn=systemids,dc=example,dc=com | The LDAP user DN used to connect to the LDAP server. |
Credential | Enter LDAP password. | The password used to connect to the LDAP server. |
SSL Enabled | Unchecked (clear) | Specifies whether SSL protocol is used when connecting to the LDAP server. |
User Base DN | For example: cn=users,dc=example,dc=com | Specify the DN under which your users start. |
All Users Filter | For example: (&(uid=*)(objectclass=person)) | Instead of the default search criteria for All Users Filter, search all users based on the uid value. If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the All Users Filter field. For example, if the User Name Attribute type is cn, then this field should be set to (&(cn=*)(objectclass=person)). |
User From Name Filter | For example: (&(uid=%u)(objectclass=person)) | If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the User From Name Filter field. For example, if the User Name Attribute type is cn, then this field should be set to (&(cn=%u)(objectclass=person)). |
User Name Attribute | For example: uid | The attribute of an LDAP user object that specifies the name of the user. |
Group Base DN | For example: cn=groups,dc=example,dc=com | Specify the DN that points to your Groups node. |
Use Retrieved User Name as Principal | Checked | Must be turned on. |
GUID Attribute | | This value is prepopulated with |
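The following Python script is an added example, not WebLogic code, that shows what the two filters in the table do when the authenticator resolves them: it parses a small constructed LDIF (modeled on the entries provisioned in this chapter), substitutes the login name into the User From Name Filter with RFC 4515 escaping, and runs the result as a subtree search below the User Base DN. It also shows why the connector user under cn=systemids is not returned by a search under cn=users, what escaping does to a wildcard in a login name, and that an unbalanced filter such as one with a stray closing parenthesis is rejected rather than silently accepted. The filter evaluator covers only the subset used here (&, |, presence and equality) and is written for this example.

```python
"""Resolve and evaluate WebLogic authenticator LDAP filters against LDIF
entries. Added example modeled on this chapter's users; not WebLogic code."""
import re

# Constructed sample directory: connector user, admin user and admin group.
SAMPLE_LDIF = """\
dn: cn=soaLDAP,cn=systemids,dc=example,dc=com
objectclass: person
objectclass: inetorgperson
cn: soaLDAP
uid: soaLDAP

dn: cn=weblogic_soa,cn=users,dc=example,dc=com
objectclass: person
objectclass: inetorgperson
cn: weblogic_soa
uid: weblogic_soa

dn: cn=SOA Administrators,cn=groups,dc=example,dc=com
objectclass: groupofuniquenames
cn: SOA Administrators
uniquemember: cn=weblogic_soa,cn=users,dc=example,dc=com
"""

def parse_ldif(text):
    """Entries as dicts: lower-cased attribute -> list of values (add-style LDIF)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping: a login name can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def user_from_name_filter(user_name_attribute="uid"):
    """Filter the authenticator uses to find one user; %u is the login name."""
    return "(&(%s=%%u)(objectclass=person))" % user_name_attribute

def all_users_filter(user_name_attribute="uid"):
    """Filter used to list every user below the User Base DN."""
    return "(&(%s=*)(objectclass=person))" % user_name_attribute

def resolve_filter(template, username):
    """Substitute %u, escaping the name first (as the provider must)."""
    return template.replace("%u", escape_filter_value(username))

def _parse(s, i):
    """Recursive-descent parser for the subset used here: &, |, presence, equality."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def parse_filter(filter_string):
    """Parse a whole filter; trailing text (e.g. a stray ')') is an error."""
    node, end = _parse(filter_string, 0)
    if end != len(filter_string):
        raise ValueError("unbalanced filter: trailing text after offset %d" % end)
    return node

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, n) for n in node[1])
    if node[0] == "|":
        return any(matches(entry, n) for n in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test
        return bool(values)
    wanted = _unescape(value).lower()    # an escaped '*' compares as a literal
    return any(v.lower() == wanted for v in values)

def search(entries, base_dn, filter_string):
    """DNs of entries in the subtree below base_dn that satisfy the filter."""
    node = parse_filter(filter_string)
    suffix = "," + base_dn.lower()
    return [e["dn"][0] for e in entries
            if e["dn"][0].lower().endswith(suffix) and matches(e, node)]
```

With the User Base DN set to cn=users,dc=example,dc=com, resolving the default filter for weblogic_soa returns exactly that user, while the same lookup for soaLDAP returns nothing because the connector user lives under cn=systemids; switching the User Name Attribute to cn requires the matching change in both filters, as the table describes.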
Click Save to save the changes.
Return to the Providers page by clicking Security Realms in the right navigation pane, clicking the default realm name (myrealm), and then Providers.
Click Reorder, and then use the resulting page to make the Provider you just created first in the list of authentication providers.
Click OK.
On the Providers Page, click DefaultAuthenticator.
From the Control Flag drop-down, select SUFFICIENT.
Click Save to update the DefaultAuthenticator settings.
In the Change Center, click Activate Changes.
Restart the Administration Server and all managed servers.
To stop the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers in the Target Navigator and click Shut Down in the toolbar.
To stop and start the Administration Server using the Node Manager:
Start WLST:
cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
Connect to Node Manager using the Node Manager credentials you defined when you created the domain in the Configuration Wizard:
wls:/offline>nmConnect('nodemanager_username','nodemanager_password', 'ADMINVHN','5556','domain_name', 'ASERVER_HOME','PLAIN')
Stop the Administration Server:
nmKill('AdminServer')
Start the Administration Server:
nmStart('AdminServer')
Exit WLST:
exit()
To start the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers, and click Start Up in the toolbar.
Note:
If you plan to log in to the system immediately by using the central LDAP user role, you can skip the restart until you have assigned the Administration role to the new enterprise deployment administration group. For more information, see Adding the New Administration User to the Administration Group.
After the restart, review the contents of the following log file:
ASERVER_HOME/servers/AdminServer/logs/AdminServer.log
Verify that no LDAP connection errors occurred. For example, look for errors such as the following:
The LDAP authentication provider named "OUDAuthenticator" failed to make connection to ldap server at ...
If you see such errors in the log file, then check the authorization provider connection details to verify they are correct and try saving and restarting the Administration Server again.
After you restart and verify that no LDAP connection errors are in the log file, try browsing the users and groups that exist in the LDAP provider:
In the Administration Console, navigate to the Security Realms > myrealm > Users and Groups page. You should be able to see all users and groups that exist in the LDAP provider structure.
This example shows how to create a user called weblogic_soa and a group called SOA Administrators.
To provision the administration user and group in LDAP provider:
Create an ldif file named admin_user.ldif with the contents shown below and then save the file:
dn: cn=weblogic_soa,cn=users,dc=example,dc=com
changetype: add
orclsamaccountname: weblogic_soa
userpassword: password
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: weblogic_soa@example.com
givenname: weblogic_soa
sn: weblogic_soa
cn: weblogic_soa
uid: weblogic_soa
Provision the user in the LDAP directory.
For example, for an Oracle Unified Directory LDAP provider:
OUD_INSTANCE_HOME/bin/ldapmodify -a \
  -h oudhost.example.com -D "cn=oudadmin" \
  -w password \
  -p 1389 \
  -f admin_user.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h oidhost.example.com \
  -p 3060 \
  -D cn="orcladmin" \
  -w password \
  -c \
  -v \
  -f admin_user.ldif
Create an ldif file named admin_group.ldif with the contents shown below and then save the file:
dn: cn=SOA Administrators,cn=Groups,dc=example,dc=com
displayname: SOA Administrators
objectclass: top
objectclass: GroupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_soa,cn=users,dc=example,dc=com
cn: SOA Administrators
description: Administrators Group for the Oracle SOA Suite Domain
Provision the group in the LDAP Directory.
For Oracle Unified Directory:
OUD_INSTANCE_HOME/bin/ldapmodify -a \
  -D "cn=oudadmin" \
  -h oudhost.example.com \
  -w password \
  -p 1380 \
  -f admin_group.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h oid.example.com \
  -p 3060 \
  -D cn="orcladmin" \
  -w password \
  -c \
  -v \
  -f admin_group.ldif
Verify that the changes were made successfully:
Log in to the Oracle WebLogic Server Administration Console.
In the left pane of the console, click Security Realms.
Click the default security realm (myrealm).
Click the Users and Groups tab.
Verify that the administrator user and group you provisioned are listed on the page.
After adding the users and groups to Oracle Internet Directory, the group must be assigned the Administration role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for the domain.
To assign the Administration role to the new enterprise deployment administration group:
After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (SOA Administrators) as a member to the policy.Updater role in the wsm-pm application stripe.
For additional steps in preparation for possible scale out scenarios, see Considerations for Cross-Component Wiring.