Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
11g Release 1 (11.1.1)

Part Number E12035-06

8 Extending the Domain with Oracle Virtual Directory

This chapter describes how to extend the domain with Oracle Virtual Directory (OVD) in the enterprise deployment.

This chapter includes the following topics:

Follow these steps to configure the Oracle Virtual Directory components on OVDHOST1 and OVDHOST2, the directory-tier hosts. The two installation procedures are very similar, but the selections on the configuration options screen differ.

8.1 Prerequisites for Configuring Oracle Virtual Directory Instances

Before configuring the Oracle Virtual Directory instances on OVDHOST1 and OVDHOST2, ensure that the following tasks have been performed:

  1. Install and upgrade the software on OVDHOST1 and OVDHOST2 as described in Section 4.5.4 and Section 4.6.1.

  2. If you plan on provisioning the Oracle Internet Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST1 and OIDHOST2 as described in Section 2.4.

  3. Make sure that the load balancer is configured.

8.1.1 Software, Network, and Directory Structure

8.2 Configuring the Oracle Virtual Directory Instances

This section contains the following topics:

The steps for configuring Oracle Virtual Directory instances are as follows:

  1. Install and upgrade the software on OIDHOST1 and OIDHOST2 as described in the following sections:

  2. If you plan on provisioning the Oracle Internet Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST1 and OIDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Make sure that the load balancer is configured as described in Section 2.2.2, "Configuring Virtual Server Names and Ports on the Load Balancer."

8.2.1 Configuring the First Oracle Virtual Directory Instance

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On UNIX:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign ports 6501 and 7501, as follows:

    # The non-SSL port for Oracle Virtual Directory
    Oracle Virtual Directory port = 6501
    # The SSL port for Oracle Virtual Directory
    Oracle Virtual Directory (SSL) port = 7501
    
  4. Start the Oracle Identity Management 11g Configuration Assistant by running ORACLE_HOME/bin/config.sh.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/OVD_inst1

    • Oracle Instance Name: OVD_inst1

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the checkbox next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and then click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full pathname to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: *******

    • Confirm Password: *******

    Select Configure the Administrative Server in secure mode.

    Click Next.

  12. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  13. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  14. On the Installation Complete screen, click Finish to confirm your choice to exit.

  15. To validate the installation of the Oracle Virtual Directory instance on OVDHOST1, issue these commands:

    ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

8.2.2 Configuring an Additional Oracle Virtual Directory

The schema database must be running before you perform this task. Follow these steps to install Oracle Virtual Directory on OVDHOST2:

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    
  2. If the ports are in use (that is, if the command returns output identifying either port), you must free them.

    On UNIX, remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  3. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  4. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Virtual Directory
    Oracle Virtual Directory port = 6501
    # The SSL port for Oracle Virtual Directory
    Oracle Virtual Directory (SSL) port = 7501
    
  5. Start the Oracle Identity Management 11g Configuration Assistant by running ORACLE_HOME/bin/config.sh.

  6. On the Welcome screen, click Next.

  7. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  8. On the Specify Installation Location screen, specify the following values:

    Oracle Instance Location: /u01/app/oracle/admin/ovd_inst1

    Oracle Instance Name: ovd_inst1

    Click Next.

  9. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the checkbox next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  10. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.

  11. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full pathname to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  12. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: *******

    • Confirm Password: *******

    Select Configure the Administrative Server in secure mode.

    Click Next.

  13. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  14. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  15. On the Installation Complete screen, click Finish to confirm your choice to exit.

  16. To validate the installation of the Oracle Virtual Directory instance on OVDHOST2, issue these commands:

    ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
    ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
    

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.
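The netstat checks in step 1 of Section 8.2.1 and Section 8.2.2 use `grep "6501"`, which is a substring match: a listener on port 16501, or an established connection whose foreign address ends in 6501, also produces output and looks like a conflict. The following POSIX shell script is an added example, not part of this guide; it matches the port against the local-address column only, assumes Linux-style `netstat -an` output, and runs against a constructed sample when one is supplied.

```shell
#!/bin/sh
# Added example: exact-port check for the OVD listener ports 6501 and 7501.
# Assumes Linux-style "netstat -an" output (local address in column 4).

# Constructed sample output, not captured from a real host. It contains a
# listener on 16501 and a connection whose *foreign* address ends in 6501;
# a plain `grep "6501"` reports both, although port 6501 itself is free.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:16501           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45210          10.0.0.9:6501           ESTABLISHED
tcp        0      0 0.0.0.0:7501            0.0.0.0:*               LISTEN'

# port_in_use PORT [NETSTAT_OUTPUT]
# Exit status 0 if a tcp/udp socket's local address ends in ":PORT" (or
# ".PORT", the BSD-style separator), 1 otherwise. Runs netstat -an itself
# when no output is passed in.
port_in_use() {
    port=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(netstat -an); fi
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 ~ /^(tcp|udp)/ && $4 ~ ("[.:]" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ovd_ports_free [NETSTAT_OUTPUT]
# Checks both OVD ports; prints each port that is taken and returns 1 if
# any is, 0 if both are free (the state required before running config.sh).
ovd_ports_free() {
    rc=0
    for p in 6501 7501; do
        if port_in_use "$p" "$@"; then
            echo "port $p is in use; free it before running config.sh"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample: reports 7501 as in use
# and stays silent about 16501 and the foreign-address 6501.
if ovd_ports_free "$SAMPLE_NETSTAT"; then
    echo "both OVD ports are free"
fi
```

Drop the second argument to check the live host instead of the sample.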

8.3 Post-Configuration Steps

This section contains the following topics:

8.3.1 Registering Oracle Virtual Directory with the Oracle WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Virtual Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Virtual Directory instances installed on OVDHOST1 and OVDHOST2, follow these steps:

  1. Set the ORACLE_HOME variable. For example, on OVDHOST1 and OVDHOST2, issue this command:

    export ORACLE_HOME=/u01/app/oracle/product/fmw/idm
    
  2. Set the ORACLE_INSTANCE variable. For example:

    On OVDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
    

    On OVDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst2
    
  3. Execute the opmnctl registerinstance command on both OVDHOST1 and OVDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName -adminPort WLSPort -adminUsername adminUserName
    

    For example, on OVDHOST1 and OVDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
       -adminHost idmhost1.mycompany.com -adminPort 7001 -adminUsername weblogic
    

    The command prompts you to log in to the WebLogic Administration Server (idmhost1.mycompany.com):

    Username: weblogic

    Password: ******* (enter the password)

    Note:

    For additional details on registering Oracle Virtual Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance Using OPMNCTL" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
  4. Update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

    Syntax:

    ./emctl switchOMS <ReposURL>
    

    For example:

    ./emctl switchOMS http://idmhost-vip.mycompany.com:7001/em/upload 
    

    Output:

    ./emctl switchOMS http://idmhost-vip.mycompany.com:7001/em/upload 
    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
    Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved. 
    SwitchOMS succeeded.
    
  5. Validate that the agents on OIDHOST1 and OIDHOST2 are configured properly to monitor their respective targets. Follow the steps below to complete this task:

    • Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.us.oracle.com:7001/em. Log in as the weblogic user.

    • From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    • Validate that the hostname in Agent URL under the Agent column matches the hostname under the Host column. In case of a mismatch, follow these steps to correct the issue:

      • Click Configure to bring up the Configure Target page.

      • On the Configure Target page, click Change Agent and choose the correct agent for the host.

      • Click OK to save your changes.

8.3.2 Creating Server Certificates for the Oracle Virtual Directory Instances

Oracle Virtual Directory is configured to use the SSL Server Authentication Only Mode by default. When you use command line tools like ldapbind to validate a connection secured by the SSL Server Authentication Only mode, the server certificate must be stored in an Oracle Wallet. Also, the wallet on each node should contain certificates from both OVDHOST1 and OVDHOST2.

Follow these steps to perform this task:

  1. Create an Oracle Wallet by executing the following command:

    ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET -pwd WALLET_PASSWORD
    
  2. Export the Oracle Virtual Directory server certificate by executing the following command:

    IDM_ORACLE_HOME/jdk/jre/bin/keytool -exportcert -keystore OVD_KEYSTORE_FILE -storepass PASSWORD -alias OVD_SERVER_CERT_ALIAS -rfc -file OVD_SERVER_CERT_FILE
    
  3. Add the Oracle Virtual Directory server certificate to the Oracle Wallet by executing the following command:

    ORACLE_COMMON_HOME/bin/orapki wallet add -wallet DIRECTORY_FOR_SSL_WALLET -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
    

    Note:

    The wallet on each node should contain certificates from both OVDHOST1 and OVDHOST2.
  4. Run the following command to verify that the Oracle Virtual Directory instance is listening on the SSL LDAP port. Use the wallet from Step 3.

    ORACLE_HOME/bin/ldapbind -D "cn=orcladmin" -q -U 2 -h HOST -p SSL_PORT -W "file://DIRECTORY_FOR_SSL_WALLET" -Q
    

    Note:

    If you are using default settings after installing 11g Release 1 (11.1.1), you can use the following values for the variables described in this section:
    • For OVD_KEYSTORE_FILE, use:

      ORACLE_INSTANCE/config/OVD/ovd1/keystores/keys.jks
      
    • For OVD_SERVER_CERT_ALIAS, use serverselfsigned.

    • For PASSWORD used for the -storepass option, use the orcladmin account password.

    • OVD_SERVER_CERT_FILE refers to the file where the certificate is saved. The keytool utility creates this file under the location and filename specified by the OVD_SERVER_CERT_FILE parameter.

8.3.3 Configuring Adapters in Oracle Virtual Directory

Oracle Virtual Directory uses adapters to connect to underlying data repositories so it can virtualize data and route data to and from the repositories. Oracle Virtual Directory uses an LDAP Adapter to connect to an underlying LDAP repository.

Oracle Virtual Directory Adapters can only be configured after Oracle Directory Services Manager is installed, as described in Chapter 9, "Extending the Domain with Oracle Directory Integration Platform and ODSM."

The LDAP Adapter enables Oracle Virtual Directory to present data as a subtree of the virtual directory by providing real-time directory structure and schema translations. One LDAP Adapter is required for each distinct LDAP source you want to connect to. For example, if you have two LDAP repositories that are replicas of each other, you would deploy one LDAP Adapter and configure it to list the hostnames and ports of the replicas.

If you plan on using an LDAP repository other than Oracle Internet Directory in your environment, you are required to configure an LDAP Adapter to connect to that repository. For more information on creating and configuring an LDAP Adapter, refer to the "Creating and Configuring Oracle Virtual Directory Adapters" chapter in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

8.4 Validating the Oracle Virtual Directory Instances

To validate the OVD instances, ensure that you can connect to each Oracle Virtual Directory instance and to the load balancing router using the ldapbind commands below.

Follow the steps in Section 8.3.2, "Creating Server Certificates for the Oracle Virtual Directory Instances" before running the ldapbind command with the SSL port.

ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 2 -W "file://DIRECTORY_FOR_SSL_WALLET" -Q
ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 2 -W "file://DIRECTORY_FOR_SSL_WALLET" -Q
ldapbind -h ovd.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h ovd.mycompany.com -p 636 -D "cn=orcladmin" -q -U 2 -W "file://DIRECTORY_FOR_SSL_WALLET" -Q

8.5 Backing Up the Oracle Virtual Directory Configuration

Oracle recommends creating a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup of the installation after verifying that the installation so far is successful. This is a quick backup, written to local disk, for the express purpose of immediate restoration if problems occur in later steps; it can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific backup and recovery process can begin. For details, see the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to Oracle Database Backup and Recovery Advanced User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall
      
    2. Create a backup of the Middleware home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
      
    3. Create a backup of the Instance home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
      
    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall
      
  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager. You can use an operating system tool such as tar for cold backups.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory:

    IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver
    

Note:

Create backups on all machines in the directory tier by following the steps shown in this section.

For more information about backing up the directory tier configuration, see Section 19.4, "Performing Backups and Recoveries."