Oracle® Fusion Middleware Installation Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E12002-06
This chapter explains how to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory (OID) 11g Release 1 (11.1.1).
Note:
If you already have Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) installed against Oracle Internet Directory Release 10g, refer to the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management for information on upgrading to Oracle Internet Directory 11g Release 1 (11.1.1).
This chapter includes the following topics:
You must use the inspre11.pl Perl script when installing Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1). This topic describes how to use the inspre11.pl script.
The inspre11.pl script is located in the $ORACLE_HOME/ldap/bin/ directory on the host where Oracle Internet Directory 11g Release 1 (11.1.1) is installed. Perl is located in the $ORACLE_HOME/perl/bin/ directory.
Before you execute the inspre11.pl script, you must set the following environment variables:
ORACLE_INSTANCE to the Oracle Internet Directory 11g Release 1 (11.1.1) Oracle Instance location.
ORACLE_HOME to the Oracle Internet Directory 11g Release 1 (11.1.1) Oracle Home location.
The following is the syntax for the inspre11.pl script:
$OID11gR1_ORACLE_HOME/perl/bin/perl \
  $OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
  OID_COMPONENT TNS_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD \
  {-op1 | -op2 | -op3}
The following list defines each of the options for the inspre11.pl script:
OID_HOST: Identifies the host where Oracle Internet Directory 11g Release 1 (11.1.1) is installed.
OID_PORT: The SSL or non-SSL Oracle Internet Directory port.
-ssl: Indicates the port identified by OID_PORT is the Oracle Internet Directory SSL port.
-nonssl: Indicates the port identified by OID_PORT is the Oracle Internet Directory non-SSL port.
OID_COMPONENT: The name of the Oracle Internet Directory component, such as oid1. You can identify the name of the Oracle Internet Directory component using the $ORACLE_INSTANCE/bin/opmnctl status command.
TNS_CONNECT_STRING: Represents the Oracle Internet Directory database connect string defined in the ORACLE_INSTANCE/config/tnsnames.ora file. The default value is oiddb.
Note:
Only use the Oracle Internet Directory database connect string defined in the ORACLE_INSTANCE/config/tnsnames.ora file; do not use any other tnsnames.ora file to identify the connect string.
ODS_PASSWORD: The password for the ODS schema.
ORCLADMIN_PASSWORD: The password for the Oracle Internet Directory administrator, which is typically cn=orcladmin.
-op1: Enables anonymous bind and disables entry caching. While the -op1 option does not use the TNS_CONNECT_STRING value, you must include it when executing inspre11.pl with the -op1 option.
-op2: Resets the Oracle Internet Directory version to allow you to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0). This option also sets the seealso attribute to point to the database identified by the TNS_CONNECT_STRING option.
-op3: Sets the Oracle Internet Directory version back to 11g Release 1 (11.1.1) and enables entry caching.
Perform the following steps to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1):
1. Install Oracle Internet Directory 11g Release 1 (11.1.1). Refer to Chapter 6, "Configuring Oracle Internet Directory" for more information.
2. Execute the inspre11.pl script with -op1. This enables anonymous bind in Oracle Internet Directory and allows OracleAS RepCA to load schema into the database for Oracle Single Sign-On and Oracle Delegated Administration Services. Execute the script as follows:
$OID11gR1_ORACLE_HOME/perl/bin/perl \
  $OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
  OID_COMPONENT TNS_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD -op1
When this command completes successfully, the following message is displayed:
'Use RepCA to load SSO and other schemas against DB before running -op2'
Note:
If desired, you can disable anonymous bind in Oracle Internet Directory in the last step of this procedure.
3. Use the OracleAS RepCA Release 10.1.4.3.1 to create and load Oracle Single Sign-On 10.1.4.0.1 schema in the database. You can get OracleAS RepCA 10.1.4.3.1 from the Oracle Technology Network (OTN) Web site:
http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html#
You must use only this specific version of MRCA for installing Oracle Single Sign-On (10.1.4.x) against Oracle Internet Directory 11g Release 1 (11.1.1) in an Oracle Fusion Middleware 11g deployment. This MRCA cannot be used as a generic replacement for MRCA 10g in an Application Server 10g deployment because it carries only a subset of the original MRCA 10g schemas to support Oracle Single Sign-On (10.1.4.x) for Oracle Fusion Middleware 11g deployment.
Note:
While there is no documentation specifically for OracleAS RepCA Release 10.1.4.3.1, you can use the Oracle Application Server Metadata Repository Creation Assistant User's Guide for Release 10g (10.1.4.0.1) for general information on how to use OracleAS RepCA. Be aware that the database requirements listed in this document do not apply to the OracleAS RepCA Release 10.1.4.3.1.
You can get the Oracle Application Server Metadata Repository Creation Assistant User's Guide for Release 10g (10.1.4.0.1) from the Oracle Identity Management 10g (10.1.4) Documentation Library located on the OTN Web site.
If an already existing Identity Management 10g (10.1.4 or 10.1.2) option is chosen, a separate Oracle Internet Directory 10g and separate Oracle Database may need to be managed along with other options. See the certification, installation and planning guides for more information.
After MRCA 10.1.4.3.1 is installed, you can perform an Identity Management 10g (10.1.4.0.1) installation and choose SSO+DAS only. For information on performing this installation and installing the required patches, see the note that follows Step 6 in this procedure.
When you run OracleAS RepCA 10.1.4.3.1:
You must register the Oracle Single Sign-On schema with Oracle Internet Directory using its SSL port. This is required for various Oracle Single Sign-On and Oracle Internet Directory interdependencies.
You might receive error messages that some database session parameters do not have appropriate values. If you receive these errors, you should reset the parameters identified by OracleAS RepCA, adhering to the minimum values that are given. After you reset the parameters, exit OracleAS RepCA and start it again. If you used SPFILE as the scope in any of the alter commands, you may also have to restart the database.
Only the schema required for Oracle Single Sign-On will be loaded, not all schema.
4. Reset the ODS password to the value that was set when Oracle Internet Directory was installed and restart Oracle Internet Directory. You must reset the password because it was randomized when you loaded the Oracle Single Sign-On 10.1.4.0.1 schema in the database.
Perform the following steps:
a. Use SQL*PLUS to connect to the database as the SYS user.
b. Change the ODS password using alter user ods identified by PASSWORD, where PASSWORD represents the ODS schema password before running the OracleAS RepCA.
c. Set the TNS_ADMIN environment variable to point to the $ORACLE_INSTANCE/config directory.
d. Execute the following command, where TNS_CONNECT_STRING represents the Oracle Internet Directory database connect string defined in the ORACLE_INSTANCE/config/tnsnames.ora file. You can set the TNS_ADMIN environment variable if you want to use a different location.
$OID11gR1_ORACLE_HOME/ldap/bin/oidpasswd \
  connect=TNS_CONNECT_STRING create_wallet=true
e. Restart Oracle Internet Directory.
5. Execute the inspre11.pl script with -op2, which resets the Oracle Internet Directory version and allows you to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1). The -op2 option will also verify the orcldirectoryversion attribute has a value of OID 10.1.4.0.1.
Execute the script as follows:
$OID11gR1_ORACLE_HOME/perl/bin/perl \
  $OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
  OID_COMPONENT TNS_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD -op2
When this command completes successfully, the following message is displayed:
'Install SSO/DAS against 11g OID before running -op3'
6. Install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1) in an ORACLE_HOME directory that is different from the ORACLE_HOME where you installed Oracle Internet Directory. Do not install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1) in the same ORACLE_HOME where you installed Oracle Internet Directory 11g Release 1 (11.1.1).
You can get Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1) from the Oracle Technology Network (OTN) Web site. To access the OTN Web site, go to the following URL:
http://www.oracle.com/technetwork/index.html
Note:
After MRCA 10.1.4.3.1 is installed, you can perform an Identity Management 10g (10.1.4.0.1) installation and choose SSO+DAS only, rather than a full Infrastructure. This is available in the 10g download location (http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html).
If you are installing Oracle Single Sign-On and Oracle Delegated Administration Services against a Release 11.x database, you must apply Patch 5649850 for release 10.1.0.5 to the Oracle Single Sign-On ORACLE_HOME directory. Patch 5649850 updates the 10.1.0.5 JDBC driver, allowing connectivity to a Release 11.x database. If you are unable to apply this patch due to a prerequisite failure, apply Patch 6880880 for release 1 before applying patch 5649850.
When you install Oracle Single Sign-On and Oracle Delegated Administration Services, apply patch 5649850 when you are prompted to run the root.sh script on UNIX systems. On Windows systems, you should wait for the Configuration Assistant to fail, apply the patch and rerun the Configuration Assistant. Do not shut down or restart either OID or its DB.
You can get Patch 5649850 for release 10.1.0.5 from My Oracle Support (formerly MetaLink), located at:
The 10.1.4.3 Patchset (Patch 7215628) is then applied to the SSO+DAS home. To apply the 10.1.4.3 Patchset where an 11.2 database is associated, you must first download Patch 6265268, following its readme file. This final 10.1.4.3.0 SSO+DAS home is used in conjunction with the OID 11g and MRCA 10.1.4.3.1 previously installed.
7. Upgrade Oracle Single Sign-On and Oracle Delegated Administration Services to Release 10g (10.1.4.3.0) by applying the Oracle Identity Management 10g (10.1.4.3.0) Patch Set. You can get the Oracle Identity Management 10g (10.1.4.3.0) Patch Set from My Oracle Support (formerly MetaLink) by searching for Bug or Patch Number 7215628.
You can access My Oracle Support (formerly MetaLink) at:
8. Execute the inspre11.pl script with -op3, which sets the Oracle Internet Directory version back to 11g Release 1 (11.1.1). For example:
$OID11gR1_ORACLE_HOME/perl/bin/perl \
  $OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
  OID_COMPONENT TNS_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD -op3
When this command completes successfully, the following message is displayed:
'Finished all actions!'
9. Executing the inspre11.pl script with -op1 in step 2 enables anonymous bind in Oracle Internet Directory. If desired, you can disable anonymous bind in Oracle Internet Directory by referring to "Managing Anonymous Binds" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
Verify the Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) installation against Oracle Internet Directory 11g Release 1 (11.1.1) by logging in to Oracle Delegated Administration Services. You will be redirected to Oracle Single Sign-On and prompted to log in. If you have access to the Oracle Delegated Administration Services content after logging in to Oracle Single Sign-On, the installation against Oracle Internet Directory 11g Release 1 (11.1.1) was successful.
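Between -op1 and -op3 the directory runs with anonymous bind enabled, entry caching disabled and a 10g version string, so it is worth tracking that every phase really completed and that they ran in order. The following wrapper is an added example, not part of the Oracle guide or of inspre11.pl; the STATE_FILE variable and the function names are assumptions made for the example, while the arguments and success messages are the ones documented in this chapter.

```shell
# Added example (not Oracle's code): guard rails around the inspre11.pl phases.
# STATE_FILE and all function names are assumptions made for this example.
STATE_FILE="${STATE_FILE:-./inspre11.state}"

# Success message this chapter documents for each phase.
phase_message() {
  case "$1" in
    -op1) printf '%s\n' 'Use RepCA to load SSO and other schemas against DB before running -op2' ;;
    -op2) printf '%s\n' 'Install SSO/DAS against 11g OID before running -op3' ;;
    -op3) printf '%s\n' 'Finished all actions!' ;;
    *) return 1 ;;
  esac
}

# Phase that must be recorded as complete before phase $1 may run.
required_previous() {
  case "$1" in
    -op1) printf '%s\n' none ;;
    -op2) printf '%s\n' -op1 ;;
    -op3) printf '%s\n' -op2 ;;
    *) return 1 ;;
  esac
}

# run_phase HOST PORT {-ssl|-nonssl} COMPONENT TNS ODS_PW ADMIN_PW {-op1|-op2|-op3}
# The script takes both passwords as positional arguments, so they are visible
# in the process listing while it runs; use a host other users cannot log in to.
run_phase() {
  [ "$#" -eq 8 ] || { echo "expected the 8 arguments of the documented syntax" >&2; return 2; }
  op=$8
  [ -n "$ORACLE_HOME" ] && [ -n "$ORACLE_INSTANCE" ] || { echo "set ORACLE_HOME and ORACLE_INSTANCE first" >&2; return 2; }
  want=$(phase_message "$op") || { echo "unknown phase: $op" >&2; return 2; }
  prev=$(required_previous "$op")
  last=$(cat "$STATE_FILE" 2>/dev/null || echo none)
  [ "$last" = "$prev" ] || { echo "refusing $op: last completed phase is $last" >&2; return 3; }
  out=$("$ORACLE_HOME/perl/bin/perl" "$ORACLE_HOME/ldap/bin/inspre11.pl" "$@" 2>&1) || { echo "$out" >&2; return 1; }
  case "$out" in
    *"$want"*) printf '%s\n' "$op" > "$STATE_FILE" ;;   # record only a confirmed success
    *) echo "$op ran, but the documented success message was not seen" >&2; return 1 ;;
  esac
  [ "$op" != "-op1" ] || echo "NOTE: anonymous bind is now enabled in OID; review it in the last step" >&2
}
```

A state file that still reads -op1 or -op2 means the directory has not yet been set back to 11g Release 1 (11.1.1) with entry caching enabled.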
The following information describes how to get started after installing Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1).
After installing Oracle Single Sign-On Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1) as described in this chapter, refer to the "Basic Administration" chapter in the Oracle Application Server Single Sign-On Administrator's Guide 10g Release 10.1.4.0.1 available at:
http://www.oracle.com/technology/documentation/oim1014.html
After installing Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1) as described in this chapter, refer to the "Getting Started with Oracle Delegated Administration Services" chapter in the Oracle Identity Management Guide to Delegated Administration 10g Release 10.1.4.0.1 available at:
http://www.oracle.com/technology/documentation/oim1014.html