Oracle® Application Server 10g Administrator's Guide
10g (9.0.4) Part No. B10376-02
This appendix contains auxiliary procedures that are referred to in Chapter 8, "Changing Infrastructure Services".
It contains the following topics:
This section describes how to install and configure an LDAP-based Replica, specifically for use by the following procedures:
Oracle Internet Directory replication is the process of copying and maintaining the same data (or naming context) on multiple directory servers. Simply put, replication is a means of having two identical directories that contain the same information. One directory is called the master (or supplier). This directory contains the master copy of the naming context. The other directory is called the replica (or consumer). The master supplies replication updates to the replica, which keeps the master and replica in sync.
There are different types of replicas. This procedure uses an LDAP-based Replica, which means the protocol for transferring data between the master and the replica is LDAP.
See Also: Oracle Internet Directory Administrator's Guide for more information on directory replication and LDAP-based Replicas
For the purposes of this procedure, the master and replica directories are part of a larger environment that includes the Identity Management installations that contain the directories, and the Metadata Repositories that support them. This is called the LDAP-based Replica Environment, and it contains the following:
Master—The Identity Management installation containing the Oracle Internet Directory that holds the master copy of the naming context. It supplies replication updates to the Replica.
Master Repository—The Metadata Repository that the Master uses to store its Identity Management schemas.
Replica—The Identity Management installation containing the replicated Oracle Internet Directory.
Replica Repository—The Metadata Repository that the Replica uses to store its Identity Management schemas.
Figure F-1 illustrates the LDAP-based Replica environment.
Typically, an LDAP-based Replica is used to provide high availability and improved performance for directory users. For the purposes of changing Infrastructure services, the LDAP-based Replica is used as follows:
For Section 8.4, "Moving Identity Management to a New Host", the LDAP-based Replica is created as a way of moving Identity Management from one host to another. The Master is the original Identity Management installation, and the Replica is the new Identity Management installation. In this case, replication is used to create an identical copy of the original Identity Management on a new host. You can then change your middle tiers from the old Identity Management (Master) to the new Identity Management (Replica) and discard the Master.
For Section 8.5, "Changing from a Test to a Production Environment", the Replica is used to create a Test to Production environment. The Master is the Production Identity Management, and the Replica is the Test Identity Management. When you are ready to merge your Test Environment into your Production Environment, you can migrate data from your Test Identity Management (Replica) to your Production Identity Management (Master) and change your middle-tiers from the Test Identity Management to the Production Identity Management. You can then discard the Test Identity Management or continue to use it for testing.
This section describes how to install and set up an LDAP-based Replica environment.
You should be aware of these important items before you start the procedure:
This procedure uses a single Infrastructure Oracle home that contains Identity Management and the Metadata Repository. However, it is fine to split the Infrastructure installation so Identity Management is in one Oracle home and the Metadata Repository is in another Oracle home. You can also distribute the Identity Management components (SSO, OID, DAS, DIP) across different hosts. If you do this, perform the operations on each component in their respective Oracle homes.
The Replica always uses port 389 for the non-SSL OID port, and 636 for the SSL OID port, regardless of what is reported by Oracle Universal Installer, or printed in ORACLE_HOME/install/portlist.ini. Make sure no other processes are using ports 389 and 636 on the Replica host before you start the procedure.
On Windows, you must install the MKS Toolkit before performing this procedure.
The commands in this procedure are in UNIX format. Invert the slashes for Windows format.
Make sure you use the ldapsearch and ldapmodify commands that are in ORACLE_HOME/bin. (Some operating systems ship their own version of these commands—do not use those.)
These procedures use the remtool and oidpasswd commands. The messages returned by these commands are in UTF-8 encoding and are unreadable in most non-English environments. To work around this, set the NLS_LANG environment variable to american_america.character_set before running these commands. Most character sets (for example, US7ASCII) will work.
The procedure contains many Oracle Internet Directory operations and requires a familiarity with Oracle Internet Directory administration and replication.
The procedure contains many steps. It is important to follow each step precisely and not skip any steps.
The procedure includes Validation Steps. You should perform these checks to verify that you are proceeding successfully.
Make sure the ORACLE_HOME and ORACLE_SID environment variables are set. This applies to all platforms.
The procedure requires you to provide many parameters. Rather than describe these parameters multiple times throughout the procedure, they are listed in Table F-1, in the order in which they are first used. As you work through the procedure, each time you encounter a new parameter, you can refer to the table to learn how to obtain its value. Make a note of each value as you obtain it, and refer back to your notes as you continue through the procedure.
Table F-1 Parameters for Setting Up an LDAP-based Replica

Document Convention | Description |
---|---|
REPLICA_HOME | Replica Oracle home |
replica_db_name | Name of the entry for the Replica Repository in REPLICA_HOME/network/admin/tnsnames.ora. For example, the replica_db_name is asdb.myco.com if the entry looks like this: ASDB.MYCO.COM = (DESCRIPTION = .... |
replica_ods_passwd | Password for the ODS schema in the Replica Repository. The default is "ods". |
replica_orcladmin_passwd | Replica orcladmin password. The default is "welcome". |
replica_oid_port | Replica non-SSL OID port number. This value is always 389. |
master_host | Master hostname (you can use the plain or fully-qualified hostname) |
master_oid_port | Master non-SSL OID port number. This is listed as OIDport in MASTER_HOME/config/ias.properties. |
master_ods_passwd | Password for the ODS schema in the Master Repository. The default value is the ias_admin password you supplied while installing the Master. |
replica_host | Replica hostname |
MASTER_HOME | Master Oracle home |
master_orcladmin_passwd | Master orcladmin password. The default value is the ias_admin password you supplied while installing the Master. |
master_replicaid | Master replica ID. You obtain this value during the procedure. |
master_agreementid | Master agreement identifier. You obtain this value during the procedure. |
replica_replicaid | Replica replica ID. You obtain this value during the procedure. |
replica_repository_dn | Replica Repository DN. You obtain this value during the procedure. |
replica_ssl_oid_port | Replica SSL OID port number. This value is always 636. |
replica_http_port | Oracle HTTP Server Listen port on the Replica. This value is listed in REPLICA_HOME/install/portlist.ini. The default is 7777. |
replica_em_port | Application Server Control Console port on the Replica. This value is listed in REPLICA_HOME/install/portlist.ini. The default is 1810. |
This section contains the procedure for setting up an LDAP-based Replica. It contains the following tasks:
Task 1: Obtain the Master and Master Repository
Most likely, you already have your Master and Master Repository.
If you are following the procedure in Section 8.4, "Moving Identity Management to a New Host", the Master and Master Repository are the installations you would like to move to a new host, and the LDAP-based Replica will be the relocated installations.
If you are following the procedure in Section 8.5, "Changing from a Test to a Production Environment", the Master and Master Repository are your Production environment, and the Replica will be your Test environment.
If you are starting from scratch, you can install a Master and Master Repository as follows:
Install Oracle Application Server using Oracle Universal Installer.
Choose the Infrastructure Installation.
Choose to install Identity Management and OracleAS Metadata Repository.
Choose to configure the following components: Oracle Internet Directory, OracleAS Single Sign-On, Delegated Administration Services, and Directory Integration and Provisioning
Task 2: Install Middle-Tier Instances (Optional)
Most likely, you already have middle-tier instances using the Master for Identity Management services. This is fine, and, if desired, you can install and configure additional instances to use the Master now, or at the end of this procedure after you have configured the Replica, or both.
These middle-tier instances can use the Master Repository for their product metadata, or they can use a different repository.
Task 3: Install and Configure the Replica
In this task, you install and configure the Replica and Replica Repository. The general procedure is to install an Infrastructure and choose Identity Management and Metadata Repository. However, you deselect all Identity Management components (OID, SSO, DAS, and DIP). After installation, you perform manual steps to configure and start up OID, SSO, DAS, and DIP.
Install the Replica.
Be sure to install the Replica on a different host than the Master.
Install Oracle Application Server using Oracle Universal Installer.
Choose the Infrastructure Installation.
Choose to install Identity Management and OracleAS Metadata Repository.
Deselect all of the components that you can, so only OracleAS Metadata Repository, Oracle HTTP Server, and OracleAS Containers for J2EE are selected.
When asked if you would like to register the Metadata Repository with Oracle Internet Directory, check Yes and supply the connection information for the Master Oracle Internet Directory.
Start OID on the Replica.
Create a wallet for the ODS password:
REPLICA_HOME/bin/oidpasswd connect=replica_db_name create_wallet=TRUE current_password=replica_ods_passwd
Make sure OPMN is running:
REPLICA_HOME/opmn/bin/opmnctl ping
If OPMN is not running, start it:
REPLICA_HOME/opmn/bin/opmnctl start
Enable OID by editing the following file:
REPLICA_HOME/opmn/conf/opmn.xml
Modify the ias-component entry for OID so the status is enabled, as follows:
<ias-component id="OID" status="enabled">
Save and close the file.
Run the following command:
REPLICA_HOME/dcm/bin/dcmctl updateConfig
Reload opmn.xml:
REPLICA_HOME/opmn/bin/opmnctl reload
Start OID:
REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
Validation Step: Make sure the Replica OID is started:
REPLICA_HOME/bin/ldapbind -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port
If the command fails, check the following files for information on why the server did not start:
REPLICA_HOME/ldap/log/oidmon.log
REPLICA_HOME/ldap/log/oidldap01*.log
You can check the files manually, or use Log Viewer (refer to Section 4.2, "Listing and Viewing Log Files With Enterprise Manager").
See Also: Oracle Internet Directory Administrator's Guide, appendix on Syntax for LDIF and Command Line Tools, for more information
Enable SSL for OID.
On the Replica host, create a file named mod.ldif that contains the following lines:
dn:cn=configset0,cn=osdldapd,cn=subconfigsubentry
changetype:modify
replace:orclsslenable
orclsslenable:2
Run the following command:
REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port -v -f mod.ldif
Restart OID:
REPLICA_HOME/opmn/bin/opmnctl restartproc ias-component=OID
Validation Step: Make sure the SSL port is enabled on the Replica OID:
REPLICA_HOME/bin/ldapbind -D cn=orcladmin -w replica_orcladmin_passwd -U 1 -p replica_ssl_oid_port
If the command fails, perform Step 4, "Enable SSL for OID" again.
Task 4: Configure and Start Replication
In this task, you register the Replica with the Master.
Set environment variables.
Make sure the ORACLE_HOME environment variable is set.
Set the library path.
On HPUX systems, make sure the SHLIB_PATH environment variable includes $ORACLE_HOME/lib32.
On all other UNIX systems, make sure the LD_LIBRARY_PATH environment variable includes $ORACLE_HOME/lib.
Run the following command to configure replication:
(UNIX) REPLICA_HOME/ldap/bin/remtool -paddnode
(Windows) REPLICA_HOME\bin\remtool -paddnode
The tool prompts for information, as shown in Table F-2.
Table F-2 Prompts for the remtool Command

At this prompt... | Enter... |
---|---|
Enter supplier directory details: Enter hostname of host running OID server | Master hostname (master_host) |
Enter port on which OID server is listening | Master non-SSL OID port number (master_oid_port) |
Enter replication dn password | Master Repository ODS schema password (master_ods_passwd) |
Enter consumer directory details: Enter hostname of host running OID server | Replica hostname (replica_host) |
Enter port on which OID server is listening | Replica non-SSL OID port number (replica_oid_port) |
Enter replication dn password | Replica Repository ODS schema password (replica_ods_passwd) |
Enter naming context (e-end, q-quit) | * (Enter the asterisk character.) |
Enter naming context (e-end, q-quit) | e |
Following naming contexts will be included for replication: 1. * Do you want to continue? [y/n] | y |
Validation Step: Check if replication is configured:
REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h replica_host -p replica_oid_port -b "cn=replication configuration" -s sub "objectclass=orclreplnamectxconfig" dn orclincludednamingcontexts
This command should return two entries of the following types:
orclincludednamingcontexts=cn=oraclecontext
orclincludednamingcontexts=*
If it only returns one entry, and it is of the first listed type, there was a problem configuring replication. To recover, delete the Replica and repeat step 2, "Run the following command to configure replication".
To delete the Replica:
(UNIX) REPLICA_HOME/ldap/bin/remtool -pdelnode
(Windows) REPLICA_HOME\bin\remtool -pdelnode
See Also: Oracle Internet Directory Administrator's Guide, appendix on Syntax for LDIF and Command Line Tools, for more information on remtool
Change the server on the Replica to read-write mode.
On the Replica host, create a file named mod.ldif that contains the following lines:
dn:
changetype:modify
replace:orclservermode
orclservermode:rw
Run the following command:
REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port -v -f mod.ldif
Obtain the Master replica ID by running the following command:
MASTER_HOME/bin/ldapsearch -h master_host -p master_oid_port -D cn=orcladmin -w master_orcladmin_passwd -b "" -s base "objectclass=*" orclreplicaid
The replica ID will look something like "myhost_asdb".
Obtain the Master agreement identifier by running the following command:
MASTER_HOME/bin/ldapsearch -h master_host -p master_oid_port -D cn=orcladmin -w master_orcladmin_passwd -b "orclreplicaid=master_replicaid,cn=replication configuration" -s sub "objectclass=orclreplagreemententry" dn
Where master_replicaid is the Master replica ID you obtained in the previous step.
The agreement identifier will look something like "000002".
Perform this step on the Master.
Create a file named mod.ldif
that contains the following lines:
dn:cn=includednamingcontext000001,cn=replication namecontext,orclagreementid=master_agreementid,orclreplicaid=master_replicaid,cn=replication configuration
changetype:modify
replace:orclexcludednamingcontexts
orclexcludednamingcontexts:orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oraclecontext
Where master_agreementid is the Master agreement identifier and master_replicaid is the Master replica ID you obtained in the previous steps.
Note that the file must contain exactly these four lines. The dn line and the orclexcludednamingcontexts line are long; each must be entered as a single line in your file, without wrapping.
Run the following command:
MASTER_HOME/bin/ldapmodify -D cn=orcladmin -w master_orcladmin_passwd -p master_oid_port -v -f mod.ldif
Obtain the Replica replica ID by running the following command:
REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -b "" -s base "objectclass=*" orclreplicaid
The replica ID will look something like "myhost_asdb".
On the Replica host, modify the replica subentry to configure bootstrap.
Create a file named mod.ldif that contains the following lines:
dn:orclreplicaid=replica_replicaid,cn=replication configuration
changetype:modify
replace:orclreplicastate
orclreplicastate:0
Where replica_replicaid is the Replica replica ID you obtained in the previous step.
Run the following command:
REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port -v -f mod.ldif
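The three mod.ldif files of Task 4 (read-write mode, SSO exclusion on the Master, bootstrap state on the Replica) generated from the Table F-1 values and linted before ldapmodify is run, as an added example that is not part of Oracle's procedure. The values 000002 and myhost_asdb in the demo are constructed placeholders for master_agreementid, master_replicaid and replica_replicaid.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the Task 4 mod.ldif files from the
# Table F-1 parameters instead of typing the long DNs by hand, then lint each
# file so that a DN wrapped by an editor is caught before ldapmodify runs.

# Task 4 step 3: switch the Replica server to read-write mode.
rw_mode_ldif() {
    printf '%s\n' \
        'dn:' \
        'changetype:modify' \
        'replace:orclservermode' \
        'orclservermode:rw'
}

# Task 4 step 6 (run against the Master): exclude the SSO server entry from
# the replication agreement.  $1 = master_agreementid, $2 = master_replicaid.
exclude_sso_ldif() {
    printf '%s\n' \
        "dn:cn=includednamingcontext000001,cn=replication namecontext,orclagreementid=$1,orclreplicaid=$2,cn=replication configuration" \
        'changetype:modify' \
        'replace:orclexcludednamingcontexts' \
        'orclexcludednamingcontexts:orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oraclecontext'
}

# Task 4 step 8 (run against the Replica): reset the replica subentry so that
# oidrepld bootstraps on its next start.  $1 = replica_replicaid.
bootstrap_ldif() {
    printf '%s\n' \
        "dn:orclreplicaid=$1,cn=replication configuration" \
        'changetype:modify' \
        'replace:orclreplicastate' \
        'orclreplicastate:0'
}

# Lint one generated file.  Each modify record above is exactly four
# "attribute:value" lines; a wrapped DN shows up either as an extra line or as
# a line that starts with whitespace (an LDIF continuation line).
ldif_check() {
    file=$1
    lines=$(grep -c '' "$file")
    if [ "$lines" -ne 4 ]; then
        echo "$file: expected 4 lines, found $lines" >&2
        return 1
    fi
    if grep -n '^[[:space:]]' "$file" >&2; then
        echo "$file: continuation line found, a DN or value was wrapped" >&2
        return 1
    fi
    if grep -nv '^[A-Za-z][A-Za-z0-9]*:' "$file" >&2; then
        echo "$file: line without an attribute name prefix" >&2
        return 1
    fi
    return 0
}

# Write all three files into a directory and lint them.
# $1 = directory, $2 = master_agreementid, $3 = master_replicaid, $4 = replica_replicaid
write_task4_ldifs() {
    dir=$1
    rw_mode_ldif               > "$dir/rw_mode.ldif"
    exclude_sso_ldif "$2" "$3" > "$dir/exclude_sso.ldif"
    bootstrap_ldif "$4"        > "$dir/bootstrap.ldif"
    for f in "$dir/rw_mode.ldif" "$dir/exclude_sso.ldif" "$dir/bootstrap.ldif"; do
        ldif_check "$f" || return 1
    done
}

# Demo with constructed placeholder IDs: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_task4_ldifs "$out" 000002 myhost_asdb myhost_asdb && cat "$out"/*.ldif
fi
```

Each generated file is then applied with the ldapmodify command of its step (exclude_sso.ldif against the Master with MASTER_HOME/bin/ldapmodify, the other two against the Replica).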
Start the Replica:
REPLICA_HOME/bin/oidctl connect=replica_db_name server=oidrepld instance=1 flags="-p replica_oid_port" start
Wait for the Replica to bootstrap before proceeding to the next step. You can monitor the progress of the bootstrap by watching the messages appended to the oidrepld log file with the following command:
tail -f REPLICA_HOME/ldap/log/oidrepld00.log
For example:
Starting scheduler...
Start to BootStrap from supplier=pdsun-qa5_orcl to consumer=pdsun-qa8_repsid
gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext......
gslrbssSyncDIT:Sync done successfully for cn=oraclecontext, 266 entries matched
gslrbssSyncDIT:Replicating namingcontext=dc=com ......
gslrbssSyncDIT:Sync done successfully for dc=com, 197 entries matched
gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
gslrbssSyncDIT:Sync done successfully for cn=oracleschemaversion, 10 entries matched
Note that if you cannot locate the above log file, the Replica may have failed to start. Check the command you used at the beginning of this step to start the Replica and retry if you find any problems.
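A check on the oidrepld log from this step, as an added example that is not Oracle's code: it parses the three message formats shown above and reports which naming contexts have finished bootstrapping, so the wait can be scripted rather than eyeballed. It assumes those message formats; the log written by sample_log is constructed from the sample lines above.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide from oidrepld00.log whether the
# Replica bootstrap has finished.  Any naming context that logged
# "Replicating namingcontext=" without a matching "Sync done successfully"
# is still in progress.

# Print one status line per naming context.  Exit 0 when all are synced,
# 1 when some are still replicating, 2 when no bootstrap has started.
bootstrap_status() {
    awk '
        /Start to BootStrap from supplier=/ { started = 1 }
        /gslrbssSyncDIT:Replicating namingcontext=/ {
            ctx = $0
            sub(/.*namingcontext=/, "", ctx)
            sub(/[ .]*$/, "", ctx)              # strip the trailing " ......"
            if (!(ctx in seen)) { seen[ctx] = 1; order[++n] = ctx }
        }
        /gslrbssSyncDIT:Sync done successfully for / {
            rest = $0
            sub(/.*Sync done successfully for /, "", rest)
            ctx = rest;   sub(/, [0-9]+ entries matched.*/, "", ctx)
            count = rest; sub(/.*, /, "", count); sub(/ entries matched.*/, "", count)
            done[ctx] = count
        }
        END {
            if (!started) { print "bootstrap has not started"; exit 2 }
            rc = 0
            for (i = 1; i <= n; i++) {
                ctx = order[i]
                if (ctx in done) printf "%-26s synced, %s entries\n", ctx, done[ctx]
                else { printf "%-26s still replicating\n", ctx; rc = 1 }
            }
            exit rc
        }' "$1"
}

# Constructed sample log, taken from the lines shown in the step above, with
# the last naming context deliberately left unfinished.
sample_log() {
    cat <<'EOF'
Starting scheduler...
Start to BootStrap from supplier=pdsun-qa5_orcl to consumer=pdsun-qa8_repsid
gslrbssSyncDIT:Replicating namingcontext=cn=oraclecontext......
gslrbssSyncDIT:Sync done successfully for cn=oraclecontext, 266 entries matched
gslrbssSyncDIT:Replicating namingcontext=dc=com ......
gslrbssSyncDIT:Sync done successfully for dc=com, 197 entries matched
gslrbssSyncDIT:Replicating namingcontext=cn=oracleschemaversion ......
EOF
}

# Demo: sh this_script.sh --demo   (on a real host, pass REPLICA_HOME/ldap/log/oidrepld00.log)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    bootstrap_status "$tmp"      # cn=oracleschemaversion is still replicating, exit status 1
    rm -f "$tmp"
fi
```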
Validation Step: Verify the Replica has bootstrapped successfully.
The following commands should each return entries:
REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h replica_host -p replica_oid_port -b "dc=com" -s sub "objectclass=*" dn
REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h replica_host -p replica_oid_port -b "cn=oraclecontext" -s sub "objectclass=*" dn
If either of the above commands does not return entries then there was a problem with the bootstrap.
Validation Step: Verify the SSO server entry is excluded from replication.
The following search against the Replica should not return the entry. Instead, it should report the error "No such object" together with a matched entry (the nearest existing DN above the one requested).
REPLICA_HOME/bin/ldapsearch -D cn=orcladmin -w replica_orcladmin_passwd -h replica_host -p replica_oid_port -b "orclapplicationcommonname=orasso_ssoserver, cn=sso, cn=products, cn=oraclecontext" -s base "objectclass=*" dn
The same search, when performed against the Master, should return an entry.
MASTER_HOME/bin/ldapsearch -D cn=orcladmin -w master_orcladmin_passwd -h master_host -p master_oid_port -b "orclapplicationcommonname=orasso_ssoserver, cn=sso, cn=products, cn=oraclecontext" -s base "objectclass=*" dn
If there are any problems, repeat steps 7, 8, and 9 in Task 4, then restart the Replica as follows:
REPLICA_HOME/bin/oidctl connect=replica_db_name server=oidrepld instance=1 flags="-p replica_oid_port" restart
Task 5: Register the Replica OID with the Application Server Control Console
In this task, you enable the Replica OID to show up in the Application Server Control Console.
Create the ldaptarget.xml file by making a copy of the template:
cd REPLICA_HOME/ldap/templates
cp ldaptarget.xml.template ldaptarget.xml
Edit the ldaptarget.xml file and replace the following variables with values for your installation:
s_instanceName is the instance name of the Replica. You can obtain this name with the following command:
REPLICA_HOME/dcm/bin/dcmctl whichInstance
s_hostName is the fully qualified Replica host name—the same value as replica_host.
ORACLE_HOME is the Replica Oracle home—the same value as REPLICA_HOME.
s_odsPwd is the password for the Replica ODS schema—the same value as replica_ods_passwd.
s_tnsAddress is the Net Description string for the Replica repository. You can obtain this from REPLICA_HOME/network/admin/tnsnames.ora. For example:
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.myco.com)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=infra.myco.com)))
Note that you should enter the entire string with no new-line characters and no white-space characters.
For example:
<Target TYPE="oracle_ldap" NAME="infra.myhost.myco.com_LDAP" DISPLAY_NAME="OID" VERSION="2.5" ON_HOST="myhost.myco.com">
  <Property NAME="OracleHome" VALUE="/home/infra"/>
  <Property NAME="password" VALUE="ods" ENCRYPTED="FALSE"/>
  <Property NAME="LDAPScriptsPath" VALUE="/sysman/admin/scripts"/>
  <Property NAME="host" VALUE="myhost.myco.com"/>
  <Property NAME="UserName" VALUE="ods" ENCRYPTED="FALSE"/>
  <Property NAME="LDAPBindDN" VALUE="cn=emd admin,cn=oracle internet directory" ENCRYPTED="FALSE"/>
  <Property NAME="LDAPBindPwd" VALUE=""/>
  <Property NAME="version" VALUE="9.0.4"/>
  <Property NAME="ConnectDescriptor" VALUE="(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.myco.com)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=asdb.myco.com)))"/>
  <CompositeMembership>
    <MemberOf TYPE="oracle_ias" NAME="infra.myhost.myco.com" ASSOCIATION=" "/>
  </CompositeMembership>
</Target>
Upload the OID target using the following command (note that the following is a single command; type it all on one line):
REPLICA_HOME/bin/emctl config addtarget REPLICA_HOME/ldap/templates/ldaptarget.xml REPLICA_HOME
Verify that OID shows up in the Application Server Control Console:
Make sure the Application Server Control Console is started:
REPLICA_HOME/bin/emctl startifdown iasconsole
Navigate to the Application Server Control Console:
http://replica_host:replica_em_port
The ias_admin password on the Replica is set to the value specified during the Replica installation.
Use the Application Server Control to navigate to the Instance Home Page for the Replica instance.
Verify that Oracle Internet Directory is listed in the System Components section.
Remove the ldaptarget.xml file; it contains secure information such as the ODS schema password:
rm REPLICA_HOME/ldap/templates/ldaptarget.xml
Task 6: Enable SSO, DAS, and DIP on the Replica
In this task, you enable SSO, DAS, and DIP on the Replica.
Modify the replication configuration for SSO.
Obtain the Replica Repository dn:
REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -b "cn=oraclecontext" -s one "objectclass=orcldbserver" dn
This command will return two DNs in the form of:
cn=short_gdbname,cn=oraclecontext
Find the one that corresponds to the Replica Repository.
Note that if this command returns the error "ldap_search: No such object" you should go back to the previous step and make sure the Replica was started properly.
On the Replica host, create a file named mod.ldif that contains the following lines:
dn:orclreplicaid=replica_replicaid,cn=replication configuration
changetype:modify
replace:seeAlso
seeAlso:replica_repository_dn
Where replica_repository_dn is the Replica Repository DN you obtained in the previous step.
Run the following command:
REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port -v -f mod.ldif
Edit REPLICA_HOME/config/ias.properties to reflect the Replica OID server host and port. Change the following lines:
OIDhost=replica_host
OIDport=replica_oid_port
OIDsslport=replica_ssl_oid_port
VirtualHostName=replica_host
Stop the Replica instance:
REPLICA_HOME/bin/emctl stop iasconsole
REPLICA_HOME/opmn/bin/opmnctl stopall
Edit REPLICA_HOME/network/admin/ldap.ora to reflect the Replica OID server host and port. Change the following line:
DIRECTORY_SERVERS = (replica_host:replica_oid_port:replica_ssl_oid_port)
Start the Replica instance:
REPLICA_HOME/opmn/bin/opmnctl startall
REPLICA_HOME/bin/emctl start iasconsole
Configure SSO in the Application Server Control Console.
Make sure the Application Server Control Console is started:
REPLICA_HOME/bin/emctl startifdown iasconsole
Navigate to the Application Server Control Console:
http://replica_host:replica_em_port
Use the Application Server Control Console to navigate to the Instance Home Page for the Replica instance.
On the Instance Home Page, in the System Components section, click Configure Component.
On the Select Component screen, select Single Sign-On Server in the dropdown menu. Click Continue.
On the Login screen:
In the User Name field, enter cn=orcladmin.
In the Password field, enter the Replica cn=orcladmin password ("welcome").
Click Finish.
When the confirmation message appears, click OK.
Validation Step: If the confirmation message does not appear, or there is an error displayed, there are a few possible reasons. Check the following log files for errors:
REPLICA_HOME/sysman/log/emias.log
REPLICA_HOME/sso/log/ssoem.log
REPLICA_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1
If the error messages on the screen or in the log files indicate an LDAP or OID error, check that the Replica OID server is running and that you supplied a valid password for cn=orcladmin. Also check that you updated ias.properties correctly in step 2 and that you configured the OID replica correctly. Then repeat step 6.
If the error messages in the log files indicate a database error, check that the Replica Repository is running and that you updated the ldap.ora file correctly in step 4. Then repeat step 6.
Perform this step only if your Replica is on an HPUX system.
Edit the following file:
REPLICA_HOME/opmn/conf/opmn.xml
Locate the entry for OC4J_SECURITY. In the environment element, replace LD_LIBRARY_PATH with SHLIB_PATH. For example, change:
<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="LD_LIBRARY_PATH" value="/private/oracleas/lib"/>
To:
<process-type id="OC4J_SECURITY" module-id="OC4J">
  <environment>
    <variable id="SHLIB_PATH" value="/private/oracleas/lib32"/>
Save and close the file.
Run the following command:
REPLICA_HOME/dcm/bin/dcmctl updateConfig
Reload OPMN:
REPLICA_HOME/opmn/bin/opmnctl reload
Register mod_osso.
Set environment variables.
On HPUX systems, make sure the SHLIB_PATH environment variable includes $ORACLE_HOME/lib32.
On all other UNIX systems, make sure the LD_LIBRARY_PATH environment variable includes $ORACLE_HOME/lib.
Run the following command:
REPLICA_HOME/jdk/bin/java -jar REPLICA_HOME/sso/lib/ossoreg.jar -oracle_home_path REPLICA_HOME -site_name replica_host -config_mod_osso TRUE -mod_osso_url http://replica_host:replica_http_port -u user
Note that user is the user that starts Oracle HTTP Server. On UNIX, if the Oracle HTTP Server port number is < 1024, this user is root. Otherwise, it is usually the user that installed Oracle Application Server.
Configure DAS in the Application Server Control Console.
Navigate to the Application Server Control Console:
http://replica_host:replica_em_port
Use the Application Server Control Console to navigate to the Instance Home Page for the Replica instance.
On the Instance Home Page, in the System Components section, click Configure Component.
On the Select Component screen, select Delegated Administration Service in the dropdown menu. Click Continue.
On the Login screen:
In the User Name field, enter cn=orcladmin.
In the Password field, enter the Replica cn=orcladmin password ("welcome").
Click Finish.
When the confirmation message appears, click OK.
Update the DAS URL entry.
On the Replica host, create a file named mod.ldif with the following lines:
dn:cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
changetype:modify
replace:orcldasurlbase
orcldasurlbase:http://replica_host:replica_http_port/
Note the slash at the end of the URL.
Run the following command:
REPLICA_HOME/bin/ldapmodify -D cn=orcladmin -w replica_orcladmin_passwd -p replica_oid_port -v -f mod.ldif
Restart the Replica instance:
REPLICA_HOME/opmn/bin/opmnctl stopall
REPLICA_HOME/opmn/bin/opmnctl startall
Validation Step: Verify that SSO was configured successfully.
Navigate to the following URL and click Login:
http://replica_host:replica_http_port/pls/orasso
Log in as orcladmin and use the password you specified during the installation of the Master. If the page does not appear or the login fails, check the following log files:
REPLICA_HOME/Apache/Apache/logs/error_log.most_recent_timestamp
REPLICA_HOME/sso/log/ssoServer.log
Validation Step: Verify that DAS was configured successfully.
Using the Application Server Control Console, navigate to the Instance Home Page where DAS is running. Verify that OC4J_SECURITY is listed in the System Components section. Verify that the Farm value displayed on the page is the Replica Repository.
Verify DAS is running properly:
Log in to DAS using the following URL:
http://replica_host:replica_http_port/oiddas
You can log in as orcladmin. The password is master_orcladmin_passwd.
Click the My Profile tab.
Make sure the correct login user information is shown on this page.
Click on the Directory tab.
Type in a keyword in the "Search for user" field and click the Go button.
Make sure the correct list of users is shown on the search result table.
If these steps fail, turn on DAS debugging mode by setting the DEBUG flag to true in the following file:
REPLICA_HOME/ldap/das/das.properties
and restart DAS as follows:
REPLICA_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
REPLICA_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
Repeat the steps for verifying DAS is running properly to reproduce the problem. Examine the errors in the DAS log file:
REPLICA_HOME/ldap/log/das.log
Migrate the DIP data:
MASTER_HOME/bin/dipassistant reassociate -src_ldap_host master_host -src_ldap_port master_oid_port -dst_ldap_host replica_host -dst_ldap_port replica_oid_port -src_ldap_passwd master_orcladmin_passwd -dst_ldap_passwd replica_orcladmin_passwd
This command prints log messages to:
MASTER_HOME/ldap/odi/log/reassociate.log
Configure DIP in the Application Server Control Console.
Navigate to the Application Server Control Console:
http://replica_host:replica_em_port
Use the Application Server Control Console to navigate to the Instance Home Page for the Replica instance.
On the Instance Home Page, in the System Components section, click Configure Component.
On the Select Component screen, select Directory Integration and Provisioning in the dropdown menu. Click Continue.
On the Login screen:
In the User Name field, enter cn=orcladmin.
In the Password field, enter the Replica cn=orcladmin password ("welcome").
Click Finish.
When the confirmation message appears, click OK.
Start the DIP server on the Replica:
REPLICA_HOME/bin/oidctl server=odisrv instance=1 flags="port=replica_oid_port" start
Restart the Application Server Control Console:
REPLICA_HOME/bin/emctl stop iasconsole
REPLICA_HOME/bin/emctl start iasconsole
Validation Step: Verify that DIP was configured successfully.
Navigate to the Directory Integration Page on the Application Server Control Console. The DIP server instance "1" should have a status of "UP", the DIP host should be the Replica host, and the OID node should be the Replica host. If this is not the case, the DIP server was not registered and brought up on the Replica host successfully. To debug this problem, check the DIP server log file:
REPLICA_HOME/ldap/log/odisrv01.log
All provisioning profiles should be getting executed successfully. If any of the profiles show a "Database connection error" in the errors field, then the reassociation of the profiles was not successful. To debug this problem, check the application-specific trace file in this directory:
REPLICA_HOME/ldap/odi/log
The trace file names are of the form application_name_realm_name_E.trc or application_name_realm_name_E.aud.
You have finished setting up an LDAP-based Replica. You can return to the main procedure you are following in either Section 8.4, "Moving Identity Management to a New Host" or Section 8.5, "Changing from a Test to a Production Environment".
This procedure describes how to migrate SSO and DIP data from a source Infrastructure to a target Infrastructure.
If you are using this procedure in conjunction with Section 8.4, "Moving Identity Management to a New Host", you should migrate the SSO and DIP data from the Master (old host) to the Replica (new host).
In this case, the Master is the source and the Replica is the target. You can convert the parameters in the procedure as follows:
Convert SOURCE_param to MASTER_param
Convert TARGET_param to REPLICA_param
If you are using this procedure in conjunction with Section 8.5, "Changing from a Test to a Production Environment", you should migrate the SSO and DIP data from the Replica (Test) to the Master (Production).
In this case, the Replica is the source and the Master is the target. You can convert the parameters in the procedure as follows:
Convert SOURCE_param to REPLICA_param
Convert TARGET_param to MASTER_param
Refer to Table F-1 to obtain the values for the various parameters used in this procedure.
This procedure contains the following tasks:
Note: Make sure the ORACLE_HOME and ORACLE_SID environment variables are set before you begin. This applies to all platforms.
Task 1: Migrate the SSO Data
Obtain the ORASSO schema password on the source:
SOURCE_HOME/bin/ldapsearch -p source_oid_port -h source_host -D "cn=orcladmin" -w source_orcladmin_passwd -b "orclresourcename=orasso, orclreferencename=source_global_db_name, cn=ias infrastructure databases, cn=ias, cn=products, cn=oraclecontext" -s base "objectclass=*" orclpasswordattribute
This command prints the ORASSO password in a line like the following:
orclpasswordattribute=LAetjdQ5
Export the SSO data from the source (make sure ORACLE_HOME is set before you run this command):
SOURCE_HOME/sso/bin/ssomig -export -s orasso -p source_orasso_passwd -c source_db_name -log_d $SOURCE_HOME/sso/log
source_orasso_passwd is the ORASSO password obtained in the previous step.
Copy the ssomig.dmp and ssoconf.log files from the source to the target, preserving the exact full path for each file:
cp SOURCE_HOME/sso/log/ssomig.dmp TARGET_HOME/sso/log/ssomig.dmp
cp SOURCE_HOME/sso/log/ssoconf.log TARGET_HOME/sso/log/ssoconf.log
Obtain the ORASSO schema password on the target:
TARGET_HOME/bin/ldapsearch -p target_oid_port -h target_host -D "cn=orcladmin" -w target_orcladmin_password -b "orclresourcename=orasso, orclreferencename=target_global_db_name, cn=ias infrastructure databases, cn=ias, cn=products, cn=oraclecontext" -s base "objectclass=*" orclpasswordattribute
Import the SSO data to the target:
TARGET_HOME/sso/bin/ssomig -import -overwrite -s orasso -p target_orasso_passwd -c target_db_name -log_d $TARGET_HOME/sso/log -discoforce
target_orasso_passwd is the ORASSO password obtained in the previous step.
Validation Step: Verify that the export and import of SSO succeeded.
Verify that the SSO migration tool reported success. You can also check the following log files for errors:
SOURCE_HOME/sso/log/ssomig.log
TARGET_HOME/sso/log/ssomig.log
See Also: Oracle Application Server Single Sign-On Administrator's Guide for information on interpreting messages in the log files
Task 2: Migrate the DIP Data
This task describes how to migrate your DIP data.
See Also: If the OID non-SSL port is disabled, then refer to the DIP documentation in Oracle Internet Directory Administrator's Guide for running the following commands using the OID SSL port.
Stop the DIP server on the source:
SOURCE_HOME/bin/oidctl server=odisrv instance=1 stop
Migrate the DIP data:
SOURCE_HOME/bin/dipassistant reassociate -src_ldap_host source_host -src_ldap_port source_oid_port -dst_ldap_host target_host -dst_ldap_port target_oid_port -src_ldap_passwd source_orcladmin_passwd -dst_ldap_passwd target_orcladmin_passwd
This command prints log messages to:
SOURCE_HOME/ldap/odi/log/reassociate.log
Stop the DIP server on the target:
TARGET_HOME/bin/oidctl server=odisrv instance=1 stop
Register the DIP server on the target:
TARGET_HOME/bin/odisrvreg -D "cn=orcladmin" -w target_orcladmin_passwd -h target_host -p target_oid_port
Start the DIP server on the target:
TARGET_HOME/bin/oidctl server=odisrv instance=1 flags="port=target_oid_port" start
This section describes how to migrate Oracle Internet Directory data from a Replica (Test) to the Master (Production). This procedure is used in conjunction with the procedure in Section 8.5, "Changing from a Test to a Production Environment".
Refer to Table F-1 to obtain the values for the various parameters used in this procedure.
Note: Make sure the ORACLE_HOME and ORACLE_SID environment variables are set before you begin. This applies to all platforms.
End the Pilot Mode on the Replica.
Obtain the Replica replica ID by running the following command:
REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -b "" -s base "objectclass=*" orclreplicaid
The replica ID will look something like "myhost_asdb".
On the Replica host, create a file named mod.ldif that contains the following lines:
dn: orclreplicaid=replica_replicaid,cn=replication configuration
changetype: modify
replace: orclpilotmode
orclpilotmode: 0
Where replica_replicaid is the Replica replica ID obtained in the previous step.
Run the following command:
REPLICA_HOME/bin/ldapmodify -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -v -f mod.ldif
Restart OID:
REPLICA_HOME/opmn/bin/opmnctl stopproc ias-component=OID
REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
(Optional) Clean up entries in the Replica OID.
You can clean up (delete) the data that is modified or added on the Test (Replica) OID so that it is not migrated to the Production (Master) OID. This might be a requirement of a middle-tier component or might be desired by the administrator who maintains OID consistency in the Production OID.
To clean up the data, use the ldapdelete command-line utility and delete entries that should not be migrated.
See Also: Oracle Internet Directory Administrator's Guide for more information on the ldapdelete command
Quiesce the Distributed Directory Environment.
It is very important to quiesce the Distributed Directory environment while the data migration from the Replica (Test) to the Master (Production) takes place. This ensures that there are no conflicting updates, and therefore no data loss or corruption.
To quiesce the Distributed Directory Environment:
Make sure that both the Replica and the Master are up and running.
Change the ldapserver on the Replica (Test) to read-only mode.
On the Replica host, create a file named mod.ldif that contains the following lines:
dn:
changetype: modify
replace: orclservermode
orclservermode: r
Run the following command:
REPLICA_HOME/bin/ldapmodify -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -v -f mod.ldif
Wait until all the pending changes are applied to both nodes and the nodes are completely in sync. There is no tool to automatically detect this, but you can monitor the replication log files and make sure there are no new changes being processed by any node in the Directory Replication Group (DRG), which ensures that the DRG is in a quiesced state.
Make a Backup of the Middle-Tier Data in the Replica (Test)
Once middle-tier component testing is complete, you must identify the Database Access Descriptor (DAD) that has been modified or added locally at the Replica (Test) directory and move this data to the Master (Production) directory. This step describes how to back up the data from the Replica into a flat file.
Catalog the modifytimestamp and modifiersname attributes:
REPLICA_HOME/ldap/bin/catalog.sh -connect replica_db_name -add -attr modifytimestamp
REPLICA_HOME/ldap/bin/catalog.sh -connect replica_db_name -add -attr modifiersname
Enter "ODS" when the script requests the OID database user password.
Note: On Windows, make sure to run this command using the MKS Toolkit, and set the ORACLE_HOME and ORACLE_SID environment variables.
Restart OID:
REPLICA_HOME/opmn/bin/opmnctl stopproc ias-component=OID
REPLICA_HOME/opmn/bin/opmnctl startproc ias-component=OID
Retrieve the Pilot Start Time:
REPLICA_HOME/bin/ldapsearch -h replica_host -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -b "orclreplicaid=replica_replicaid,cn=replication configuration" -s base "objectclass=*" pilotstarttime
Where replica_replicaid is the Replica replica ID you obtained earlier in the procedure.
This command returns something like:
orclreplicaid=myhost_asdb,cn=replication configuration
pilotstarttime=20031119120647z
Perform the following search against the Replica to back up the data (this step creates a file called migrate.ldif). Note that the following command should be typed all on one line.
Note: On Windows platforms, make sure to run this command using the MKS Toolkit.
REPLICA_HOME/bin/ldapsearch -L -h replica_host -p replica_oid_port -D cn=orcladmin -w replica_orcladmin_passwd -b "" -s sub "(&(modifytimestamp >= pilot_start_time) (!(modifiersname=cn=replicationdn, orclreplicaid=replica_replicaid, cn=replication configuration)))" \* orclguid > migrate.ldif
pilot_start_time is the Pilot Start Time obtained in a previous step.
replica_replicaid is the Replica replica ID obtained at the beginning of this procedure.
Copy the migrate.ldif file, created by the previous command, from the Replica node to the Master node:
cp REPLICA_HOME/bin/migrate.ldif MASTER_HOME/bin/migrate.ldif
Migrate OID Data to the Master (Production)
Run the following command to migrate data to the Master. Make sure you use the -r flag. Specify the migrate.ldif file created in the previous step.
MASTER_HOME/bin/ldapaddmt -h master_host -p master_oid_port -D "cn=orcladmin" -w master_orcladmin_passwd -r -f migrate.ldif
Validation Step: Verify that the migration of OID data succeeded.
Verify that ldapaddmt reported success. You can check the add.log file for errors, which is created in the directory from which you ran the ldapaddmt command.
If add.log is empty, the command succeeded.
If add.log contains errors such as "Additional Info: Parent entry not found in the directory", then the entries in migrate.ldif are not in the correct order: a child entry appears before its parent entry. Run ldapaddmt again and this will take care of adding the child entries.
See Also: Oracle Internet Directory Administrator's Guide for information on interpreting messages in log files
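As an added example that is not part of the Oracle documentation, the following Python script catches the ordering problem described in this validation step before the first ldapaddmt run: it parses a migrate.ldif export, sorts the entries parent-first, and lists entries whose parent is absent from the file and so must already exist on the Master. The embedded LDIF is constructed sample data and the dc=example,dc=com DNs are assumptions.

```python
# Added example: reorder a migrate.ldif export so parent entries precede children,
# and flag entries whose parent must already exist on the Master.
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=example,dc=com
objectclass: person
orclguid: CONSTRUCTED-GUID-1

dn: cn=Users,dc=example,dc=com
objectclass: orclContainer
orclguid: CONSTRUCTED-GUID-2
"""  # constructed sample: the child entry is listed before its parent

def split_dn(dn):
    # Split into RDNs on unescaped commas; a backslash escapes the next character.
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, cur, i = parts + [cur.strip()], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return parts + [cur.strip()]

def parse_ldif(text):
    # Return (dn, entry_text) pairs; folded lines (leading space) are unwrapped.
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        dn_lines = [l for l in lines if l.lower().startswith("dn:")]
        if dn_lines:
            entries.append((dn_lines[0][3:].strip(), "\n".join(lines)))
    return entries

def order_parents_first(entries):
    # Stable sort by RDN count: a parent always has fewer RDNs than any child.
    return sorted(entries, key=lambda e: len(split_dn(e[0])))

def parents_outside_file(entries):
    # DNs whose parent is not in the export; ldapaddmt still rejects them unless
    # that parent already exists on the Master.
    def key(dn):
        return ",".join(p.lower() for p in split_dn(dn))
    present = {key(dn) for dn, _ in entries}
    return [dn for dn, _ in entries if key(",".join(split_dn(dn)[1:])) not in present]
```

Write the entries returned by order_parents_first back out separated by blank lines and pass that file to ldapaddmt -f in place of the raw export.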
Migrate SSO and DIP data from the Replica (Test) to the Master (Production).
(Optional) Post-Migration Cleanup Tasks
Some middle-tier components might have special cleanup requirements after you have changed to the Master (Production). You can perform these cleanup tasks on the Replica (Test) after the middle-tier instances have been changed to the Production Node.