A Deploying Oracle Identity Management with Multimaster Replication

This Appendix describes how to deploy Oracle Application Server 10g Release 2 (10.1.2) Identity Management with multimaster replication in a configuration that includes multiple components.Before attempting the tasks described in this document, you should become familiar with all components of Oracle Application Server 10g Release 2 (10.1.2), including: Oracle Internet Directory, Oracle Application Server Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration and Provisioning. You should also be familiar with replication concepts.

See Also:

Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.

Keep the following points in mind when using the commands-line tools mentioned in this document:

The ORACLE_HOME, MASTER_HOME, and REPLICA_HOME variables designate absolute Oracle home paths.
Use the appropriate path separator while running the tools. The notation in this appendix is based on the UNIX patch variable notation. For example, the ldifadd tool is located in the $ORACLE_HOME/bin directory in the UNIX environment. In the Windows environment, this tool is located in the ORACLE_HOME\bin directory.
The PATH environment variable should include ORACLE_HOME\bin, ORACLE_HOME\ldap\bin and ORACLE_HOME\opmn\bin directories.
Include $ORACLE_HOME/lib in the appropriate library environment variable. For example, in the Solaris environment, include $ORACLE_HOME/lib in the LD_LIBRARY_PATH environment variable.

This appendix includes the following sections:

Multimaster Identity Management Replication Configuration
Adding a Node to a Multimaster Replication Group
Deleting a Node from a Multimaster Replication Group

A.1 Multimaster Identity Management Replication Configuration

In Figure A-1, The Oracle Identity Management master node includes Host 1 and Host 2. Oracle Identity Management and Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 1. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, are installed on Host 2.

Similarly, the Oracle Identity Management replica node includes Host 3 and Host 4. Oracle Identity Management and Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 3. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, are installed on Host 4.

Figure A-1 Multimaster Replication Configuration with Two Hosts Per Node

A.1.1 Master Node Installation

Install Oracle Internet Directory and Oracle Directory Integration and Provisioning on the master node as follows:

Install Oracle Application Server 10g Release 2 (10.1.2). Select Oracle Internet Directory, Identity Management and Metadata Repository, and Oracle Directory Integration and Provisioning on Host 1 using MASTER_HOME as the Oracle home.
Do not install any other Oracle Identity Management components such as Oracle Application Server Single Sign-On, or Oracle Delegated Administration Services

A.1.2 Replica Node Installation

Install and Oracle Internet Directory with Metadata Repository on the replica node as follows:

Install Oracle Application Server 10g Release 2 (10.1.2). Select Oracle Internet Directory, Identity Management and OracleAS Metadata Repository, and Oracle Directory Integration and Provisioning on Host 3 using REPLICA_HOME as the Oracle home. This installation will have only Oracle Internet Directory with Metadata Repository and Oracle Directory Integration and Provisioning. The Replica node Metadata Repository database should have a unique global database name.
Do not install any other Oracle Identity Management components, such as Oracle Application Server Single Sign-On, and Oracle Delegated Administration Services.

Note:

While installing the replica, select HA in the advanced configuration screen. Oracle Universal Installer will ask you to choose Replica install. When you select that, it will allow you to choose ASR Replica or LDAP Replica. Select ASR Replica and continue.

A.1.3 Multimaster Replication Installation

Use the following procedure to set up replication between the master node and the replica node.

Prepare both the master node and the replica node for replication, as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.
Set up replication by using the following command on both nodes:
```
$MASTER_HOME/bin/remtool -asrsetup
```
Start up the Oracle Internet Directory replication server at the master node and at the replica node.
Verify that the replication setup is correct.

See Also:

Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.

A.1.4 Installing Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on the Master Node

Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, as follows:

On Host 2, install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services so that those components use the Metadata Repository and Oracle Internet Directory on the master node. To do that, select Oracle Identity Management (without the Metadata Repository). When prompted for the Oracle Internet Directory information, provide the hostname and port of Host 1.
Select the Load Balancer configuration option and provide the load balancer name when prompted.

Repeat this procedure to install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on additional replicas.

A.1.5 Synchronizing the Single Sign-On Schema Password

To synchronize the Oracle Application Server Single Sign-On schema password, follow Step 2 under "Configuring the Identity Management Database for Replication" in Oracle Application Server Single Sign-On Administrator's Guide. This will synchronize Oracle Application Server Single Sign-On schema passwords between the master Metadata Repository database (MDS) and the replica Metadata Repository database (RMS).

After you performed this step on the master node, do it on each replica node.

Note:

If you encounter errors, the Metadata Repository might be misconfigured. Either the MDS or RMS might not have the correct database information, as used by Oracle Application Server Single Sign-On.

A.1.6 Installing Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on the Replica Node

Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, as follows:

On Host 4, install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services so that those components use the Metadata Repository and Oracle Internet Directory on the master node. To do that, select Oracle Identity Management (without the Metadata Repository).
Select the Load Balancer configuration option and provide the load balancer name when prompted.
Synchronize the mod_osso configuration from the master mid-tier, as described in the section on reregistering mod_osso for the single sign-on middle tiers, in Oracle Application Server Single Sign-On Administrator's Guide.

Repeat this procedure to install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on additional replicas.

A.1.7 Oracle Directory Integration and Provisioning Event Propagation in a Multimaster Scenario

Oracle Directory Integration and Provisioning supports high availability in an Oracle Internet Directory multimaster replicated scenario, with certain drawbacks. In this high availability scenario, when changes are applied to Oracle Internet Directory on one node, the changes get propagated to the other consumer nodes. The Oracle Directory Integration and Provisioning server running on each node is responsible for event propagation to the configured applications on that node. That is, the applications that have provisioning profiles on that Oracle Internet Directory node will be informed of the changes happening on that Oracle Internet Directory node.

A.2 Adding a Node to a Multimaster Replication Group

To add a replication node to a functioning directory replication group (DRG), follow these steps.

First, install the new node.

Install Oracle Application Server 10g Release 2 (10.1.2) Identity Management and Metadata Repository. This installation will have only the Metadata Repository, Oracle Internet Directory and Oracle Directory Integration and Provisioning. The replica node Metadata Repository should have a unique global database name.

Do not install other Identity Management components such as Oracle Application Server Single Sign-On or Oracle Delegated Administration Services.
Prepare the environment for adding a node.
1. Configure the Oracle Net Services environment as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.
2. Stop the directory replication server on all nodes
3. Identify a sponsor node and switch the sponsor node to read-only mode
  
  Note: While the sponsor node is in read-only mode, do not make any updates to it. You may, however, update any of the other nodes, but those updates are not replicated immediately. Also, the sponsor node and the MDS can be the same node.
4. Back up the sponsor node by using ldifwrite. Enter the following command:
```
$ORACLE_HOME/bin/ldifwrite -c connect_string  \
         -b "orclagreementid=000001,cn=replication configuration" \
         -f output_ldif_file
```

Add the node into the replication group.

Perform the Advanced Replication add node setup on the sponsor node by typing:

$ORACLE_HOME/ldap/bin/remtool -addnode

The Replication Environment Management Tool adds the node to the DRG.

Note:

Note: If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all the nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.

Switch the sponsor node to updatable mode.
Start the directory replication server on all nodes except the new node.
Stop oidmon

Load data into the new node, as follows:

First do a check and generate by typing:

$ORACLE_HOME/ldap/bin/bulkload.sh \
  -connect <db_connect_string_of_new_node> \
  -check -generate -restore  \
  absolute_path_to_the_ldif_file_generated_by_ldifwrite

Note:

Verify that the $ORACLE_HOME/ldap/log/bulkload.log does not report any errors. It's possible that you might see Duplicate entry errors in the log for some of the entries. You can safely ignore this error and proceed with the load.

Now load the data on the target node by typing:

$ORACLE_HOME/ldap/bin/bulkload.sh \
  -connect db_connect_string_of_new_node \
  -load -restore  \
  absolute_path_to_the_ldif_file_generated_by_ldifwrite

Start the directory server on the new node by typing the following command:
```
$ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
```

Start the directory replication server on the new node by typing:

$ORACLE_HOME/bin/oidctl connect=db_connect_string_of_new_node \
   server=oidrepld instance=1 \
   flags='-h host_name_of_new_node -p port'  start

Install a new mid-tier, based on the new replica node.
1. Synchronize the Oracle Application Server Single Sign-On schema passwords from MDS to the new node as described in "Synchronizing the Single Sign-On Schema Password".
2. Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services as described in "Installing Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on the Replica Node".
3. Configure the HTTP load balancer to distribute incoming traffic to this newly installed node.

A.3 Deleting a Node from a Multimaster Replication Group

You can delete a node from a DRG, provided the DRG contains more than two nodes. You might need to do so if the addition of a new node did not fully succeed as a result of system errors. To delete a replication node, perform these steps:

Stop the directory replication server on all nodes. To do that, run the following command on each node in the DRG:
```
$ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld instance=1 stop
```
Note:
Note: The instance number may vary.
Stop all processes on the node to be deleted.
1. Stop all processes in the associated mid-tier Oracle home.
```
$ORACLE_HOME/opmn/bin/opmnctl stopall
```
2. On the node to be deleted, stop all Oracle Application Server processes including Oracle Internet Directory Monitor and all directory server instances.
```
$ORACLE_HOME/opmn/bin/opmnctl stopall
```

Delete the node from the master definition site. From the MDS, run the following command:

$ORACLE_HOME/ldap/bin/remtool -delnode

Note:

If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.

Start the directory replication server on all nodes by typing the following command:

$ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld \
  instance=1 flags='-h host -p port' start

Decommission the removed node and its associated mid-tier. You can optionally decommission the removed replicated node and associated mid-tier by deinstalling the corresponding Oracle homes.

See Also:

Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.