Oracle® Identity Management Concepts and Deployment Planning Guide
10g Release 2 (10.1.2) Part No. B14084-01
This appendix describes how to deploy Oracle Application Server 10g Release 2 (10.1.2) Identity Management with multimaster replication in a configuration that includes multiple components. Before attempting the tasks described in this document, you should become familiar with all components of Oracle Application Server 10g Release 2 (10.1.2), including Oracle Internet Directory, Oracle Application Server Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration and Provisioning. You should also be familiar with replication concepts.
See Also: Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.
Keep the following points in mind when using the command-line tools mentioned in this document:
The ORACLE_HOME, MASTER_HOME, and REPLICA_HOME variables designate absolute Oracle home paths.
Use the appropriate path separator while running the tools. The notation in this appendix is based on the UNIX path variable notation. For example, the ldifadd tool is located in the $ORACLE_HOME/bin directory in the UNIX environment. In the Windows environment, this tool is located in the ORACLE_HOME\bin directory.
The PATH environment variable should include the ORACLE_HOME\bin, ORACLE_HOME\ldap\bin and ORACLE_HOME\opmn\bin directories.
Include $ORACLE_HOME/lib in the appropriate library environment variable. For example, in the Solaris environment, include $ORACLE_HOME/lib in the LD_LIBRARY_PATH environment variable.
This appendix includes the following sections:
In Figure A-1, the Oracle Identity Management master node includes Host 1 and Host 2. Oracle Identity Management and Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 1. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services are installed on Host 2.
Similarly, the Oracle Identity Management replica node includes Host 3 and Host 4. Oracle Identity Management and Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 3. Oracle Application Server Single Sign-On and Oracle Delegated Administration Services are installed on Host 4.
Install Oracle Internet Directory and Oracle Directory Integration and Provisioning on the master node as follows:
Install Oracle Application Server 10g Release 2 (10.1.2). Select Oracle Internet Directory, Identity Management and Metadata Repository, and Oracle Directory Integration and Provisioning on Host 1 using MASTER_HOME as the Oracle home.
Do not install any other Oracle Identity Management components, such as Oracle Application Server Single Sign-On or Oracle Delegated Administration Services.
Install Oracle Internet Directory with Metadata Repository on the replica node as follows:
Install Oracle Application Server 10g Release 2 (10.1.2). Select Oracle Internet Directory, Identity Management and OracleAS Metadata Repository, and Oracle Directory Integration and Provisioning on Host 3 using REPLICA_HOME as the Oracle home. This installation will have only Oracle Internet Directory with Metadata Repository and Oracle Directory Integration and Provisioning. The Replica node Metadata Repository database should have a unique global database name.
Do not install any other Oracle Identity Management components, such as Oracle Application Server Single Sign-On, and Oracle Delegated Administration Services.
Note: While installing the replica, select HA in the advanced configuration screen. Oracle Universal Installer will ask you to choose Replica install. When you select that, it will allow you to choose ASR Replica or LDAP Replica. Select ASR Replica and continue.
Use the following procedure to set up replication between the master node and the replica node.
Prepare both the master node and the replica node for replication, as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.
Set up replication by using the following command on both nodes:
$MASTER_HOME/bin/remtool -asrsetup
Start up the Oracle Internet Directory replication server at the master node and at the replica node.
Verify that the replication setup is correct.
See Also: Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.
Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, as follows:
On Host 2, install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services so that those components use the Metadata Repository and Oracle Internet Directory on the master node. To do that, select Oracle Identity Management (without the Metadata Repository). When prompted for the Oracle Internet Directory information, provide the hostname and port of Host 1.
Select the Load Balancer configuration option and provide the load balancer name when prompted.
Repeat this procedure to install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on additional replicas.
To synchronize the Oracle Application Server Single Sign-On schema password, follow Step 2 under "Configuring the Identity Management Database for Replication" in Oracle Application Server Single Sign-On Administrator's Guide. This will synchronize Oracle Application Server Single Sign-On schema passwords between the master Metadata Repository database (MDS) and the replica Metadata Repository database (RMS).
After you have performed this step on the master node, do it on each replica node.
Note: If you encounter errors, the Metadata Repository might be misconfigured. Either the MDS or the RMS might not have the correct database information, as used by Oracle Application Server Single Sign-On.
Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services, as follows:
On Host 4, install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services so that those components use the Metadata Repository and Oracle Internet Directory on the master node. To do that, select Oracle Identity Management (without the Metadata Repository).
Select the Load Balancer configuration option and provide the load balancer name when prompted.
Synchronize the mod_osso configuration from the master mid-tier, as described in the section on reregistering mod_osso for the single sign-on middle tiers, in Oracle Application Server Single Sign-On Administrator's Guide.
Repeat this procedure to install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on additional replicas.
Oracle Directory Integration and Provisioning supports high availability in an Oracle Internet Directory multimaster replicated scenario, with certain drawbacks. In this high availability scenario, when changes are applied to Oracle Internet Directory on one node, the changes get propagated to the other consumer nodes. The Oracle Directory Integration and Provisioning server running on each node is responsible for event propagation to the configured applications on that node. That is, the applications that have provisioning profiles on that Oracle Internet Directory node will be informed of the changes happening on that Oracle Internet Directory node.
To add a replication node to a functioning directory replication group (DRG), follow these steps.
First, install the new node.
Install Oracle Application Server 10g Release 2 (10.1.2) Identity Management and Metadata Repository. This installation will have only the Metadata Repository, Oracle Internet Directory and Oracle Directory Integration and Provisioning. The replica node Metadata Repository should have a unique global database name.
Do not install other Identity Management components such as Oracle Application Server Single Sign-On or Oracle Delegated Administration Services.
Prepare the environment for adding a node.
Configure the Oracle Net Services environment as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.
Stop the directory replication server on all nodes.
Identify a sponsor node and switch the sponsor node to read-only mode.
Note: While the sponsor node is in read-only mode, do not make any updates to it. You may, however, update any of the other nodes, but those updates are not replicated immediately. Also, the sponsor node and the MDS can be the same node.
Back up the sponsor node by using ldifwrite. Enter the following command:
$ORACLE_HOME/bin/ldifwrite -c connect_string \
  -b "orclagreementid=000001,cn=replication configuration" \
  -f output_ldif_file
Add the node into the replication group.
Perform the Advanced Replication add node setup on the sponsor node by typing:
$ORACLE_HOME/ldap/bin/remtool -addnode
The Replication Environment Management Tool adds the node to the DRG.
Note: If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all the nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.
Switch the sponsor node to updatable mode.
Start the directory replication server on all nodes except the new node.
Stop oidmon.
Load data into the new node, as follows:
First do a check and generate by typing:
$ORACLE_HOME/ldap/bin/bulkload.sh \
-connect <db_connect_string_of_new_node> \
-check -generate -restore \
absolute_path_to_the_ldif_file_generated_by_ldifwrite
Note: Verify that $ORACLE_HOME/ldap/log/bulkload.log does not report any errors. It is possible that you might see Duplicate entry errors in the log for some of the entries. You can safely ignore this error and proceed with the load.
Now load the data on the target node by typing:
$ORACLE_HOME/ldap/bin/bulkload.sh \
  -connect db_connect_string_of_new_node \
  -load -restore \
  absolute_path_to_the_ldif_file_generated_by_ldifwrite
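The note above says that Duplicate entry errors in bulkload.log may be ignored but that any other error should stop you from proceeding to the -load step. The following POSIX shell function, an added example that is not part of the Oracle guide, makes that gate scriptable; the log line format of the constructed sample logs is an assumption, not the real bulkload output.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Scans a bulkload.log and
# returns 0 only when every error line is a "Duplicate entry" error,
# which the guide says is safe to ignore before running bulkload -load.
# The sample log lines below are constructed; the real format may differ.

# Usage: bulkload_log_ok /path/to/bulkload.log
# Prints the blocking error lines to stderr and returns 1 if any exist.
bulkload_log_ok() {
  log="$1"
  [ -r "$log" ] || { echo "cannot read $log" >&2; return 1; }
  # Keep error lines, drop the duplicate-entry ones; "|| true" keeps the
  # assignment from failing under set -e when nothing is left.
  blocking=$(grep -i 'error' "$log" | grep -iv 'duplicate entry' || true)
  if [ -n "$blocking" ]; then
    echo "bulkload reported errors; do not proceed with -load:" >&2
    echo "$blocking" >&2
    return 1
  fi
  return 0
}

# Usage: bulkload_dup_count /path/to/bulkload.log
# Prints how many duplicate-entry errors were skipped, for the run report.
bulkload_dup_count() {
  grep -ic 'duplicate entry' "$1" || true
}

# Constructed sample logs (hypothetical format) in a scratch directory.
tmp=$(mktemp -d)
cat > "$tmp/clean.log" <<'EOF'
Checking LDIF file ...
Error: Duplicate entry cn=orcladmin,cn=users,dc=example,dc=com
Generate phase completed
EOF
cat > "$tmp/bad.log" <<'EOF'
Checking LDIF file ...
Error: Duplicate entry cn=orcladmin,cn=users,dc=example,dc=com
Error: Invalid syntax in attribute orclguid, line 42
EOF

# Gate the load on the check-and-generate log.
if bulkload_log_ok "$tmp/clean.log"; then
  echo "safe to proceed with -load ($(bulkload_dup_count "$tmp/clean.log") duplicate entries skipped)"
fi
```

Run it against $ORACLE_HOME/ldap/log/bulkload.log after the -check -generate step and only invoke bulkload.sh -load when the function returns 0.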
Start the directory server on the new node by typing the following command:
$ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
Start the directory replication server on the new node by typing:
$ORACLE_HOME/bin/oidctl connect=db_connect_string_of_new_node \
  server=oidrepld instance=1 \
  flags='-h host_name_of_new_node -p port' start
Install a new mid-tier, based on the new replica node.
Synchronize the Oracle Application Server Single Sign-On schema passwords from MDS to the new node as described in "Synchronizing the Single Sign-On Schema Password".
Install Oracle Application Server Single Sign-On and Oracle Delegated Administration Services as described in "Installing Oracle Application Server Single Sign-On and Oracle Delegated Administration Services on the Replica Node".
Configure the HTTP load balancer to distribute incoming traffic to this newly installed node.
You can delete a node from a DRG, provided the DRG contains more than two nodes. You might need to do so if the addition of a new node did not fully succeed as a result of system errors. To delete a replication node, perform these steps:
Stop the directory replication server on all nodes. To do that, run the following command on each node in the DRG:
$ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld instance=1 stop
Note: The instance number may vary.
Stop all processes on the node to be deleted.
Stop all processes in the associated mid-tier Oracle home.
$ORACLE_HOME/opmn/bin/opmnctl stopall
On the node to be deleted, stop all Oracle Application Server processes including Oracle Internet Directory Monitor and all directory server instances.
$ORACLE_HOME/opmn/bin/opmnctl stopall
Delete the node from the master definition site. From the MDS, run the following command:
$ORACLE_HOME/ldap/bin/remtool -delnode
Note: If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.
Start the directory replication server on all nodes by typing the following command:
$ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld \
  instance=1 flags='-h host -p port' start
Decommission the removed node and its associated mid-tier. You can optionally decommission the removed replicated node and associated mid-tier by deinstalling the corresponding Oracle homes.
See Also: Replication information in the Oracle Internet Directory Administrator's Guide and the Oracle Application Server Installation Guide.