21 Transforming to OracleAS Cold Failover Cluster Topologies

21.3.1 Overview of Steps

Transformation steps, at a high level, are:

Step 1: Convert the Single-Instance Database to a Cold Failover Cluster Database

Step 2: Update the Source Oracle Identity Management to Use the New OracleAS Metadata Repository

Step 3: Install New Oracle Identity Management Instance on the Shared Storage

Step 4: Configure Oracle Identity Management and Middle Tiers to Use the Virtual Hostname

Step 5: Deregister the Source Oracle Identity Management

Step 6: (optional) Create Failover Scripts

Step 7: Start the OracleAS Metadata Repository, Oracle Identity Management, and Middle Tiers

Step 8: Verify That All the Components Are Working

Step 9: Decommission the Oracle Homes That Are No Longer Used

21.3.2 Steps in Detail

The following steps use the following names to refer to the different nodes (the names match the ones used in Figure 21-1):

• Node 1 and node 2 are nodes in the source configuration.

• Cluster node 1 and cluster node 2 are nodes in the hardware cluster. At any given time, only one of these nodes has access to the shared storage on which you will install the Oracle Identity Management instance and the Oracle database.

Step 1 Convert the Single-Instance Database to a Cold Failover Cluster Database

After this step, your environment should look like the following (Figure 21-2):

1. Run the Oracle database installer on cluster node 1 to install only the Oracle database software on the shared storage (do not create a database). The database version that you install must be the same version as the source OracleAS Metadata Repository database.

   The database Oracle home created in this step will be referred to as CFC_MR_ORACLE_HOME in subsequent steps.

   If you are using Oracle Database 10g:

   1. Follow the steps in the guide listed below, but note this difference: In the Select Database Configuration screen, do not create a starter database.

      Item	Name
      Book	Oracle Database 10g Quick Installation Guide for your platform This book is available in the Oracle Database 10g documentation set.
      Section	"Install Oracle Database 10g"

      
      

   2. Apply the 10.1.0.4 patch set to the database software that you just installed by following the instructions in the README that comes with the patch set. Note: Perform the steps in the section "Required Post-Installation Tasks" in the README, up to, but not including, the section "Upgrade the Database". You have not created the database yet. You will do this later

   If you are using Oracle9i Database:

   1. Install the Oracle9i Release 2 (9.2.0.1) software. In the installer, select "Database Configuration: Software Only" because you are not creating the database yet.

   2. Apply the Oracle9i Release 2 (9.2.0.6) patch set. Perform these steps:

      • In the README file for the patch set, perform the steps in the section "Before You Install This Patch Set" if they apply to you.

      • Install the 9.2.0.6 patch set.

      • Perform the steps in the section "Required Post-Installation Tasks" in the README, up to, but not including, the section "Upgrade the Database". You have not created the database yet. You will do this later.

   
   

   Downtime 1 Starts: The next step starts the first downtime.

   
   

2. Stop the middle tier and the Oracle Identity Management instances so that they are not modifying the OracleAS Metadata Repository database while you are backing it up.

   To stop the middle tier:

   > MT_ORACLE_HOME/bin/emctl stop iasconsole
   > MT_ORACLE_HOME/opmn/bin/opmnctl stopall
   
   

   To stop the Oracle Identity Management:

   > SRC_IM_ORACLE_HOME/bin/emctl stop iasconsole
   > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
   
   

3. Back up the source Oracle Identity Management and middle tiers. You can use any backup tools. For example, you can use the OracleAS Backup and Recovery Tool, described in the Oracle Application Server Administrator's Guide.

4. Perform a cold backup of the OracleAS Metadata Repository datafiles and the oraInventory directory.

5. Back up the source OracleAS Metadata Repository by using DBCA to create a database template from the OracleAS Metadata Repository database.

   1. On node 1, start up DBCA.

      > SRC_MR_ORACLE_HOME/bin/dbca
      
      

   2. Select Manage Templates.

   3. Select Create a Database Template and select From an existing database (structure as well as data).

   4. Select the name of your database instance.

   5. Enter a name for the template.

      DBCA generates two files, template_name.dbc and template_name.dfb, in the SRC_MR_ORACLE_HOME/assistants/dbca/templates directory.

   6. Select Convert the file locations to use OFA structure.

6. Copy (or ftp in binary mode) the two files generated in the previous step to the shared storage and place them in the CFC_MR_ORACLE_HOME/assistants/dbca/templates directory on the shared storage.

7. Create a database listener.

   1. Start up Network configuration assistant.

      > CFC_MR_ORACLE_HOME/bin/netca
      
      

   2. Select Listener Configuration.

   3. Select the protocol and port.

   4. Exit the Network configuration assistant.

   5. In the CFC_MR_ORACLE_HOME/network/admin/listener.ora file, update the hostname in the listening address from the local host (cluster node 1) to the virtual hostname.

   6. Stop and restart the listener for the changes in the previous step to take effect.

      > CFC_MR_ORACLE_HOME/bin/lsnrctl stop
      > CFC_MR_ORACLE_HOME/bin/lsnrctl start
      
      

8. Restore the templates to the database that you installed in step 1.

   1. On cluster node 1, run DBCA to create a database using the templates you created in step 5.

      > CFC_MR_ORACLE_HOME/bin/dbca
      
      

   2. Select Create Database.

   3. Select the template name for the files that you copied to the shared storage.

   4. When prompted for the global database name and SID, enter the same names as your source OracleAS Metadata Repository.

   5. Accept the default values for the remaining screens.

9. On cluster node 2, create or edit the oratab file so that it includes a line for the Oracle database. The location of the file is platform-dependent:

   • Solaris: /var/opt/oracle/oratab

   • Other UNIX operating systems: /etc/oratab

   See the Oracle Database Installation Guide for the format of this file.

Step 2 Update the Source Oracle Identity Management to Use the New OracleAS Metadata Repository

In this step, you update the source Oracle Identity Management so that it uses the OracleAS Metadata Repository that you just installed in the hardware cluster. At the end of this step, your environment should be functional and look like the following (Figure 21-3):

1. Unlock the accounts in the new OracleAS Metadata Repository without changing the passwords. These accounts are listed in the SRC_IM_ORACLE_HOME/config/unlock.sql file, where SRC_IM_ORACLE_HOME is the home directory for the source Oracle Identity Management.

   To unlock the accounts without changing the passwords, perform these steps:

   1. Log into the database as the SYS user.

      > sqlplus SYS/password as sysdba
      
      

   2. Run the following commands for each user listed in the SRC_IM_ORACLE_HOME/config/unlock.sql file:

      • Determine the password for the user.

        SQL> select password from dba_users where username = 'username';
        
        

        Replace username with the name of the account.

      • Run the "alter user" command.

        SQL> alter user username identified by values 'password' account unlock;
        
        

        Replace username with the name of the account.

        Replace password with the password determined from the previous step.

   
   

   Note: Do not change the passwords for these accounts.

   
   

2. In the SRC_IM_ORACLE_HOME/network/admin/tnsnames.ora file, update the HOST parameter in the OracleAS Metadata Repository connect string to use the fully qualified virtual hostname.

3. Update the OracleAS Metadata Repository connect string in Oracle Internet Directory.

   1. Start the OPMN daemon (note that you run "opmnctl start", not "opmnctl startall").

      > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl start
      
      

   2. Start Oracle Internet Directory.

      > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
      
      

   3. Start Oracle Directory Manager.

      > SRC_IM_ORACLE_HOME/bin/oidadmin
      
      

   4. Log in as cn=orcladmin.

   5. Expand the following: Entry Management > cn=OracleContext.

   6. Select cn=dbName on the left side.

   7. In the Properties tab on the right side, update the HOST parameter in orclnetdescstring with the fully qualified virtual hostname.

4. Verify that the following items have the same connect string:

   • orclnetdescstring value in Oracle Internet Directory (see previous step)

   • the tnsnames.ora file in SRC_IM_ORACLE_HOME/network/admin

   • the tnsnames.ora file in CFC_MR_ORACLE_HOME/network/admin

5. Stop and restart Oracle Identity Management and middle tier.

   > MT_ORACLE_HOME/opmn/bin/opmnctl stopall
   > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
   > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl startall
   > MT_ORACLE_HOME/opmn/bin/opmnctl startall
   
   

6. Test OracleAS Infrastructure and middle-tier components. They should be working normally.

   
   

   Downtime 1 Ends: This ends the first downtime.

   
   

Step 3 Install New Oracle Identity Management Instance on the Shared Storage

Figure 21-4 shows the environment at the completion of this step.

1. Create an OracleAS Cluster (Identity Management) on the source Oracle Identity Management instance.

   > SRC_IM_ORACLE_HOME/dcm/bin/dcmctl createcluster -cluster cluster_name
   
   

   You create this OracleAS Cluster (Identity Management) as a means to copy configuration information from the source Oracle Identity Management to the new Oracle Identity Management.

2. Make the Oracle Identity Management instance the first member of the OracleAS Cluster (Identity Management).

   > SRC_IM_ORACLE_HOME/dcm/bin/dcmctl joincluster -cluster cluster_name
   
   

3. Create a staticports.ini file to specify the ports that you are using on node 1 for Oracle Identity Management. You will specify this file in the installer.

   You only need to specify the ports for Oracle Internet Directory in this file. The port numbers must match those for Oracle Internet Directory on node 1. You can copy the lines from the SRC_IM_ORACLE_HOME/install/portlist.ini file in the source Oracle Identity Management. For example:

   Oracle Internet Directory port = 389
   Oracle Internet Directory (SSL) port = 636
   
   

4. On cluster node 1, run the Oracle Application Server installer to install an Oracle Identity Management instance on the shared storage, and during installation, set this instance to belong to the OracleAS Cluster (Identity Management) that you created in the previous step. Essentially, you are installing a second instance in an OracleAS Cluster (Identity Management).

   Important details:

   • Install the Oracle Identity Management instance on the shared storage.

   • In the Select Configuration Options screen, select Oracle Internet Directory, OracleAS Single Sign-On, Oracle Delegated Administration Services, Oracle Directory Integration and Provisioning, and High Availability and Replication.

   • In the Specify Port Configuration Options screen, select Manual and enter the fullpath to the staticports.ini file that you created in step 3.

   • In the Specify Repository screen, connect to the database on cluster node 1 using the virtual hostname.

   • In the Specify Existing Oracle Application Server Cluster Name screen, enter the name of the cluster that you created in step 1.

   • In the Specify ODS Password screen, enter the password for the ODS account.

   • In the Specify LDAP Virtual Host and Ports screen, specify node 1's hostname and the Oracle Internet Directory port.

   • In the Specify HTTP Listen Port, Load Balancer Host and Port screen, enter the fully qualified virtual hostname in the HTTP Load Balancer: Hostname field. Enter the HTTP port in HTTP Load Balancer: Port field.

5. Remove the source Oracle Identity Management instance (on node 1) from the cluster. You added it to the cluster in step 2.

   > SRC_IM_ORACLE_HOME/dcm/bin/dcmctl leaveCluster -c clustername
   > SRC_IM_ORACLE_HOME/dcm/bin/dcmctl removeCluster -c clustername
   
   

6. (optional) You can take a backup of your environment at this time, if desired.

   1. Stop all processes.

      To stop the middle tier:

      > MT_ORACLE_HOME/opmn/bin/opmnctl stopall
      
      

      To stop the source Oracle Identity Management instance:

      > SRC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
      
      

      To stop the new Oracle Identity Management instance:

      > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
      
      

      To stop the OracleAS Metadata Repository database:

      > CFC_MR_ORACLE_HOME/bin/sqlplus /nolog
      SQL> connect / as sysdba
      SQL> shutdown
      
      

      To stop the listener:

      > CFC_MR_ORACLE_HOME/bin/lsnrctl stop
      
      

   2. Back up the Oracle Identity Management instance that you just installed.

   3. Back up the OracleAS Metadata Repository data files.

   4. Start up all the components (listener, OracleAS Metadata Repository, Oracle Identity Management, middle tier).

Step 4 Configure Oracle Identity Management and Middle Tiers to Use the Virtual Hostname

After installation, configure the Oracle Identity Management and middle-tier components for OracleAS Cold Failover Cluster. After this step, your environment should be functional and look like this (Figure 21-5):

1. On cluster node 1, configure the Oracle Internet Directory in the new Oracle Identity Management instance to use the virtual hostname.

   1. Stop all Oracle Identity Management components.

      > CFC_IM_ORACLE_HOME/bin/emctl stop iasconsole
      > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
      
      

   2. Make these edits in the CFC_IM_ORACLE_HOME/opmn/conf/opmn.xml file.

      In these categories:

      category id="oidctl-parameters"

      and

      category id="oidmon-parameters"

      add the following line (including the < and > characters):

      <data id="host" value="fully_qualified_virtual_hostname"/>

      Replace fully_qualified_virtual_hostname with your fully qualified virtual hostname.

2. On cluster node 1, edit the CFC_IM_ORACLE_HOME/config/ias.properties file as follows:

   • Edit the OIDhost entry to use the virtual hostname.

3. Update the DIRECTORY_SERVERS parameter in the CFC_IM_ORACLE_HOME/ldap/admin/ldap.ora file to use the virtual hostname.

4. On cluster node 1, check that the ORACLE_HOME environment variable is set correctly before running the chgiphost.sh script:

   > echo $ORACLE_HOME
   > CFC_IM_ORACLE_HOME/chgip/scripts/chgiphost.sh -idm -noconfig
   
   

   When prompted, provide the following information:

   Table 21-3 Prompts from chgiphost

   Prompt from chgiphost	Response
   Enter fully qualified hostname (hostname.domainname) of destination	Enter the fully qualified virtual hostname.
   Enter fully qualified hostname (hostname.domainname) of source	Enter the fully qualified cluster node 1's hostname.
   Enter valid IP address of destination	Enter the IP associated with the virtual hostname.
   Enter valid IP address of source	Enter the IP for cluster node 1.
   OID Admin Password	Enter the password for the cn=orcladmin user.

   
   

5. Configure OracleAS Single Sign-On to use the virtual hostname.

   1. Start Oracle Internet Directory (note that the first command is "opmnctl start", not "opmnctl startall").

      > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl start
      > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
      
      

   2. Start Oracle Directory Manager:

      > CFC_IM_ORACLE_HOME/bin/oidadmin
      
      

   3. Connect using virtual hostname. Log in as cn=orcladmin.

   4. Get the password for the orasso schema.

      • In Oracle Directory Manager, expand Entry Management > cn=OracleContext > cn=Products > cn=IAS > cn=IAS Infrastructure Databases > orclReferenceName=DBServiceName > orclResourceName=ORASSO.

      • Note the password in the orclpasswordattribute field. You will use it in the next step.

   5. On cluster node 1, log in to the OracleAS Metadata Repository database as ORASSO and run the ssooconf.sql script.

      > cd CFC_IM_ORACLE_HOME/sso/admin/plsql/sso
      > CFC_IM_ORACLE_HOME/bin/sqlplus orasso/password@mrdbInstanceName
      SQL> @ssooconf.sql
      
      

      For password, enter the password for the orasso schema.

      For mrdbInstanceName, enter the instance name of the database as defined in the CFC_IM_ORACLE_HOME/network/admin/tnsnames.ora file

      ssooconf.sql prompts you for the following information:

      Table 21-4 ssooconf.sql Prompts

      Prompt from ssooconf.sql	Your Response
      Enter value for new_oid_host:	Enter the fully qualified virtual hostname and press Return.
      Enter value for new_oid_port:	Enter the Oracle Internet Directory port number and press Return. You can enter an SSL port or a non-SSL port. In the last prompt (see below), you indicate whether this port is an SSL port or a non-SSL port.
      Enter value for new_ssoserver_password:	Press Return so that the password is not changed.
      Enter value for new_ldapusessl:	Enter n if the port you entered above is not an SSL port. Enter y if the port you entered above is an SSL port.

      
      

6. On cluster node 1, run:

   > CFC_IM_ORACLE_HOME/dcm/bin/dcmctl resetHostInformation
   
   

7. Update the Oracle Directory Integration and Provisioning registration to use the virtual hostname.

   1. Run one of the following commands to update Oracle Directory Integration and Provisioning:

      Non-SSL:

      > CFC_IM_ORACLE_HOME/bin/odisrvreg -D cn=orcladmin -w adminPasswd
          -lhost FQvirtualHostname -p oidPort -h FQvirtualHostname
      
      

      SSL:

      > CFC_IM_ORACLE_HOME/bin/odisrvreg -D cn=orcladmin -w adminPasswd
          -lhost FQvirtualHostname -p oidSSLPort -h FQvirtualHostname
          -U sslMode -W walletLocation -P walletPassword
      
      

   2. Start the Oracle Directory Integration and Provisioning server.

      > oidctl connect=connectString server=odisrv inst=1 host=FQvirtualHostname
          flags="port=port host=FQvirtualHostname" start
      
      

      Replace connectString with the connect string to the Oracle Internet Directory database.

      Replace FQvirtualHostname with the fully qualified virtual hostname for the OracleAS Cold Failover Cluster.

      Replace port with the Oracle Internet Directory port.

8. Update the OracleAS Metadata Repository.

   Check that the ORACLE_HOME environment variable is set correctly:

   > echo $ORACLE_HOME
   
   

   Non-SSL:

   > CFC_IM_ORACLE_HOME/sso/bin/ssocfg.sh http FQvirtualHostname port
   
   

   SSL:

   > CFC_IM_ORACLE_HOME/sso/bin/ssocfg.sh https FQvirtualHostname port
   
   

   Replace FQvirtualHostname with the virtual hostname (fully qualified).

   Replace port with either the SSL or the non-SSL port used by Oracle HTTP Server.

9. Skip this step if you are transforming to a distributed OracleAS Cold Failover Cluster (Identity Management) topology.

   Change the URL for OracleAS Single Sign-On and Oracle Delegated Administration Services.

   1. Start Oracle Directory Manager:

      > CFC_IM_ORACLE_HOME/bin/oidadmin
      
      

   2. Connect using cluster node 1's hostname. Log in as cn=orcladmin.

   3. In Oracle Directory Manager, expand Entry Management > cn=OracleContext > cn=Products > cn=DAS > cn=OperationURLs.

   4. Update the value of the orcldasurlbase attribute to the virtual hostname.

10. Skip this step if you are transforming to a distributed OracleAS Cold Failover Cluster (Identity Management) topology.

    Update mod_osso registration by running the following command (all on one line).

    > CFC_IM_ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path im_oracle_home
       -site_name virtual_hostname:http_port
       -config_mod_osso TRUE
       -mod_osso_url http://virtual_hostname:port
       -u root
    
    

    Replace im_oracle_home with the full path of the Oracle Identity Management Oracle home.

    Replace virtual_hostname with the fully qualified virtual hostname.

    Replace port with the Oracle HTTP Server port. Note that if you are using port 80, you must not specify the port number because port 80 is the default value.

11. Restart Oracle Identity Management components.

    > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
    > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl startall
    
    

12. Configure the middle tiers to use the new Oracle Identity Management.

    1. Stop all the middle-tier instances.

       > MT_ORACLE_HOME/bin/emctl stop iasconsole
       > MT_ORACLE_HOME/opmn/bin/opmnctl stopall
       
       

    2. In each middle-tier instance, in the MT_ORACLE_HOME/config/ias.properties file, update the OIDhost parameter to use the fully qualified virtual hostname.

    3. In each middle-tier instance, update the DIRECTORY_SERVERS parameter in the MT_ORACLE_HOME/ldap/admin/ldap.ora file to use the virtual hostname.

    4. Start OPMN and Application Server Control Console on all the middle-tier instances.

       Note that the first command is "opmnctl start", not "opmnctl startall", because at this time you want to start up only OPMN and the Application Server Control Console. The middle tiers cannot be started yet.

       > MT_ORACLE_HOME/opmn/bin/opmnctl start
       > MT_ORACLE_HOME/bin/emctl start iasconsole
       
       

    5. For each middle tier:

       • Use the Application Server Control Console and navigate to the home page for the middle tier.

       • Click the Infrastructure link.

       • In the Identity Management section, click Change.

       • Follow the wizard for entering a new hostname. You enter the virtual hostname here.

       • When the wizard completes, it asks you to restart the components. You can do this by running the following commands:

         > MT_ORACLE_HOME/opmn/bin/opmnctl stopall
         > MT_ORACLE_HOME/opmn/bin/opmnctl startall
         
         

    
    

    Downtime 2 Ends: This ends the second downtime.

    
    

Step 5 Deregister the Source Oracle Identity Management

In this step, you deregister the source Oracle Identity Management from the OracleAS Metadata Repository. Figure 21-6 shows the environment at the completion of this step.

1. If you are running Oracle Directory Integration and Provisioning, you need to stop it:

   > ORACLE_HOME/bin/oidctl connect=dbConnect flags="host=OIDhost port=OIDport"
        server=odisrv instance=1 stop
   
   

2. Make the following edits to the SRC_IM_ORACLE_HOME/deconfig/DeconfigWrapper.properties file, where SRC_IM_ORACLE_HOME refers to the source Oracle Identity Management home on node 1.

   • Comment out the line that begins with "SSO=". For example, the line might look like this:

     SSO=/scratch/iastrans/im/jdk/bin/java
      -jar /scratch/iastrans/im/sso/lib/ossoca.jar deinstall
      /scratch/iastrans/im "%OID_USER%" %OID_PASSWORD%
     
     

     Comment out the line by adding a # character at the beginning of the line:

     #SSO=/scratch/iastrans/im/jdk/bin/java
      -jar /scratch/iastrans/im/sso/lib/ossoca.jar deinstall
      /scratch/iastrans/im "%OID_USER%" %OID_PASSWORD%
     
     

   • Comment out the line that begins with "MOD_OSSO=". For example, the line might look like this:

     MOD_OSSO=/scratch/iastrans/im/jdk/bin/java -jar 
      /scratch/iastrans/im/jlib/infratool.jar de -f 
      /scratch/iastrans/im/deconfig/deconfig_modosso.properties -o 
      /scratch/iastrans/im -u "%OID_USER%" -obf %OID_PASSWORD%
     
     

     Comment out the line by adding a # character at the beginning of the line:

     #MOD_OSSO=/scratch/iastrans/im/jdk/bin/java -jar 
      /scratch/iastrans/im/jlib/infratool.jar de -f 
      /scratch/iastrans/im/deconfig/deconfig_modosso.properties -o 
      /scratch/iastrans/im -u "%OID_USER%" -obf %OID_PASSWORD%
     
     

3. On node 1, run deconfig.pl to deregister the source Oracle Identity Management from the OracleAS Metadata Repository.

   > cd SRC_IM_ORACLE_HOME/bin
   > SRC_IM_ORACLE_HOME/perl/bin/perl deconfig.pl -u oidUser -w passwd
    -dbp sysPasswd [-r realm]
   
   

   The -u option specifies the name of the Oracle Internet Directory user. This user must have privileges for deinstalling the Oracle Identity Management components. To run as the Oracle Internet Directory superuser, specify the user as cn=orcladmin.

   The -w option specifies the password of the user.

   The -dbp option specifies the password of the SYS user in the OracleAS Metadata Repository database.

   The -r option is required only if your Oracle Internet Directory contains multiple realms. Use it to specify the realm in Oracle Internet Directory against which the user should be validated.

   See the "Deinstallation and Reinstallation" appendix in the Oracle Application Server Installation Guide for details about deconfig.pl.

Step 6 (optional) Create Failover Scripts

Create scripts to perform failover and start up Oracle Application Server components on the standby node. The scripts are dependent on the clusterware that you are running. If you do not create the failover scripts, you will have to perform the failover steps manually.

Step 7 Start the OracleAS Metadata Repository, Oracle Identity Management, and Middle Tiers

Start the OracleAS Metadata Repository and the Oracle Identity Management on cluster node 1, and start also the middle tiers. The components and applications should be functioning properly. To test failover, fail cluster node 1. The failover scripts created in step 6 should failover the processes to cluster node 2.

Step 8 Verify That All the Components Are Working

Verify that the Oracle Identity Management and middle-tier components are working.

1. Test Oracle Identity Management components.

   • Test Oracle Delegated Administration Services by accessing its URL, http://virtual_host_name:port/oiddas, and try to perform some operations. Example: http://infra.mydomain.com:7777/oiddas.

   • Test OracleAS Single Sign-On by accessing its URL, http://virtual_host_name:port/pls/orasso, and try to perform some operations. Example: http://infra.mydomain.com:7777/pls/orasso.

2. Test middle-tier components. For example, to test OracleAS Portal, access its URL, http://portalhost.mydomain.com:7777/pls/portal, and try to perform some operations.

Step 9 Decommission the Oracle Homes That Are No Longer Used

At the end of the transformation procedure, you no longer need these Oracle homes:

• Oracle home for the source OracleAS Metadata Repository database

  If you are not using this Oracle home for other purposes (that is, if you were using this Oracle home only for the OracleAS Metadata Repository database), then you can deinstall it. See the "Removing Oracle Software" chapter in the Oracle Database Installation Guide for details.

• Oracle home for the source Oracle Identity Management

  You can deinstall it by following the procedures in the "Deinstallation and Reinstallation" appendix in the Oracle Application Server Installation Guide.

21.4.1 Overview of Steps

Transformation steps, at a high level, are:

Step 1: Install Oracle Fail Safe and Create a Failover Group on the Nodes in the Hardware Cluster

Step 2: Convert the Single-Instance Database to a Cold Failover Cluster Database

Step 3: Set up the New Database for High Availability

Step 4: Change the Source Oracle Identity Management to Use the New OracleAS Metadata Repository

Step 5: Install a New Oracle Identity Management Instance on the Shared Storage

Step 6: Configure Oracle Identity Management to Use the Virtual Hostname

Step 7: Make the Oracle Identity Management Highly Available

Step 8: Configure the Middle Tiers to Use the New Oracle Identity Management

Step 9: Deregister the Source Oracle Identity Management

Step 10: Start the OracleAS Metadata Repository, Oracle Identity Management, and Middle Tiers

Step 11: Verify That All the Components Are Working

Step 12: Decommission the Oracle Homes That Are No Longer Used

21.4.2 Steps in Detail

The following steps use the following names to refer to the different nodes (the names match the ones used in Figure 21-7):

• Node 1 and node 2 are nodes in the source configuration.

• Cluster node 1 and cluster node 2 are nodes in the hardware cluster. At any given time, only one of these nodes has access to the shared storage, which will contain the Oracle Identity Management home and the data files for the OracleAS Metadata Repository database.

Step 1 Install Oracle Fail Safe and Create a Failover Group on the Nodes in the Hardware Cluster

After this step, your environment should look like the following (Figure 21-8):

1. Verify that Microsoft Cluster Server (MSCS) is installed on cluster node 1 and cluster node 2. You can do this by launching the Cluster Administrator from the Start menu:

   Windows 2000: Start > Programs > Administrative Tools > Cluster Administrator

   Windows 2003: Start > Administrative Tools > Cluster Administrator

2. Get the name of the cluster by invoking the Cluster Administrator on either cluster node 1 or cluster node 2. The cluster name appears at the top of the left frame.

3. Install Oracle Fail Safe on both cluster nodes, and verify the cluster.

   You install it on the local storage (not the shared storage) of each node. For instructions on installing Oracle Fail Safe, see the following guide:

   Item	Name
   Book	Oracle Application Server Installation Guide for Microsoft Windows This guide is available on Disk 1 of the Oracle Application Server distribution.
   Chapter	11, "Installing in High Availability Environments: OracleAS Cold Failover Cluster"
   Sections	11.2.5, "Determine a Domain User to Administer Oracle Fail Safe" 11.2.6, "Install Oracle Fail Safe on the Local Storage of Each Node" (this section includes steps on verifying the cluster)

   
   

4. Create a failover group in Oracle Fail Safe. For steps, see the following guide:

   Item	Name
   Book	Oracle Application Server Installation Guide for Microsoft Windows This guide is available on Disk 1 of the Oracle Application Server distribution.
   Chapter	11, "Installing in High Availability Environments: OracleAS Cold Failover Cluster"
   Section	11.2.7, "Create a Group in Oracle Fail Safe"

   
   

Step 2 Convert the Single-Instance Database to a Cold Failover Cluster Database

After this step, your environment should be functional and look like the following (Figure 21-9):

1. Run the Oracle database installer on cluster node 1 to install only the Oracle database software on the local storage (do not create a database). The database version that you install must be the same version as the source OracleAS Metadata Repository database.

   The database Oracle home created in this step will be referred to as CFC_MR_ORACLE_HOME in subsequent steps.

   If you are using Oracle Database 10g:

   1. Follow the steps in the guide listed below, but note this difference: In the Select Database Configuration screen, do not create a starter database.

      Item	Name
      Book	Oracle Database 10g Quick Installation Guide for your platform This book is available in the Oracle Database 10g documentation set.
      Section	"Install Oracle Database 10g"

      
      

   2. Apply the 10.1.0.4 patch set to the database software that you just installed by following the instructions in the README that comes with the patch set. Note: Perform the steps in the section "Required Post-Installation Tasks" in the README, up to, but not including, the section "Upgrade the Database". You have not created the database yet. You will do this later.

   If you are using Oracle9i Database:

   1. Install the Oracle9i Release 2 (9.2.0.1) software. In the installer, select "Database Configuration: Software Only" because you are not creating the database yet.

   2. Apply the Oracle9i Release 2 (9.2.0.6) patch set. Perform these steps:

      • In the README file for the patch set, perform the steps in the section "Before You Install This Patch Set" if they apply to you.

      • Install the 9.2.0.6 patch set.

      • Perform the steps in the section "Required Post-Installation Tasks" in the README, up to, but not including, the section "Upgrade the Database". You have not created the database yet. You will do this later.

2. Install and patch the database Oracle home on the local storage of cluster node 2 by repeating step 1 for cluster node 2.

   
   

   Downtime 1 Starts: The next step starts the first downtime.

   
   

3. Stop the middle tier and the Oracle Identity Management instances so that they are not modifying the OracleAS Metadata Repository database while you are backing it up.

   To stop the middle tier:

   > MT_ORACLE_HOME\bin\emctl stop iasconsole
   > MT_ORACLE_HOME\opmn\bin\opmnctl stopall
   
   

   To stop the Oracle Identity Management:

   > SRC_IM_ORACLE_HOME\bin\emctl stop iasconsole
   > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
   
   

4. Back up the source Oracle Identity Management and middle tiers. You can use any backup tools. For example, you can use the OracleAS Backup and Recovery Tool, described in the Oracle Application Server Administrator's Guide.

5. Perform a cold backup of the OracleAS Metadata Repository datafiles and the oraInventory directory.

6. Back up the source OracleAS Metadata Repository by using DBCA to create a database template from the OracleAS Metadata Repository database.

   1. On node 1, start up DBCA from the Start menu:

      Start > Programs > Oracle - SRC_MR_ORACLE_HOME_NAME > Database Administration > Database Configuration Assistant

   2. Select Manage Templates.

   3. Select Create a Database Template and select From an existing database (structure as well as data).

   4. Select the name of your database instance.

   5. Enter a name for the template.

      DBCA generates two files, template_name.dbc and template_name.dfb, in the SRC_MR_ORACLE_HOME\assistants\dbca\templates directory.

   6. Add a user-defined variable called TARGET_DB_LOCATION:

      • On the page where you entered the name of the template, click the File Location Variable button.

      • In the File Location Variable dialog, enter TARGET_DB_LOCATION in the first non-grey row of the Variable column.

      • Enter the fully qualified directory path on the shared disk where you want the database data files on the target system to reside. For example, if S: is the shared disk, you can enter a directory path such as S:\oracle.

   7. Select Convert the file locations to use OFA structure.

7. Copy the template_name.dbc and template_name.dfb files generated in the previous step to the CFC_MR_ORACLE_HOME\assistants\dbca\templates directory on the local storage of cluster node 1.

8. On cluster node 1, edit the template_name.dbc file as follows:

   • Replace all instances of {ORACLE_BASE} with {TARGET_DB_LOCATION}. For example, this:

         {ORACLE_BASE}\admin

     would be changed to:

         {TARGET_DB_LOCATION}\admin

   • For the SPfile line, replace {ORACLE_HOME} with {TARGET_DB_LOCATION}. For example, change it from this:

       <SPfile useSPFile="true">{ORACLE_HOME}\database\spfile{SID}.ora</SPfile>
     
     

     To this:

       <SPfile useSPFile="true">{TARGET_DB_LOCATION}\database\spfile{SID}.ora</SPfile>
     
     

     Do not replace other occurrences of {ORACLE_HOME}.

9. Create a database listener.

   1. On cluster node 1, start up Network configuration assistant. You can do this from the Start menu:

      Start > Programs > Oracle - CFC_MR_ORACLE_HOME_NAME > Network Administration > Oracle Net Configuration Assistant

   2. Select Listener Configuration and follow the prompts accepting all defaults with the exception that if you would like to use a port number for the listener other than port 1521 you may choose to do so.

   3. Exit Network configuration assistant.

10. Restore the database on the target system.

    1. Verify that the shared storage is mounted on cluster node 1.

    2. On cluster node 1, run DBCA to create a database using the templates you created. You can start up DBCA from the Start menu:

       Start > Programs > Oracle - CFC_MR_ORACLE_HOME_NAME > Database Administration > Database Configuration Assistant

    3. Select Create Database.

    4. Select the template name that you copied to the local storage and edited.

    5. When prompted for the global database name and SID, enter the same names as your source OracleAS Metadata Repository.

    6. Accept the default values for the remaining screens. Be sure to verify the paths on the following screens:

       - On screen 11, Initialization Parameters, verify that the paths to the control files point to correct locations on the shared disk. Note: If you see an extra line in the control file section, update the extra line so that its path also points to the shared disk.

       - On screen 12, Database Storage, verify that the paths to the data files point to correct locations on the shared disk.

    7. After DBCA creates the database, it displays a summary of information about the database including the fully qualified path of the server parameter file (spfile). Make a note of this fully qualified path. You will need this path in a later step (step h).

    8. On cluster node 1, verify that a pfile named init<SID>.ora exists in the CFC_MR_ORACLE_HOME\database directory (<SID> refers to the SID of the database you restored in step 10), and that the file contains a line that looks like:

       spfile=<fullpath_to_spfile>
       
       

       where <fullpath_to_spfile> is the fully qualified path for the spfile that you noted in the previous step.

11. Unlock the accounts in the new OracleAS Metadata Repository without changing the passwords. These accounts are listed in SRC_IM_ORACLE_HOME\config\unlock.sql, where SRC_IM_ORACLE_HOME is the home directory for the source Oracle Identity Management.

    To unlock the accounts without changing the passwords, perform these steps:

    1. Log into the database as the SYS user.

       > sqlplus SYS/password as sysdba
       
       

    2. Run the following commands for each user listed in the SRC_IM_ORACLE_HOME\config\unlock.sql file:

       • Determine the password for the user.

         SQL> select password from dba_users where username = 'username';
         
         

         Replace username with the name of the account.

       • Run the "alter user" command.

         SQL> alter user username identified by values 'password' account unlock;
         
         

         Replace username with the name of the account.

         Replace password with the password determined from the previous step.

    
    

    Note: Do not change the passwords for these accounts.

    
    

12. You can now perform the remaining steps in the "Required Post-Installation Tasks" section of the README for the database patch set. Specifically, perform the steps in the "Upgrade the Database" section.

13. Copy CFC_MR_ORACLE_HOME\database\init<SID>.ora to TARGET_DB_LOCATION\database\init<SID>.ora.

    The pfile, TARGET_DB_LOCATION\database\init<SID>.ora, is needed by Oracle Fail Safe.

14. Verify the standalone database resource using Oracle Fail Safe Manager by providing the path to the TARGET_DB_LOCATION\database\init<SID>.ora file.

    1. Verify that the PATH environment variable contains CFC_MR_ORACLE_HOME\bin.

    2. Start Oracle Fail Safe Manager.

    3. On the left side, expand the following items (Figure 21-10 shows a sample screen shot):

       Cluster_Name > Nodes > Cluster_node_1 > Standalone Resources > SID

       Figure 21-10 Oracle Fail Safe Manager: Right-click the SID and Select "Verify Standalone Resources"

       
       Description of "Figure 21-10 Oracle Fail Safe Manager: Right-click the SID and Select "Verify Standalone Resources""
       
       

    4. Right-click the database SID, and select Verify Standalone Database. This displays the Verify Standalone Database dialog.

       Figure 21-11 Oracle Fail Safe Manager: Verify Standalone Database dialog

       
       Description of "Figure 21-11 Oracle Fail Safe Manager: Verify Standalone Database dialog"
       
       

    5. In the Verify Standalone Database dialog, enter the database name (example: MRDB) and the full path to the parameter file (example: S:\oracle\database\initMRDB.ora). Ensure that Use operating system authentication is selected. Then click OK.

Step 3 Set up the New Database for High Availability

Figure 21-12 shows the environment at the completion of this step.

1. Add the OracleAS Metadata Repository to the failover group that you created in Oracle Fail Safe. For steps, see the following guide:

   Item	Name
   Book	Oracle Application Server Installation Guide for Microsoft Windows This guide is available on Disk 1 of the Oracle Application Server distribution.
   Chapter	11, "Installing in High Availability Environments: OracleAS Cold Failover Cluster"
   Section	11.12.2, "Make OracleAS Metadata Repository Highly Available"

   
   

2. Add the shared storage as a dependency for the listener. For steps, see the following guide:

   Item	Name
   Book	Oracle Application Server Installation Guide for Microsoft Windows This guide is available on Disk 1 of the Oracle Application Server distribution.
   Chapter	11, "Installing in High Availability Environments: OracleAS Cold Failover Cluster"
   Section	11.12.3, "Add the Shared Disk as a Dependency for the Listener"

   
   

3. Disable the old listener service.

   1. Display the Services dialog.

   2. Select the old listener. The name of the old listener is Oracle<CFC_MR_OracleHomeName>TNSListener.

   3. Stop the old listener, if it is running.

   4. Right-click the old listener and select Properties.

   5. Set its startup type to Disabled, and click OK.

   There should be another listener service with the name Oracle<CFC_MR_OracleHomeName>TNSListenerFsl<virtualHostName>. This listener was created when you added the OracleAS Metadata Repository to the failover group (in step 1). This is the listener you will be using.

Step 4 Change the Source Oracle Identity Management to Use the New OracleAS Metadata Repository

In this step, you update the source Oracle Identity Management so that it uses the OracleAS Metadata Repository that you just installed in the hardware cluster. After performing this step, your environment should look like the following (Figure 21-13):

1. Shut down Oracle Identity Management on node 1.

   > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
   
   

2. In the SRC_IM_ORACLE_HOME\network\admin\tnsnames.ora file, update the HOST parameter in the OracleAS Metadata Repository connect string to use the fully qualified virtual hostname.

3. Update the OracleAS Metadata Repository connect string in Oracle Internet Directory.

   1. Start the OPMN daemon (note that you run "opmnctl start", not "opmnctl startall").

      > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl start
      
      

   2. Start Oracle Internet Directory.

      > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl startproc ias-component=OID
      
      

   3. Start Oracle Directory Manager from the Start menu:

      Start > Programs > Oracle - IM_OracleHomeName > Integrated Management Tools > Oracle Directory Manager

   4. Log in as cn=orcladmin.

   5. Expand the following: Entry Management > cn=OracleContext.

   6. Select cn=dbName on the left side.

   7. In the Properties tab on the right side, update the HOST parameter in orclnetdescstring with the fully qualified virtual hostname.

4. Verify that the following items have the same connect string:

   • orclnetdescstring value in Oracle Internet Directory (see previous step)

   • the tnsnames.ora file in SRC_IM_ORACLE_HOME\network\admin

   • the tnsnames.ora file in CFC_MR_ORACLE_HOME\network\admin

5. Stop and restart Oracle Identity Management and middle tier.

   > MT_ORACLE_HOME\opmn\bin\opmnctl stopall
   > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
   > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl startall
   > MT_ORACLE_HOME\opmn\bin\opmnctl startall
   
   

6. Test OracleAS Infrastructure and middle-tier components. They should be working normally.

Step 5 Install a New Oracle Identity Management Instance on the Shared Storage

Figure 21-14 shows the environment at the completion of this step.

1. Create an OracleAS Cluster (Identity Management) on the source Oracle Identity Management instance.

   > SRC_IM_ORACLE_HOME\dcm\bin\dcmctl createcluster -cluster cluster_name
   
   

   You create this OracleAS Cluster (Identity Management) as a means to copy configuration information from the source Oracle Identity Management to the new Oracle Identity Management.

2. Make the Oracle Identity Management instance the first member of the OracleAS Cluster (Identity Management).

   > SRC_IM_ORACLE_HOME\dcm\bin\dcmctl joincluster -cluster cluster_name
   
   

3. Make sure that the shared storage on which you will be installing Oracle Identity Management is mounted on cluster node 1.

4. On the shared storage, create a staticports.ini file to specify the ports that you are using on node 1 for Oracle Identity Management. You will specify this file in the installer.

   You only need to specify the ports for Oracle Internet Directory in this file. The port numbers must match those for Oracle Internet Directory on node 1. You can copy the lines from the SRC_IM_ORACLE_HOME\install\portlist.ini file in the source Oracle Identity Management. For example:

   Oracle Internet Directory port = 389
   Oracle Internet Directory (SSL) port = 636
   
   

5. On cluster node 1, run the Oracle Application Server installer to install an Oracle Identity Management instance on the shared storage, and during installation, set this instance to belong to the OracleAS Cluster (Identity Management) that you created in the previous step. Essentially, you are installing a second instance in an OracleAS Cluster (Identity Management).

   Important details:

   • Install the Oracle Identity Management instance on the shared storage.

   • In the Select Configuration Options screen, select Oracle Internet Directory, OracleAS Single Sign-On, Oracle Delegated Administration Services, Oracle Directory Integration and Provisioning, and High Availability and Replication.

   • In the Specify Port Configuration Options screen, select Manual and enter the fullpath to the staticports.ini file that you created in step 4.

   • In the Specify Repository screen, connect to the database on cluster node 1 using the virtual hostname as the hostname. Connect as the system user if you did not create a password file in Oracle Fail Safe (see step 1). If you created a password file in Oracle Fail Safe, you can connect as the sys user.

   • In the Specify Existing Oracle Application Server Cluster Name screen, enter the name of the cluster that you created in step 1.

   • In the Specify LDAP Virtual Host and Ports screen, specify node 1's hostname and the Oracle Internet Directory port.

   • In the Specify HTTP Listen Port, Load Balancer Host and Port screen, enter the virtual hostname in the HTTP Load Balancer: Hostname field. Enter the HTTP port in HTTP Load Balancer: Port field.

6. On cluster node 1, remove the new Oracle Identity Management instance from the cluster and farm. You need to do this so that you can install this instance from cluster node 2.

   > CFC_IM_ORACLE_HOME\dcm\bin\dcmctl leaveCluster
   > CFC_IM_ORACLE_HOME\dcm\bin\dcmctl leaveFarm
   
   

7. Reboot cluster node 1. The resources defined in the failover group fail over to cluster node 2.

8. Delete the Oracle home for the Oracle Identity Management instance that you just installed on the shared storage. You need to do this because you need to perform the same installation, but this time from cluster node 2 (next step).

9. From cluster node 2, install the Oracle Identity Management instance in the same Oracle home directory on the shared storage. Follow the same instructions as for cluster node 1.

10. On cluster node 2, remove the new Oracle Identity Management instance from the cluster.

    > CFC_IM_ORACLE_HOME\dcm\bin\dcmctl leaveCluster
    
    

11. Change the source Oracle Identity Management instance (on node 1) to its original configuration.

    > SRC_IM_ORACLE_HOME\dcm\bin\dcmctl leaveCluster
    > SRC_IM_ORACLE_HOME\dcm\bin\dcmctl removeCluster -cluster cluster_name
    
    

    cluster_name is the name of the cluster you created in step 1.

12. (optional) You can take a backup of your environment at this time, if desired.

    1. Stop all processes.

       To stop the middle tier:

       > MT_ORACLE_HOME\opmn\bin\opmnctl stopall
       
       

       To stop the source Oracle Identity Management instance:

       > SRC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
       
       

       To stop the new Oracle Identity Management instance:

       > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
       
       

       To stop the OracleAS Metadata Repository database:

       > CFC_MR_ORACLE_HOME\bin\sqlplus /nolog
       SQL> connect / as sysdba
       SQL> shutdown
       
       

       To stop the listener:

       > CFC_MR_ORACLE_HOME\bin\lsnrctl stop
       
       

    2. Back up the Oracle Identity Management instance that you just installed.

    3. Back up the OracleAS Metadata Repository data files.

    4. Start up all the components (listener, OracleAS Metadata Repository, Oracle Identity Management, middle tier).

Step 6 Configure Oracle Identity Management to Use the Virtual Hostname

After installation, configure the Oracle Identity Management components for OracleAS Cold Failover Cluster. After this step, your environment should look like this (Figure 21-15):

1. Check that cluster node 1 is the active node and that the shared storage is mounted on that node.

2. On cluster node 1, configure Oracle Internet Directory in the new Oracle Identity Management instance to use the virtual hostname.

   1. Stop all Oracle Identity Management components.

      > CFC_IM_ORACLE_HOME\bin\emctl stop iasconsole
      > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
      
      

   2. Make these edits in the CFC_IM_ORACLE_HOME\opmn\conf\opmn.xml file.

      In these categories:

      category id="oidctl-parameters"

      and

      category id="oidmon-parameters"

      add the following line (including the < and > characters):

      <data id="host" value="fully_qualified_virtual_hostname"/>

      Replace fully_qualified_virtual_hostname with your fully qualified virtual hostname.

3. On cluster node 1, edit the CFC_IM_ORACLE_HOME\config\ias.properties file as follows:

   • Edit OIDhost to use the virtual hostname.

4. Update the DIRECTORY_SERVERS parameter in the CFC_IM_ORACLE_HOME\ldap\admin\ldap.ora file to use the virtual hostname.

5. On cluster node 1, set the ORACLE_HOME environment variable to the fully qualified path for CFC_IM_ORACLE_HOME, then run the chgiphost.bat script.

   > set ORACLE_HOME=CFC_IM_ORACLE_HOME
   > cd CFC_IM_ORACLE_HOME\chgip\scripts
   > cmd /c chgiphost.bat -idm -noconfig
   
   

   (You need to enter the "cmd /c" in the last command so that the DOS window in which you enter the command does not go away when the command completes.)

   When prompted, provide the following information:

   Table 21-5 Prompts from chgiphost

   Prompt from chgiphost	Response
   Enter fully qualified hostname (hostname.domainname) of destination	Enter the fully qualified virtual hostname.
   Enter fully qualified hostname (hostname.domainname) of source	Enter the fully qualified cluster node 2's hostname.
   Enter valid IP address of destination	Enter the IP associated with the virtual hostname.
   Enter valid IP address of source	Enter the IP for cluster node 2.
   OID Admin Password	Enter the password for the cn=orcladmin user.

   
   

6. Configure OracleAS Single Sign-On to use the virtual hostname.

   1. Start Oracle Internet Directory (note that the first command is "opmnctl start", not "opmnctl startall").

      > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl start
      > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl startproc ias-component=OID
      
      

   2. On cluster node 1, start Oracle Directory Manager from the Start menu:

      Start > Programs > Oracle - IM_OracleHomeName > Integrated Management Tools > Oracle Directory Manager

   3. Connect using the virtual hostname. Log in as cn=orcladmin.

   4. Get the password for the orasso schema.

      • In Oracle Directory Manager, expand Entry Management > cn=OracleContext > cn=Products > cn=IAS > cn=IAS Infrastructure Databases > orclReferenceName=DBServiceName > orclResourceName=ORASSO.

      • Note the password in the orclpasswordattribute field.

   5. On cluster node 1, log in to the OracleAS Metadata Repository database as ORASSO and run the ssooconf.sql script.

      > cd CFC_IM_ORACLE_HOME\sso\admin\plsql\sso
      > CFC_IM_ORACLE_HOME\bin\sqlplus orasso/password@mrdbInstanceName
      SQL> @ssooconf.sql
      
      

      For password, enter the password for the orasso schema.

      For mrdbInstanceName, enter the instance name of the database as defined in the CFC_IM_ORACLE_HOME\network\admin\tnsnames.ora file

      ssooconf.sql prompts you for the following information:

      Table 21-6 ssooconf.sql Prompts

      Prompt from ssooconf.sql	Response
      Enter value for new_oid_host:	Enter the virtual hostname and press Return.
      Enter value for new_oid_port:	Enter the Oracle Internet Directory port number and press Return. You can enter an SSL port or a non-SSL port. In the last prompt (see below), you indicate whether this port is an SSL port or a non-SSL port.
      Enter value for new_ssoserver_password:	Press Return so that the password is not changed.
      Enter value for new_ldapusessl:	Enter n if the port you entered above is not an SSL port. Enter y if the port you entered above is an SSL port.

      
      

7. On cluster node 1, run:

   > CFC_IM_ORACLE_HOME\dcm\bin\dcmctl resetHostInformation
   
   

8. Update the Oracle Directory Integration and Provisioning registration to use the virtual hostname.

   1. Run one of the following commands to update Oracle Directory Integration and Provisioning:

      Non-SSL:

      > CFC_IM_ORACLE_HOME\bin\odisrvreg -D cn=orcladmin -w adminPasswd
      -lhost FQvirtualHostname -p oidPort -h FQvirtualHostname
      
      

      SSL:

      > CFC_IM_ORACLE_HOME\bin\odisrvreg -D cn=orcladmin -w adminPasswd
       -lhost FQvirtualHostname -p oidSSLPort -h FQvirtualHostname
       -U sslMode -W walletLocation -P walletPassword
      
      

   2. Start the Oracle Directory Integration and Provisioning server.

      > oidctl connect=connectString server=odisrv inst=1 host=FQvirtualHostname
          flags="port=port host=FQvirtualHostname" start
      
      

      Replace connectString with the connect string to the Oracle Internet Directory database.

      Replace FQvirtualHostname with the fully qualified virtual hostname for the OracleAS Cold Failover Cluster.

      Replace port with the Oracle Internet Directory port.

9. Update the OracleAS Metadata Repository.

   Check that the ORACLE_HOME environment variable is set correctly.

   > echo %ORACLE_HOME%
   
   

   Non-SSL:

   > CFC_IM_ORACLE_HOME\sso\bin\ssocfg.bat http FQvirtualHostname port
   
   

   SSL:

   > CFC_IM_ORACLE_HOME\sso\bin\ssocfg.bat https FQvirtualHostname port
   
   

   Replace FQvirtualHostname with the virtual hostname (fully qualified).

   Replace port with either the SSL or the non-SSL port used by Oracle HTTP Server.

10. Skip this step if you are transforming to a distributed OracleAS Cold Failover Cluster (Identity Management) topology.

    Change the URL for OracleAS Single Sign-On and Oracle Delegated Administration Services.

    1. Start Oracle Directory Manager from the Start menu:

       Start > Programs > Oracle - IM_OracleHomeName > Integrated Management Tools > Oracle Directory Manager

    2. Connect using the virtual hostname. Log in as cn=orcladmin.

    3. In Oracle Directory Manager, expand Entry Management > cn=OracleContext > cn=Products > cn=DAS > cn=OperationURLs.

    4. Update the value of the orcldasurlbase attribute to the virtual hostname.

11. Skip this step if you are transforming to a distributed OracleAS Cold Failover Cluster (Identity Management) topology.

    Update mod_osso registration by running the following command (all on one line).

    > CFC_IM_ORACLE_HOME\sso\bin\ssoreg.bat
       -oracle_home_path im_oracle_home
       -site_name virtual_hostname:http_port
       -config_mod_osso TRUE
       -mod_osso_url http://virtual_hostname:port
       -u system
    
    

    Replace im_oracle_home with the full path of the Oracle Identity Management Oracle home.

    Replace virtual_hostname with the fully qualified virtual hostname.

    Replace port with the Oracle HTTP Server port. Note that if you are using port 80, then you must not specify the port number because port 80 is the default.

12. Restart Oracle Identity Management components.

    > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl stopall
    > CFC_IM_ORACLE_HOME\opmn\bin\opmnctl startall
    
    

Step 7 Make the Oracle Identity Management Highly Available

Figure 21-16 shows the environment at the completion of this step.

1. Add OPMN to the failover group that you created in Oracle Fail Safe.

   1. On cluster node 1, start Oracle Fail Safe Manager from the Start menu:

      Start > Programs > Oracle - OracleHomeName > Oracle Fail Safe Manager

   2. Right-click the OracleAS group and select Add Resource to Group.

   3. In Resource, Step 1, select Generic Service and click Next.

   4. In Generic Service Identity, Step 2, select the Oracle<OracleHomeName>ProcessManager service from Display Name and click Next.

   5. In Generic Service Account, Step 3, click Next.

   6. In Generic Service Disks, Step 4, click Next.

   7. In Generic Service Dependencies, Step 5, click Next.

   8. In Generic Service Registry, Step 6, click Next.

   9. In Finish Adding the Service to the Group, verify the information and click OK.

2. Add the shared storage as a dependency for OPMN. For steps, see the following guide:

   Item	Name
   Book	Oracle Application Server Installation Guide for Microsoft Windows This guide is available on Disk 1 of the Oracle Application Server distribution.
   Chapter	11, "Installing in High Availability Environments: OracleAS Cold Failover Cluster"
   Section	11.12.5, "Add the Shared Disk as a Dependency for OPMN"

   
   

3. Add Application Server Control Console to the failover group.

   1. On cluster node 1, start Oracle Fail Safe Manager from the Start menu:

      Start > Programs > Oracle - OracleHomeName > Oracle Fail Safe Manager

   2. Right-click the OracleAS group and select Add Resource to Group.

   3. In Resource, Step 1, select Generic Service and click Next.

   4. In Generic Service Identity, Step 2, select Oracle<OracleHomeName>ASControl from Display Name and click Next.

   5. In Generic Service Account, Step 3, click Next.

   6. In Generic Service Disks, Step 4, click Next.

   7. In Generic Service Dependencies, Step 5, move the Oracle<OracleHomeName>ProcessManager service to the Resource Dependencies column. Click Next.

   8. In Generic Service Registry, Step 6, click Next.

   9. In Finish Adding the Service to the Group, verify the information and click OK.

Step 8 Configure the Middle Tiers to Use the New Oracle Identity Management

Figure 21-17 shows the environment at the completion of this step.

1. Stop all the middle-tier instances.

   > MT_ORACLE_HOME\bin\emctl stop iasconsole
   > MT_ORACLE_HOME\opmn\bin\opmnctl stopall
   
   

2. In each middle-tier instance, in the MT_ORACLE_HOME\config\ias.properties file, update the OIDhost parameter to use the fully qualified virtual hostname.

3. In each middle-tier instance, in the MT_ORACLE_HOME\ldap\admin\ldap.ora file, update the DIRECTORY_SERVERS parameter to use the fully qualified virtual hostname.

4. Start OPMN and Application Server Control Console on all the middle-tier instances.

   Note that the first command is "opmnctl start", not "opmnctl startall", because at this time you want to start up only OPMN and the Application Server Control Console. The middle tiers cannot be started yet.

   > MT_ORACLE_HOME\opmn\bin\opmnctl start
   > MT_ORACLE_HOME\bin\emctl start iasconsole
   
   

5. For each middle tier:

   • Use the Application Server Control Console and navigate to the home page for the middle tier.

   • Click the Infrastructure link. Note that although you may see the virtual hostname on the page, you still have to perform this step. Application Server Control Console displays the virtual hostname only because it read it from the updated ias.properties file.

   • In the Identity Management section, click Change.

   • Follow the wizard for entering a new hostname. You enter the virtual hostname here.

   • When the wizard completes, it asks you to restart the components. You can do this by running the following commands:

     > MT_ORACLE_HOME\opmn\bin\opmnctl stopall
     > MT_ORACLE_HOME\opmn\bin\opmnctl startall
     
     

Step 9 Deregister the Source Oracle Identity Management

In this step, you deregister the source Oracle Identity Management from the OracleAS Metadata Repository. Figure 21-18 shows the environment at the end of this step.

1. If you are running Oracle Directory Integration and Provisioning, you need to stop it:

   > ORACLE_HOME\bin\oidctl connect=dbConnect flags="host=OIDhost port=OIDport"
        server=odisrv instance=1 stop
   
   

2. Make the following edits to the SRC_IM_ORACLE_HOME\deconfig\DeconfigWrapper.properties file, where SRC_IM_ORACLE_HOME refers to the source Oracle Identity Management home on node 1.

   • Comment out the line that begins with "SSO=". For example, the line might look like this:

     SSO=C:\OraHome_1\jdk\bin\java -jar C:\OraHome_1\sso\lib\ossoca.jar
             deinstall C:\OraHome_1 "%OID_USER%" %OID_PASSWORD%
     
     

     Comment out the line by adding a # character at the beginning of the line:

     #SSO=C:\OraHome_1\jdk\bin\java -jar C:\OraHome_1\sso\lib\ossoca.jar
             deinstall C:\OraHome_1 "%OID_USER%" %OID_PASSWORD%
     
     

   • Comment out the line that begins with "MOD_OSSO=". For example, the line might look like this:

     MOD_OSSO=C:\OraHome_1\jdk\bin\java -jar 
      C:\OraHome_1\jlib\infratool.jar de -f 
      C:\OraHome_1\deconfig\deconfig_modosso.properties -o 
      C:\OraHome_1 -u "%OID_USER%" -obf %OID_PASSWORD%
     
     

     Comment out the line by adding a # character at the beginning of the line:

     #MOD_OSSO=C:\OraHome_1\jdk\bin\java -jar 
      C:\OraHome_1\jlib\infratool.jar de -f 
      C:\OraHome_1\deconfig\deconfig_modosso.properties -o 
      C:\OraHome_1 -u "%OID_USER%" -obf %OID_PASSWORD%
     
     

3. On node 1, run deconfig.pl to deregister the source Oracle Identity Management from the OracleAS Metadata Repository.

   > cd SRC_IM_ORACLE_HOME\bin
   > SRC_IM_ORACLE_HOME\perl\5.6.1\bin\MSWin-x86\perl.exe deconfig.pl -u oidUser
    -w passwd -dbp sysPasswd [-r realm]
   
   

   The -u option specifies the name of the Oracle Internet Directory user. This user must have privileges for deinstalling the Oracle Identity Management components. To run as the Oracle Internet Directory superuser, specify the user as cn=orcladmin.

   The -w option specifies the password of the user.

   The -dbp option specifies the password of the SYS user in the OracleAS Metadata Repository database.

   The -r option is required only if your Oracle Internet Directory contains multiple realms. Use it to specify the realm in Oracle Internet Directory against which the user should be validated.

   See the "Deinstallation and Reinstallation" appendix in the Oracle Application Server Installation Guide for details about deconfig.pl.

Step 10 Start the OracleAS Metadata Repository, Oracle Identity Management, and Middle Tiers

Start the OracleAS Metadata Repository and the Oracle Identity Management on cluster node 1, and start also the middle tiers. The components and applications should be functioning properly. To test failover, fail cluster node 1. The processes should fail over to cluster node 2.

Step 11 Verify That All the Components Are Working

Verify that the Oracle Identity Management and middle-tier components are working.

1. Test Oracle Identity Management components.

   • Test Oracle Delegated Administration Services by accessing its URL, http://virtual_host_name:port/oiddas, and try to perform some operations. Example: http://infra.mydomain.com/oiddas.

   • Test OracleAS Single Sign-On by accessing its URL, http://virtual_host_name:port/pls/orasso, and try to perform some operations. Example: http://infra.mydomain.com/pls/orasso.

2. Test middle-tier components. For example, to test OracleAS Portal, access its URL, http://portalhost.mydomain.com/pls/portal, and try to perform some operations.

Step 12 Decommission the Oracle Homes That Are No Longer Used

At the end of the transformation procedure, you no longer need these Oracle homes:

• Oracle home for the source OracleAS Metadata Repository database

  If you are not using this Oracle home for other purposes (that is, if you were using this Oracle home only for the OracleAS Metadata Repository database), then you can deinstall it. See the "Removing Oracle Software" chapter in the Oracle Database Installation Guide for details.

• Oracle home for the source Oracle Identity Management

  You can deinstall it by following the procedures in the "Deinstallation and Reinstallation" appendix in the Oracle Application Server Installation Guide.

21.5.1 Overview of Steps

Transformation steps, at a high level, are:

Step 1: Perform Same Steps as for Transforming to OracleAS Cold Failover Cluster

Step 2: Disable OracleAS Single Sign-On and Oracle Delegated Administration Services

Step 3: Configure Virtual Server Name and IP on the Load Balancer

Step 4: Install OracleAS Single Sign-On and Oracle Delegated Administration Services on Active-Active Nodes

Step 5: Configure SSL (If You Want to Use SSL)

Step 6: Update OracleAS Single Sign-On and Oracle Delegated Administration Services Information in the OracleAS Metadata Repository

Step 7: Update mod_osso Registration

Step 8: Verify That All the Components Are Working

Step 9: Decommission the Oracle Homes That Are No Longer Used

21.5.2 Steps in Detail

The following steps use the following names to refer to the different nodes (the names match the ones used in Figure 21-19):

• Node 1 and node 2 are nodes in the source configuration.

• Cluster node 1 and cluster node 2 are nodes in the hardware cluster. These nodes have access to the shared storage on which you will install Oracle Identity Management instance.

• New nodes for OracleAS Single Sign-On and Oracle Delegated Administration Services are fronted by a load balancer. These nodes are not in a hardware cluster.

Step 1 Perform Same Steps as for Transforming to OracleAS Cold Failover Cluster

Perform most of the steps for transforming to OracleAS Cold Failover Cluster. Table 21-7 lists the sections for the steps.

Step 2 Disable OracleAS Single Sign-On and Oracle Delegated Administration Services

Disable OracleAS Single Sign-On and Oracle Delegated Administration Services on the hardware cluster so that you can install them on other nodes. This enables you to create a distributed model. After running this step, you should have an environment that looks like Figure 21-21.

1. On either cluster node 1 or cluster node 2, from the CFC_IM_ORACLE_HOME, start up Application Server Control Console.

2. Display the home page for the Oracle Identity Management instance.

3. Select the checkbox for OC4J_SECURITY and click Enable/Disable Components. This displays the Enable/Disable Components page.

4. On the Enable/Disable Components page, select both OC4J_SECURITY and HTTP_Server, Single Sign-On:orasso in the Enabled Components box and click Move All to move them to the Disabled Components box. There should be three items in the Disabled Components box:

   • home

   • OC4J_SECURITY

   • HTTP_Server, Single Sign-On:orasso

5. Click OK.

6. On the Warning page, which warns you that the components to be disabled will be stopped, click Yes. This stops the components and disables them as well.

7. When you return to the instance home page, you should see only two components: Internet Directory and Management.

Step 3 Configure Virtual Server Name and IP on the Load Balancer

Configure a virtual server name and IP on the load balancer for HTTP traffic. Clients will use this virtual server name to access OracleAS Single Sign-On and Oracle Delegated Administration Services.

Step 4 Install OracleAS Single Sign-On and Oracle Delegated Administration Services on Active-Active Nodes

In this step, you install OracleAS Single Sign-On and Oracle Delegated Administration Services on the nodes fronted by the load balancer. You install the Oracle home on the local storage of each node; this means you have to perform the installation once for each node.

1. Stop all the Oracle Identity Management components except Oracle Internet Directory. One way of doing this is to stop all components, then start up Oracle Internet Directory. (In the commands below, use the appropriate slash for your operating system.)

   > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl stopall
   > CFC_IM_ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
   
   

2. Run the installer on each node to install OracleAS Single Sign-On and Oracle Delegated Administration Services. Some important screens:

   • In the Select Installation Type screen, select Identity Management.

   • In the Select Configuration Options screen, select only OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability.

   • In the Select High Availability Option screen, select OracleAS Cluster (Identity Management).

   • In the Create or Join an OracleAS Cluster (Identity Management) screen, for the first instance of OracleAS Single Sign-On / Oracle Delegated Administration Services that you are installing, select Create a New OracleAS Cluster. For subsequent instances, select Join an Existing Cluster.

   • In the Specify HTTP Load Balancer Host and Ports screen, enter the virtual server name configured on the load balancer and port.

   • In Specify LDAP Virtual Host and Ports screen, enter the virtual hostname and port for Oracle Internet Directory.

Step 5 Configure SSL (If You Want to Use SSL)

Configure OracleAS Single Sign-On and Oracle Delegated Administration Services for SSL, if you need these components to use SSL in your installation.

Step 6 Update OracleAS Single Sign-On and Oracle Delegated Administration Services Information in the OracleAS Metadata Repository

1. From one of OracleAS Single Sign-On nodes, run one of these commands:

   • Non-SSL on UNIX:

     > SSO_ORACLE_HOME/sso/bin/ssocfg.sh http FQ_virtual_hostname port
     
     

   • SSL on UNIX:

     > SSO_ORACLE_HOME/sso/bin/ssocfg.sh https FQ_virtual_hostname port
     
     

   • Non-SSL on Windows:

     > SSO_ORACLE_HOME\sso\bin\ssocfg.bat http FQ_virtual_hostname port
     
     

   • SSL on Windows:

     > SSO_ORACLE_HOME\sso\bin\ssocfg.bat https FQ_virtual_hostname port
     
     

   Replace FQ_virtual_hostname with the HTTP virtual server name configured on the load balancer. Enter the fully qualified name.

   Replace port with either the SSL or the non-SSL port used by Oracle HTTP Server.

2. Change the URL for OracleAS Single Sign-On and Oracle Delegated Administration Services.

   1. On cluster node 1, start Oracle Directory Manager.

      If you are running on UNIX, run the following command to start it:

      > SSO_ORACLE_HOME/bin/oidadmin
      
      

      If you are running on Windows, you can start it from the Start menu:

      Start > Programs > Oracle - IM_OracleHomeName > Integrated Management Tools > Oracle Directory Manager

   2. Connect using cluster node 1's hostname. Log in as cn=orcladmin.

   3. Expand Entry Management > cn=OracleContext > cn=Products > cn=DAS > cn=OperationURLs.

   4. Update the value of the orcldasurlbase attribute to the virtual server name.

Step 7 Update mod_osso Registration

1. Run ssoreg as follows:

   On UNIX:

   > CFC_IM_ORACLE_HOME/sso/bin/ssoreg.sh
      -oracle_home_path im_oracle_home
      -site_name virtual_hostname:http_port
      -config_mod_osso TRUE
      -mod_osso_url http://virtual_hostname:port
      -u root
   
   

   On Windows:

   > CFC_IM_ORACLE_HOME\sso\bin\ssoreg.bat
      -oracle_home_path im_oracle_home
      -site_name virtual_hostname:http_port
      -config_mod_osso TRUE
      -mod_osso_url http://virtual_hostname:port
      -u system
   
   

   Replace im_oracle_home with the full path of the Oracle Identity Management Oracle home.

   Replace virtual_hostname with the fully qualified virtual hostname.

   Replace port with the Oracle HTTP Server port. Note that if you are using port 80, you must not specify the port number because port 80 is the default value.

2. Update the configuration in the DCM repository.

   > SSO_ORACLE_HOME/dcm/bin/dcmctl updateConfig
   
   

3. Restart the second OracleAS Single Sign-On.

   > opmnctl restartproc process-type=HTTP_Server
   > opmnctl restartproc process-type=OC4J_SECURITY
   
   

Step 8 Verify That All the Components Are Working

Verify that the Oracle Identity Management and middle-tier components are working.

1. Test Oracle Identity Management components.

   • Test Oracle Delegated Administration Services by accessing its URL, http://virtual_server_name:port/oiddas, and try to perform some operations. Example: http://sso.mydomain.com/oiddas.

   • Test OracleAS Single Sign-On by accessing its URL, http://virtual_server_name:port/pls/orasso, and try to perform some operations. Example: http://sso.mydomain.com/pls/orasso.

2. Test middle-tier components. For example, to test OracleAS Portal, access its URL, http://portalhost.mydomain.com/pls/portal, and try to perform some operations.

Step 9 Decommission the Oracle Homes That Are No Longer Used

At the end of the transformation procedure, you no longer need these Oracle homes:

• Oracle home for the source OracleAS Metadata Repository database

  If you are not using this Oracle home for other purposes (that is, if you were using this Oracle home only for the OracleAS Metadata Repository database), then you can deinstall it. See the "Removing Oracle Software" chapter in the Oracle Database Installation Guide for details.

• Oracle home for the source Oracle Identity Management

  You can deinstall it by following the procedures in the "Deinstallation and Reinstallation" appendix in the Oracle Application Server Installation Guide.