Oracle® Application Server Installation Guide
10g Release 2 (10.1.2) for Microsoft Windows B14094-03 |
This chapter describes how to install Oracle Application Server in OracleAS Cluster (Identity Management) configurations.
Section 12.1, "OracleAS Cluster (Identity Management): Introduction"
Section 12.2, "Pre-Installation Steps for OracleAS Cluster (Identity Management)"
Section 12.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server"
Section 12.5, "Installing an OracleAS Cluster (Identity Management) Configuration"
Section 12.6, "Installing a Distributed OracleAS Cluster (Identity Management) Configuration"
In OracleAS Cluster (Identity Management) configurations, the Oracle Identity Management components and the OracleAS Metadata Repository run on separate nodes. All the nodes in an OracleAS Cluster (Identity Management) configuration are active. Requests from clients, such as middle tiers, are directed to a load balancer, which then directs the requests to one of the active nodes. See Figure 12-1.
These nodes can belong to a hardware cluster, but this is not required.
These configurations are called "OracleAS Cluster (Identity Management)" because the OracleAS Single Sign-On and Oracle Delegated Administration Services components are clustered. This means that these components are configured identically across nodes.
Database (OracleAS Metadata Repository) Requirement
You need an existing database before installing an OracleAS Cluster (Identity Management) configuration. You will install the OracleAS Metadata Repository on this database using the OracleAS Metadata Repository Creation Assistant. You can use any database configuration supported by OracleAS Metadata Repository Creation Assistant. See the Oracle Application Server Metadata Repository Creation Assistant User's Guide for the supported database configurations. For OracleAS Cluster (Identity Management) configurations, Oracle recommends using a high availability database configuration such as Real Application Clusters or cold failover cluster.
You can only install one OracleAS Cluster (Identity Management) on an OracleAS Metadata Repository.
Note: For OracleAS Cluster (Identity Management) configurations, you never select the "Oracle Identity Management and OracleAS Metadata Repository" option in the installer. You always select the Oracle Identity Management option. This is why you need an existing database for the OracleAS Metadata Repository.
Always Select the Same Components
Because the installer clusters the components in an OracleAS Cluster (Identity Management) configuration, you need to select the same components in the Select Configuration Options screen for all the nodes in the cluster.
For example, if you select Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services for the installation on node 1, then you have to select the same set of components in subsequent installations.
Clustering will fail if you select different components in each installation.
Configurations
You can install OracleAS Cluster (Identity Management) in these configurations:
OracleAS Cluster (Identity Management). See Section 12.5.
Distributed OracleAS Cluster (Identity Management). See Section 12.6.
Before installing an OracleAS Cluster (Identity Management) configuration, you need to set up the following items:
Section 12.2.1, "Use the Same Path for the Oracle Home Directory (recommended)"
Section 12.2.3, "Configure Virtual Server Names and Ports for the Load Balancer"
Section 12.2.5, "Set up Cookie Persistence on the Load Balancer"
For all the nodes that will be running Oracle Identity Management components, use the same full path for the Oracle home. This practice is recommended, but not required.
Synchronize the system clocks on all nodes so they are running within 250 seconds of each other. When synchronizing the system clocks, make sure the clocks are set to the same time zone.
Note: If you do not synchronize the clocks, then there will be inconsistent operation attributes in the directory entries and inconsistent behavior of the password state policies. As a result, you will see unwanted instance failovers.
Configure your load balancer with two virtual server names and associated ports:
Configure a virtual server name for LDAP connections. For this virtual server, you need to configure two ports: one for SSL and one for non-SSL connections.
Note: Ensure that the same ports that you configured for the LDAP virtual server are available on the nodes on which you will be installing Oracle Internet Directory. The installer will configure Oracle Internet Directory to use the same port numbers that are configured on the LDAP virtual server. In other words, Oracle Internet Directory on all the nodes and the LDAP virtual server will use the same port numbers. Even if the port numbers are set in the
Configure a virtual server name for HTTP connections. For this virtual server, you also need to configure a port for either SSL or non-SSL connections. If you want the client to connect to the load balancer using HTTPS, configure a port for SSL connections. If you want the client to connect to the load balancer using HTTP, configure a port for non-SSL connections.
Note: The ports for the HTTP virtual server can be different from the Oracle HTTP Server Listen ports.
The installer will prompt you for the virtual server names and port numbers. Enter the same virtual server name in the installer that you used to configure the LDAP and HTTP virtual servers. The virtual server name may or may not be fully-qualified. For example, if you used a fully-qualified host name when you configured the LDAP virtual server, then you must enter the same fully-qualified host name in the installer.
Note: The installer does not check the load balancer. Make sure the load balancer is properly configured and enabled before running the installer.
In addition, check the following:
Check that the virtual server names are associated with IP addresses and are part of your DNS. The nodes that will be running Oracle Application Server must be able to resolve these virtual server names.
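The installer does not verify the clocks or the load balancer, so the checks of Sections 12.2.2 and 12.2.3 are worth scripting. The following is an added example and is not part of the Oracle guide: it checks that all nodes are within 250 seconds of each other and in the same time zone, that the LDAP and HTTP virtual server names resolve, and that the LDAP ports configured on the virtual server are free on the node it runs on (since the installer gives Oracle Internet Directory exactly those ports). The node names, virtual server names and clock samples are constructed; the resolver and port probe are injectable so the logic can be exercised offline.

```python
"""Pre-installation checks for OracleAS Cluster (Identity Management).

Added example; it is not part of the Oracle Application Server Installation
Guide. It encodes the requirements of Section 12.2.2 (clocks within
250 seconds, same time zone) and Section 12.2.3 (resolvable virtual server
names, identical LDAP ports on the virtual server and on every node).
All names and clock samples below are constructed.
"""
import socket
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW_SECONDS = 250  # limit stated in Section 12.2.2


def check_clocks(samples):
    """samples: {node_name: timezone-aware datetime read from that node}.

    Returns a list of problems; an empty list means the clocks are acceptable.
    """
    problems = []
    offsets = {node: dt.utcoffset() for node, dt in samples.items()}
    if len(set(offsets.values())) > 1:
        problems.append("nodes are not in the same time zone: "
                        + ", ".join(f"{n}={o}" for n, o in sorted(offsets.items())))
    nodes = sorted(samples)
    for i, a in enumerate(nodes):
        for b in nodes[i + 1:]:
            # aware datetimes subtract correctly even across different UTC offsets
            skew = abs((samples[a] - samples[b]).total_seconds())
            if skew > MAX_CLOCK_SKEW_SECONDS:
                problems.append(f"clock skew between {a} and {b} is {skew:.0f}s "
                                f"(limit {MAX_CLOCK_SKEW_SECONDS}s)")
    return problems


def local_port_free(port):
    """True if nothing on this host is bound to TCP `port` on any interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
            return True
        except OSError:  # in use, or not permitted for a privileged port
            return False


def check_virtual_servers(ldap_vs, http_vs, resolve=socket.gethostbyname,
                          port_free=local_port_free):
    """ldap_vs: {"name": str, "ssl_port": int, "nonssl_port": int}
    http_vs: {"name": str, "port": int, "ssl": bool}

    Run this on each node that will host Oracle Internet Directory.
    """
    problems = []
    for label, vs in (("LDAP", ldap_vs), ("HTTP", http_vs)):
        try:
            resolve(vs["name"])
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"{label} virtual server name {vs['name']!r} does not resolve in DNS")
    if ldap_vs["ssl_port"] == ldap_vs["nonssl_port"]:
        problems.append("LDAP SSL and non-SSL ports on the virtual server must differ")
    for kind in ("ssl_port", "nonssl_port"):
        port = ldap_vs[kind]
        if not port_free(port):
            problems.append(f"LDAP {kind} {port} is not free on this node; "
                            "the installer will assign it to Oracle Internet Directory")
    return problems


# Constructed samples: three nodes read in the same second; imnode3 has drifted.
_TZ = timezone(timedelta(hours=-8))
SAMPLE_CLOCKS = {
    "imnode1": datetime(2005, 6, 1, 9, 0, 0, tzinfo=_TZ),
    "imnode2": datetime(2005, 6, 1, 9, 0, 40, tzinfo=_TZ),
    "imnode3": datetime(2005, 6, 1, 9, 5, 30, tzinfo=_TZ),  # 330 s ahead of imnode1
}
# Same instant within 10 s, but imnode2 is set to UTC instead of the cluster zone.
SAMPLE_CLOCKS_TZ_MISMATCH = {
    "imnode1": datetime(2005, 6, 1, 9, 0, 0, tzinfo=_TZ),
    "imnode2": datetime(2005, 6, 1, 17, 0, 10, tzinfo=timezone.utc),
}
SAMPLE_LDAP_VS = {"name": "ldap.example.com", "ssl_port": 636, "nonssl_port": 389}
SAMPLE_HTTP_VS = {"name": "sso.example.com", "port": 443, "ssl": True}

if __name__ == "__main__":
    for p in check_clocks(SAMPLE_CLOCKS) + check_clocks(SAMPLE_CLOCKS_TZ_MISMATCH):
        print("CLOCK:", p)
    for p in check_virtual_servers(SAMPLE_LDAP_VS, SAMPLE_HTTP_VS):
        print("LOAD BALANCER:", p)
```

Run it on every node before starting the installer; on a real cluster collect the clock samples from all nodes within the same second and replace the constructed names with the virtual server names you configured on the load balancer.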
Configure the LDAP virtual server on your load balancer to direct requests to node 1 initially. The procedure to add additional nodes differs depending upon whether or not your load balancer supports LDAP service monitoring.
Note that these procedures apply only to the LDAP virtual server configured on your load balancer. They do not apply to the HTTP virtual server configured on your load balancer.
If your load balancer supports LDAP service monitoring, then you can add all the nodes to the LDAP virtual server before starting the installation.
For example, if you have three nodes:
Configure the LDAP virtual server to direct requests to node 1 only.
Add node 2 to the LDAP virtual server.
Add node 3 to the LDAP virtual server.
Install Oracle Identity Management components on node 1.
Install Oracle Identity Management components on node 2.
Install Oracle Identity Management components on node 3.
If your load balancer does not support LDAP service monitoring, then configure your LDAP virtual server to direct requests to node 1 only before starting the installation. After you complete an installation on a node, then you can add that node to the virtual server.
For example, if you have three nodes:
Configure the LDAP virtual server to direct requests to node 1 only.
Install Oracle Identity Management components on node 1.
Install Oracle Identity Management components on node 2.
Add node 2 to the LDAP virtual server.
Install Oracle Identity Management components on node 3.
Add node 3 to the LDAP virtual server.
On your load balancer, set up cookie persistence for HTTP traffic. Specifically, set up cookie persistence for URIs starting with /oiddas/. This is the URI for Oracle Delegated Administration Services. If your load balancer does not allow you to set cookie persistence at the URI level, then set the cookie persistence for all HTTP traffic. In either case, set the cookie to expire when the browser session expires. Refer to your load balancer documentation for details.
In OracleAS Cluster (Identity Management) configurations, you install Oracle Internet Directory on multiple nodes, and in each installation, you enter the instance password in the "Specify Instance Name and ias_admin Password" screen.
The password specified in the first installation is used as the password for the cn=orcladmin and orcladmin users not just in the first Oracle Internet Directory, but in all Oracle Internet Directory installations in the cluster.
This means that to access the Oracle Internet Directory on any node, you have to use the password that you entered in the first installation. You cannot use the passwords that you entered in subsequent installations.
Accessing the Oracle Internet Directory includes:
Logging into Oracle Delegated Administration Services (URL: http://hostname:port/oiddas)
Logging into OracleAS Single Sign-On (URL: http://hostname:port/pls/orasso)
Connecting to Oracle Internet Directory using the Oracle Directory Manager
You still need the passwords that you entered in subsequent installations for logging into Application Server Control.
When you are installing OracleAS Cluster (Identity Management) configurations, the installer displays the "Specify HTTP Load Balancer Host and Listen Ports" screen.
This screen has two sections:
In the load balancer section, you specify the load balancer's HTTP virtual server name and port number. You also indicate whether the port is for SSL or non-SSL requests.
In the Oracle HTTP Server section, you specify the port number that you want for the Oracle HTTP Server Listen port. You also indicate whether the port is for SSL or non-SSL requests.
The virtual server and the Oracle HTTP Server Listen port can use different port numbers.
You use this screen to set up the type of communication (SSL or non-SSL) between client, load balancer, and Oracle HTTP Server. Three cases are possible:
Case 1: Communications between clients and the load balancer use HTTP, and communications between the load balancer and Oracle HTTP Server also use HTTP. See Section 12.4.1, "Case 1: Client ---[HTTP]---> Load Balancer ---[HTTP]---> Oracle HTTP Server".
Case 2: Communications between clients and the load balancer use HTTPS, and communications between the load balancer and Oracle HTTP Server also use HTTPS. See Section 12.4.2, "Case 2: Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server".
Case 3: Communications between clients and the load balancer use HTTPS, but communications between the load balancer and Oracle HTTP Server use HTTP. See Section 12.4.3, "Case 3: Client ---[HTTPS]---> Load Balancer ---[HTTP]---> Oracle HTTP Server".
Note: Because the values you specify in this dialog override the values specified in the staticports.ini file, you should not specify port numbers for the Oracle HTTP Server Listen port in the staticports.ini file.
Case 1: Client ---[HTTP]---> Load Balancer ---[HTTP]---> Oracle HTTP Server
HTTP Listener: Port: Enter the port number that you want to use as the Oracle HTTP Server Listen port. This will be the value of the Listen directive in the httpd.conf file. Enable SSL: Do not select this option. The installer tries the default port number for the SSL port.
HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTP requests.
HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the httpd.conf file. Enable SSL: Do not select this option.
Example
Table 12-1 Example for Case 1

| Values in Screen | Resulting Values in Configuration Files |
|---|---|
| HTTP Listener: Port: 8000; Enable SSL: unchecked. HTTP Load Balancer: Port: 80; Enable SSL: unchecked | In httpd.conf: Port 80, Listen 8000. In ssl.conf: Port <default port number assigned by installer>, Listen <default port number assigned by installer> |
Case 2: Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server
HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. This will be the value of the Listen directive in the ssl.conf file. Enable SSL: Select this option.
HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTPS requests.
HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the ssl.conf file. Enable SSL: This option has been automatically selected and cannot be deselected. This is because you selected Enable SSL for the HTTP Listener.
In opmn.xml, the installer sets the ssl-enabled line in the Oracle HTTP Server section to true.
Example
Table 12-2 Example for Case 2

| Values in Screen | Resulting Values in Configuration Files |
|---|---|
| HTTP Listener: Port: 90; Enable SSL: checked. HTTP Load Balancer: Port: 443; Enable SSL: checked | In httpd.conf: Port <default port number assigned by installer>, Listen <default port number assigned by installer>. In ssl.conf: Port 443, Listen 90 |

Note that in this case you will have to perform an additional post-configuration step. See Section 12.7.1, "Update targets.xml (Case 2 only)".
Case 3: Client ---[HTTPS]---> Load Balancer ---[HTTP]---> Oracle HTTP Server
HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. This will be the value of the Listen directive in the httpd.conf file. Enable SSL: Do not select this option.
HTTP Load Balancer: Hostname: Enter the name of the virtual server on the load balancer configured to handle HTTPS requests.
HTTP Load Balancer: Port: Enter the port number that the HTTP virtual server listens on. This will be the value of the Port directive in the httpd.conf file. Enable SSL: Select this option.
Note that in this configuration, the load balancer must have SSL acceleration capabilities, or you must add a separate SSL accelerator. The conversion from HTTPS to HTTP happens before Oracle HTTP Server receives the request. The SSL accelerator must be properly configured prior to installation. The installer does not check for this.
The installer will change the following lines:
In opmn.xml, the installer sets the ssl-enabled line in the Oracle HTTP Server section to true.
In httpd.conf, the installer adds the following lines:
LoadModule certheaders_module libexec/mod_certheaders.so
SimulateHttps on
With SimulateHttps on, Oracle HTTP Server treats every request that arrives on its Listen port as if the client had used HTTPS, which is correct only for requests that came through the load balancer. Restrict network access to the Oracle HTTP Server Listen port to the load balancer; otherwise a client that connects to Oracle HTTP Server directly over plain HTTP is handled as an HTTPS client.
Example
Table 12-3 Example for Case 3

| Values in Screen | Resulting Values in Configuration Files |
|---|---|
| HTTP Listener: Port: 9000; Enable SSL: unchecked. HTTP Load Balancer: Port: 443; Enable SSL: checked | In httpd.conf: Port 443, Listen 9000. In ssl.conf: Port <default port number assigned by installer>, Listen <default port number assigned by installer> |
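After installation, the three cases of Section 12.4 can be told apart from the files the installer writes. The following is an added example, not part of the Oracle guide: it reads the Port and Listen directives from httpd.conf and ssl.conf, looks for the mod_certheaders lines of Case 3, and combines them with the ssl-enabled setting from the Oracle HTTP Server section of opmn.xml (passed in as a boolean, since the example does not parse opmn.xml) to report which case is in effect, which port the load balancer and Oracle HTTP Server use, and whether the files contradict each other. The configuration fragments are constructed from Tables 12-1 to 12-3; the numbers standing in for the installer-assigned defaults are made up.

```python
"""Classify an Oracle HTTP Server front end into the SSL cases of Section 12.4.

Added example, not part of the Oracle Application Server Installation Guide.
The sample fragments are constructed from Tables 12-1 to 12-3; real files
contain many more directives.
"""
import re


def _last_directive(conf, name):
    """Value of the last uncommented `name value` line (Apache 1.3 style)."""
    pattern = re.compile(rf"^\s*{name}\s+(\S+)\s*$", re.IGNORECASE)
    value = None
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            value = m.group(1)
    return value


def _port(value):
    """`Listen 8000` or `Listen 10.0.0.5:8000` -> 8000; None stays None."""
    return None if value is None else int(value.rsplit(":", 1)[-1])


def classify_ohs_front_end(httpd_conf, ssl_conf, ohs_ssl_enabled):
    """ohs_ssl_enabled: the ssl-enabled value from the Oracle HTTP Server
    section of opmn.xml. Returns the case, the ports and any inconsistencies."""
    simulate = re.search(r"^\s*SimulateHttps\s+on\s*$", httpd_conf, re.I | re.M) is not None
    certheaders = re.search(r"^\s*LoadModule\s+certheaders_module\b", httpd_conf, re.I | re.M) is not None
    warnings = []
    if simulate and not certheaders:
        warnings.append("SimulateHttps on without LoadModule certheaders_module")
    if simulate and not ohs_ssl_enabled:
        warnings.append("SimulateHttps on but ssl-enabled is not true in opmn.xml")
    if not ohs_ssl_enabled:
        case, src, client, backend = 1, httpd_conf, "http", "http"
    elif simulate:
        case, src, client, backend = 3, httpd_conf, "https", "http"
    else:
        case, src, client, backend = 2, ssl_conf, "https", "https"
    # Case 2 takes its values from ssl.conf; Cases 1 and 3 from httpd.conf.
    lb_port = _port(_last_directive(src, "Port"))
    ohs_listen = _port(_last_directive(src, "Listen"))
    if lb_port is None or ohs_listen is None:
        warnings.append("Port/Listen missing from " + ("ssl.conf" if case == 2 else "httpd.conf"))
    if case == 3:
        warnings.append("load balancer to Oracle HTTP Server traffic is plaintext; "
                        "restrict the Listen port to the load balancer")
    return {"case": case, "client_to_lb": client, "lb_to_ohs": backend,
            "lb_port": lb_port, "ohs_listen": ohs_listen, "warnings": warnings}


# Constructed fragments. 7777 and 4443 stand in for installer-assigned defaults.
HTTPD_CASE1 = "# httpd.conf after a Case 1 install\nPort 80\nListen 8000\n"
SSL_CASE1 = "# ssl.conf, installer defaults\nPort 4443\nListen 4443\n"
HTTPD_CASE2 = "Port 7777\nListen 7777\n"
SSL_CASE2 = "Port 443\nListen 90\n"
HTTPD_CASE3 = ("Port 443\nListen 9000\n"
               "LoadModule certheaders_module libexec/mod_certheaders.so\n"
               "SimulateHttps on\n")
SSL_CASE3 = SSL_CASE1

if __name__ == "__main__":
    for label, args in (("Case 1", (HTTPD_CASE1, SSL_CASE1, False)),
                        ("Case 2", (HTTPD_CASE2, SSL_CASE2, True)),
                        ("Case 3", (HTTPD_CASE3, SSL_CASE3, True)),
                        ("Case 3 files, ssl-enabled false", (HTTPD_CASE3, SSL_CASE3, False))):
        print(label, classify_ohs_front_end(*args))
```

The last sample shows the failure mode worth checking on each node: Case 3 directives in httpd.conf with ssl-enabled still false in opmn.xml. The classifier then reports Case 1 and a warning, because the files disagree about how Oracle HTTP Server should be started.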
In this configuration, you need an existing database that is already running in a configuration supported by the OracleAS Metadata Repository Creation Assistant. Oracle recommends running the database in a high availability environment, such as a Real Application Clusters database. You also need additional nodes (at least two nodes) to run Oracle Identity Management components. In this configuration, Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services run on each node. If you want to distribute these components, see Section 12.6, "Installing a Distributed OracleAS Cluster (Identity Management) Configuration".
These nodes are accessed through a load balancer. See Figure 12-1.
You install the OracleAS Metadata Repository in your existing database, then install Oracle Identity Management components against this database.
Figure 12-1 OracleAS Cluster (Identity Management) Configuration
Subsections:
Section 12.5.3, "Installing OracleAS Cluster (Identity Management) on the First Node"
Section 12.5.4, "Installing OracleAS Cluster (Identity Management) on Subsequent Nodes"
Section 12.5.5, "If the Cluster Configuration Assistant Failed"
To create an OracleAS Cluster (Identity Management) configuration:
Install the OracleAS Metadata Repository in your existing database.
Install Oracle Identity Management components on each node. You run the installer on each node separately.
Install middle tiers.
To install the OracleAS Metadata Repository in your existing database, you use the OracleAS Metadata Repository Creation Assistant. See the Oracle Application Server Metadata Repository Creation Assistant User's Guide for details.
Run the installer on each node where you want to install Oracle Identity Management components.
Note that the procedure for installing Oracle Identity Management components on the first node is different from installing the components on subsequent nodes. To install the components on subsequent nodes, see Section 12.5.4, "Installing OracleAS Cluster (Identity Management) on Subsequent Nodes".
Subsections:
Section 12.5.3.2, "Disable TCP Monitoring on Load Balancer for First Node"
Section 12.5.3.5, "Select the Same Components for Each Node"
If you want to use custom ports for components other than Oracle HTTP Server or Oracle Internet Directory, you need to create a staticports.ini file for this installation.
If you want custom ports for Oracle HTTP Server or Oracle Internet Directory, you specify them in the "Specify HTTP Load Balancer Host and Listen Ports" and the "Specify LDAP Virtual Host and Listen Ports" screens.
If you specify custom ports for Oracle HTTP Server and Oracle Internet Directory also in the staticports.ini file, and you also specify ports in the screens mentioned above, the ports specified in the screens take precedence.
To avoid specifying Oracle HTTP Server and Oracle Internet Directory ports in the staticports.ini file, the staticports.ini file must not contain these lines:
Oracle HTTP Server port = port_num
Oracle HTTP Server Listen port = port_num
Oracle HTTP Server SSL port = port_num
Oracle HTTP Server Listen (SSL) port = port_num
Oracle Internet Directory port = port_num
Oracle Internet Directory (SSL) port = port_num
If you have a staticports.ini file, you should also use the same file for installations on subsequent nodes.
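Because the same staticports.ini file is reused on every node, a mistake in it is repeated across the cluster. The following is an added example, not part of the Oracle guide: it parses a staticports.ini file (`name = port` lines, `#` comments) and reports the six Oracle HTTP Server and Oracle Internet Directory entries that must not appear in an OracleAS Cluster (Identity Management) installation, entries set more than once, two components assigned the same port, and values that are not valid ports. The sample file and its component names other than the six from this section are constructed for illustration.

```python
"""Check a staticports.ini file for an OracleAS Cluster (Identity Management) node.

Added example; not part of the Oracle Application Server Installation Guide.
The sample file below is constructed.
"""

# Entries the installer screens set instead (Section 12.5.3.1).
FORBIDDEN_FOR_IM_CLUSTER = (
    "Oracle HTTP Server port",
    "Oracle HTTP Server Listen port",
    "Oracle HTTP Server SSL port",
    "Oracle HTTP Server Listen (SSL) port",
    "Oracle Internet Directory port",
    "Oracle Internet Directory (SSL) port",
)


def parse_staticports(text):
    """Return (entries, problems); entries is a list of (name, port) in file order."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not a `name = port` line: {raw!r}")
            continue
        name, value = name.strip(), value.strip()
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            problems.append(f"line {lineno}: {name!r} has an invalid port {value!r}")
            continue
        entries.append((name, int(value)))
    return entries, problems


def check_staticports_for_im_cluster(text):
    """All problems found in `text`; an empty list means the file is usable."""
    entries, problems = parse_staticports(text)
    forbidden = {n.lower() for n in FORBIDDEN_FOR_IM_CLUSTER}
    seen, by_port = {}, {}
    for name, port in entries:
        key = name.lower()  # tolerate case differences when matching names
        if key in forbidden:
            problems.append(f"{name!r} must not be set here; the installer screens set it")
        if key in seen:
            problems.append(f"{name!r} is set more than once ({seen[key]} and {port})")
        seen[key] = port
        by_port.setdefault(port, []).append(name)
    for port, names in by_port.items():
        if len(names) > 1:
            problems.append(f"port {port} is assigned to more than one component: {names}")
    return problems


# Constructed sample with two mistakes: a forbidden OHS entry and a reused port.
SAMPLE_STATICPORTS = """\
# staticports.ini for the Identity Management nodes (constructed sample)
Oracle HTTP Server port = 7777
Application Server Control port = 1810
Oracle Notification Server Request port = 6003
Oracle Notification Server Local port = 6003
"""

if __name__ == "__main__":
    for problem in check_staticports_for_im_cluster(SAMPLE_STATICPORTS):
        print("staticports.ini:", problem)
```

Run it against the file before the first installation; the same file is then reused unchanged for every subsequent node.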
Before installing on the first node, you must make sure that TCP monitoring is not enabled for the Virtual IP on the first node.
It is highly recommended that you configure the load balancer virtual server to return immediately to the calling client when the backend services to which it forwards traffic are unavailable. This is preferred over the client disconnecting on its own after a timeout based on the TCP/IP settings on the client machine.
If your load balancer is not configured this way, the Java Security Configuration Assistant may report the following:
WARNING: DCM service may not be available at this time to synchronize $ORACLE_HOME/j2ee/home/config/jazn-data.xml file.
Refer to Section H.3.18, "WARNING: DCM service may not be available at this time" for information on how to correct this problem after the installation is finished.
See Also: The Oracle Application Server High Availability Guide for more information on load balancer requirements.
When you perform the installation on the first node, you need to specify an OracleAS Metadata Repository that is not registered with any Oracle Internet Directory. The installer checks for this. If the installer finds that the OracleAS Metadata Repository is already registered with an Oracle Internet Directory, then it assumes that you are installing on subsequent nodes, and that you want to join the cluster that was created when you installed on the first node. It prompts you for the existing cluster name, and the connect information for the Oracle Internet Directory.
You must select the same components in the Select Configuration Options screen when installing on each node. For example, if you select Oracle Internet Directory, OracleAS Single Sign-On, and Oracle Delegated Administration Services on the first node, you must select these same set of components on subsequent nodes.
Follow the steps in Table 12-4.
Key Points for Installing on the First Node
In the Select Configuration Options screen, select High Availability and Replication, in addition to selecting the components.
In the Select High Availability or Replication Option screen, select OracleAS Cluster (Identity Management).
Table 12-4 Steps for Installing OracleAS Cluster (Identity Management) on the First Node

1. (No screen.) Start up the installer and complete the first few screens. See Section 6.27, "Install Fragment: The First Few Screens of the Installation" for details. Note: In the Select Installation Type screen, select Oracle Identity Management.

2. Select Configuration Options screen. Select Oracle Internet Directory. Select Oracle Application Server Single Sign-On. Select Oracle Application Server Delegated Administration Services. Select Oracle Application Server Directory Integration and Provisioning. Do not select Oracle Application Server Certificate Authority (OCA). Select High Availability and Replication. Click Next.

3. Specify Port Configuration Options screen. Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 12.5.3.1, "Create staticports.ini File". Click Next.

4. Specify Repository screen. When you install on the first node, you need to specify an OracleAS Metadata Repository that is not registered with an Oracle Internet Directory. (When you install on subsequent nodes, the OracleAS Metadata Repository is already registered with the Oracle Internet Directory on the first node.)
Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.
Password: Enter the user's password.
Hostname and Port: Enter the names of all the nodes where the Real Application Clusters database is running, and the port numbers. Use the format: host1.domain.com:port1, host2.domain.com:port2, ...
Service Name: Enter the service name of the database. Note that the service name must include the database domain name. Example:
Click Next.

5. Select High Availability or Replication Option screen. Select OracleAS Cluster (Identity Management), and click Next.

6. Specify New Oracle Application Server Cluster Name screen. Enter a name for the new OracleAS Cluster (Identity Management). Note that the cluster name is case-sensitive. Oracle recommends that you record the cluster name for use during installations on subsequent nodes. Example:
Click Next.

7. Specify Namespace in Internet Directory screen. Select the suggested namespace, or enter a custom namespace for the location of the default Oracle Identity Management realm. Ensure the value shown in Suggested Namespace meets your deployment needs. If not, enter the desired value in Custom Namespace. See Section 6.16, "What Do I Enter in the "Specify Namespace in Internet Directory" Screen?". Click Next.

8. Specify LDAP Virtual Host and Ports screen. The values you enter in this screen depend on your scenario. There are two possible scenarios:
Scenario 1: You have configured a virtual server on your load balancer to handle LDAP traffic from Oracle Delegated Administration Services and OracleAS Single Sign-On to Oracle Internet Directory.
Scenario 2: You do not have a load balancer.
Hostname: In scenario 1, enter the name of the virtual server in this field. Enter the same virtual server name that you configured on the load balancer. In scenario 2, enter the name of the computer running Oracle Internet Directory.
Notes on the port values (see Section 12.2.3, "Configure Virtual Server Names and Ports for the Load Balancer" for details):
SSL Port: In scenario 1, enter the port configured on the virtual server to handle SSL LDAP connections. In scenario 2, enter the port that you want Oracle Internet Directory to use for SSL connections. The standard port number for SSL LDAP connections is 636, but you can use any port that you want.
Non-SSL Port: In scenario 1, enter the port configured on the virtual server to handle non-SSL LDAP connections. In scenario 2, enter the port that you want Oracle Internet Directory to use for non-SSL connections. The standard port number for non-SSL LDAP connections is 389, but you can use any port that you want.
Click Next.

9. Specify HTTP Listen Port, Load Balancer Host and Port screen. See Section 12.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details.
HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port.
HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer.
HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only.
Click Next.

10. Specify Instance Name and ias_admin Password screen.
Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 5.8, "Oracle Application Server Instances and Instance Names" for instance name details. Example:
ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 5.9, "The ias_admin User and Restrictions on its Password" for restrictions on the password. Example:
Click Next.

11. (No screen.) Finish the installation. See Section 6.28, "Install Fragment: The Last Few Screens of the Installation" for details.
You run the installer on each node where you want to install Oracle Identity Management components. Use this procedure to install Oracle Identity Management components on nodes other than the first. For the first node, see Section 12.5.3, "Installing OracleAS Cluster (Identity Management) on the First Node".
Key Points for Installing on Subsequent Nodes
Use the same staticports.ini file that you used for installing on the first node to ensure that the same component on all nodes uses the same port number.
In the Specify HTTP Load Balancer Host and Ports screen, enter the name of the HTTP virtual server of the load balancer, and the associated port. You also enter the port number for Oracle HTTP Server on this screen.
Follow the steps in Table 12-5.
Table 12-5 Steps for Installing OracleAS Cluster (Identity Management) on Subsequent Nodes

1. (No screen.) Start up the installer and complete the first few screens. See Section 6.27, "Install Fragment: The First Few Screens of the Installation" for details. Note: In the Select Installation Type screen, select Oracle Identity Management.

2. Select Configuration Options screen. Select Oracle Internet Directory. Select Oracle Application Server Single Sign-On. Select Oracle Application Server Delegated Administration Services. Select Oracle Application Server Directory Integration and Provisioning. Do not select Oracle Application Server Certificate Authority (OCA). Select High Availability and Replication. Click Next.

3. Specify Port Configuration Options screen. Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 12.5.3.1, "Create staticports.ini File". Click Next.

4. Specify Repository screen. Specify the OracleAS Metadata Repository that is registered with the Oracle Internet Directory on the first node.
Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges.
Password: Enter the user's password.
Hostname and Port: Enter the names of all the nodes where the Real Application Clusters database is running, and the port numbers. Use the format: host1.domain.com:port1, host2.domain.com:port2, ...
Service Name: Enter the service name of the database. Note that the service name must include the database domain name. Example:
Click Next.

5. Warning. This warning reminds you that you are installing this instance as part of an OracleAS Cluster (Identity Management), and that you need to synchronize the clocks on the nodes in the cluster. See Section 12.2.2, "Synchronize Clocks on All Nodes". Click OK.

6. Specify Existing Oracle Application Server Cluster Name screen. Specify an existing OracleAS Cluster (Identity Management) for the current instance to join. The cluster was created during a previous identical installation. Note that the cluster name is case-sensitive. Example:
Click Next.

7. Specify ODS Password screen. Enter the password for the ODS schema in the OracleAS Metadata Repository. The ODS schema is the main schema used by Oracle Internet Directory. By default, the ODS password is the same as the ias_admin password that you entered in the Specify Instance Name and ias_admin Password screen when installing on the first node. Click Next.

8. Specify LDAP Virtual Host and Ports screen. The values you enter on this screen are the same as the values you entered when you did the installation on the first node. The installer uses these values to connect to the Oracle Internet Directory on the first node.
Hostname: Enter the LDAP virtual server name of the load balancer. Enter the same virtual server name that you configured on the load balancer.
SSL Port: Enter the port configured on this load balancer to handle LDAP SSL connections.
Non-SSL Port: Enter the port configured on this load balancer to handle LDAP non-SSL connections. If the load balancer is running in SSL-only mode, this field will not appear on the screen.
Click Next.

9. Warning. This warning reminds you to set up the LDAP virtual server to direct requests to existing OracleAS Cluster (Identity Management) nodes, and then add this node to the LDAP virtual server after installation. See Section 12.2.4, "Configure Your LDAP Virtual Server". Click OK.

10. Specify Oracle Internet Directory Login screen.
Username: Enter the username to log in to Oracle Internet Directory. You need to log in as the Oracle Internet Directory superuser (cn=orcladmin).
Password: Enter the password for the username.
Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms.
Click Next.

11. Specify HTTP Load Balancer Host and Ports screen. See Section 12.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details. The values you enter on this screen are the same as the values you entered when you did the installation on the first node.
HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port.
HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer.
HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only.
Click Next.

12. Specify Instance Name and ias_admin Password screen.
Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 5.8, "Oracle Application Server Instances and Instance Names" for instance name details. Example:
ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 5.9, "The ias_admin User and Restrictions on its Password" for restrictions on the password. Example:
Click Next.

13. (No screen.) Finish the installation. See Section 6.28, "Install Fragment: The Last Few Screens of the Installation" for details.
If the Cluster Configuration Assistant failed, you can cluster the instance after installation. In this case, to cluster the instance, you must use the "dcmctl joincluster" command instead of Application Server Control. You cannot use Application Server Control in this case because Application Server Control cannot cluster instances that contain disabled components, and in this case the "home" OC4J instance is disabled.
In this configuration, you need an existing database that is already running in a configuration that is supported by OracleAS Metadata Repository Creation Assistant. Oracle recommends running the database in a high availability environment, such as a Real Application Clusters database. This database will contain the OracleAS Metadata Repository.
You also need two nodes to run OracleAS Single Sign-On and Oracle Delegated Administration Services components, and two additional nodes to run Oracle Internet Directory. These nodes are accessed through load balancers. See Figure 12-2.
Oracle Directory Integration and Provisioning Is Started on the First Node Only
The installer starts Oracle Directory Integration and Provisioning only on the first node, even though you selected it on subsequent nodes as well. On subsequent nodes, the installer configures Oracle Directory Integration and Provisioning, but does not start it.
If You Want Oracle Internet Directory to Listen on SSL Ports Only
If you want Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed OracleAS Single Sign-On and Oracle Delegated Administration Services. You need Oracle Internet Directory to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.
Figure 12-2 Distributed OracleAS Cluster (Identity Management) Configuration
Subsections:
Section 12.6.3, "Installing Oracle Internet Directory on the First Node"
Section 12.6.4, "Installing Oracle Internet Directory on Subsequent Nodes"
To create a distributed OracleAS Cluster (Identity Management) configuration:
Install OracleAS Metadata Repository in your existing database.
Install Oracle Internet Directory on each node. You run the installer on each node separately.
Note: If you want to configure Oracle Internet Directory to listen on SSL ports only, perform this configuration after you have installed OracleAS Single Sign-On and Oracle Delegated Administration Services. Oracle Internet Directory needs to be listening on both SSL and non-SSL ports when you install OracleAS Single Sign-On and Oracle Delegated Administration Services.
Install OracleAS Single Sign-On and Oracle Delegated Administration Services on each node. You run the installer on each node separately.
Install middle tiers.
To install the OracleAS Metadata Repository in your existing database, you use the OracleAS Metadata Repository Creation Assistant. See the Oracle Application Server Metadata Repository Creation Assistant User's Guide for details.
You run the installer on each node separately to install the Oracle Identity Management components.
When installing Oracle Internet Directory on the first node, you do not need a load balancer. You can set up and configure the load balancer later. However, you must ensure that the port numbers used by Oracle Internet Directory and by the load balancer are the same.
To do this, create a staticports.ini file to specify port numbers that you want Oracle Internet Directory to use. Your load balancer will use the same port numbers for LDAP communications. The staticports.ini file should contain these lines:
```ini
Oracle Internet Directory port = port_num
Oracle Internet Directory (SSL) port = port_num
```
If you are setting up the second node as a failover to the first node, then you must select the same set of components in the Select Configuration Options screen for each installation. For example, if you select Oracle Internet Directory and Oracle Directory Integration and Provisioning on the first node, you need to select them when installing on subsequent nodes.
To install Oracle Internet Directory on the first node, follow the steps in Table 12-6.
To install Oracle Internet Directory on subsequent nodes, see Section 12.6.4, "Installing Oracle Internet Directory on Subsequent Nodes".
Key Points
You must select the same components in the Select Configuration Options screen on all nodes. For example, if you select both Oracle Internet Directory and Oracle Directory Integration and Provisioning on the first node, you must select them on subsequent nodes in this tier.
Table 12-6 Steps for Installing Oracle Internet Directory in a Distributed OracleAS Cluster (Identity Management) on the First Node
|  | Screen | Action |
|---|---|---|
| 1. | -- | Start up the installer and complete the first few screens. See Section 6.27, "Install Fragment: The First Few Screens of the Installation" for details. Notes: In the Select Installation Type screen, select Oracle Identity Management. |
| 2. | Select Configuration Options | Select Oracle Internet Directory. Do not select Oracle Application Server Single Sign-On. Do not select Oracle Application Server Delegated Administration Services. Select Oracle Application Server Directory Integration and Provisioning if you need this component. Do not select Oracle Application Server Certificate Authority (OCA). Select High Availability and Replication. Click Next. |
| 3. | Specify Port Configuration Options | Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 12.6.3.1, "Set up staticports.ini File". Click Next. |
| 4. | Specify Repository | When you install on the first node, you need to specify an OracleAS Metadata Repository that is not already registered with an Oracle Internet Directory. When you install on subsequent nodes, the OracleAS Metadata Repository is registered with the Oracle Internet Directory on the first node. Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges. Password: Enter the user's password. Hostname and Port: Enter the name of the computer where the database is running, and the port number at which it is listening. Use the format: Service Name: Enter the service name of the database. Note that the service name must include the database domain name. Example: Click Next. |
| 5. | Select High Availability or Replication Option | Select OracleAS Cluster (Identity Management), and click Next. |
| 6. | Specify Namespace in Internet Directory | Select the suggested namespace, or enter a custom namespace for the location of the default Oracle Identity Management realm. Ensure the value shown in Suggested Namespace meets your deployment needs. If not, enter the desired value in Custom Namespace. See Section 6.16, "What Do I Enter in the "Specify Namespace in Internet Directory" Screen?". Click Next. |
| 7. | Specify Instance Name and ias_admin Password | Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 5.8, "Oracle Application Server Instances and Instance Names" for instance name details. Example: ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 5.9, "The ias_admin User and Restrictions on its Password" for restrictions on the password. Example: Click Next. |
| 8. | -- | Finish the installation. See Section 6.28, "Install Fragment: The Last Few Screens of the Installation" for details. |
Before performing the steps in this section, you must have installed Oracle Internet Directory on the first node as described in Section 12.6.3, "Installing Oracle Internet Directory on the First Node".
You do not need a staticports.ini file for this installation because the installer will configure this Oracle Internet Directory to use the same ports as the Oracle Internet Directory on the first node.
The Oracle Internet Directory on the first node must be up and running.
If you are setting up the second node as a failover to the first node, then you must select the same set of components in the Select Configuration Options screen for each installation. For example, if you select OracleAS Single Sign-On and Oracle Delegated Administration Services on the first node, you need to select them when installing on subsequent nodes.
Do not select the "Use only SSL connections with this Oracle Internet Directory" check box in the "Register with Oracle Internet Directory" screen.
To install Oracle Internet Directory on subsequent nodes, follow these steps:
Table 12-7 Steps for Installing Oracle Internet Directory in a Distributed OracleAS Cluster (Identity Management) on Subsequent Nodes
|  | Screen | Action |
|---|---|---|
| 1. | -- | Start up the installer and complete the first few screens. See Section 6.27, "Install Fragment: The First Few Screens of the Installation" for details. Notes: In the Select Installation Type screen, select Oracle Identity Management. |
| 2. | Select Configuration Options | Select Oracle Internet Directory. Do not select Oracle Application Server Single Sign-On. Do not select Oracle Application Server Delegated Administration Services. Select Oracle Application Server Directory Integration and Provisioning if you need this component. Do not select Oracle Application Server Certificate Authority (OCA). Select High Availability and Replication. Click Next. |
| 3. | Specify Port Configuration Options | Select Automatic. The installer configures Oracle Internet Directory to use the same ports as the Oracle Internet Directory on the first node. Click Next. |
| 4. | Specify Repository | Enter the same connect information that you entered for the first Oracle Internet Directory. Username: Enter the username to use to log in to the OracleAS Metadata Repository database. The user must have DBA privileges. Password: Enter the user's password. Hostname and Port: Enter the name of the computer where the database is running, and the port number at which it is listening. Use the format: Service Name: Enter the service name of the database. Note that the service name must include the database domain name. Example: Click Next. |
| 5. | Warning | This warning reminds you that you are installing this instance as part of an OracleAS Cluster (Identity Management), and that you need to synchronize the clocks on the nodes in the cluster. See Section 12.2.2, "Synchronize Clocks on All Nodes". Click OK. |
| 6. | Specify ODS Password | Enter the password for the ODS schema in the OracleAS Metadata Repository. The ODS schema is the main schema used by Oracle Internet Directory. By default, the ODS password is the same as the ias_admin password (the password that you entered in the Specify Instance Name and ias_admin Password screen). Click Next. |
| 7. | Specify Oracle Internet Directory Login | Username: Enter the username to log in to the first Oracle Internet Directory. You must log in as the Oracle Internet Directory superuser ( Password: Enter the password for the username. Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms. Click Next. |
| 8. | Specify Instance Name and ias_admin Password | Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 5.8, "Oracle Application Server Instances and Instance Names" for instance name details. Example: ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 5.9, "The ias_admin User and Restrictions on its Password" for restrictions on the password. Example: Click Next. |
You run the installer on each node separately to install these Oracle Identity Management components.
If you want to use custom ports for components other than Oracle HTTP Server, you need to create a staticports.ini file for this installation.
If you want custom ports for Oracle HTTP Server, you specify them in the "Specify HTTP Load Balancer Host and Listen Ports" screen.
If you specify Oracle HTTP Server ports both in the staticports.ini file and in the screen mentioned above, the ports specified in the screen take precedence.
To avoid specifying Oracle HTTP Server ports in the staticports.ini file, the staticports.ini file must not contain these lines:
```ini
Oracle HTTP Server port = port_num
Oracle HTTP Server Listen port = port_num
Oracle HTTP Server SSL port = port_num
Oracle HTTP Server Listen (SSL) port = port_num
```
If you have a staticports.ini file, you should also use the same file for installations on subsequent nodes.
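The two staticports.ini rules in this chapter (the Oracle Internet Directory port lines that Section 12.6.3.1 requires, and the Oracle HTTP Server port lines that this section says to leave out) can be checked before the installer is run. This is an added example, not Oracle code: the checker, its extra port-clash rule and the sample files are constructed here and assume the `key = port` line format shown above.

```python
"""Check a staticports.ini for an OracleAS Cluster (Identity Management) install.

Added example, not Oracle code. It assumes the 'key = port' line format shown
in the guide and checks the two rules the guide states: the Oracle Internet
Directory install needs the OID and OID (SSL) port lines, and the SSO/DAS
install must not carry Oracle HTTP Server port lines (those ports are entered
in the HTTP Load Balancer screen instead)."""
import re

OID_KEYS = ("Oracle Internet Directory port", "Oracle Internet Directory (SSL) port")
OHS_KEYS = ("Oracle HTTP Server port", "Oracle HTTP Server Listen port",
            "Oracle HTTP Server SSL port", "Oracle HTTP Server Listen (SSL) port")
_LINE = re.compile(r"^\s*(?P<key>[^=#;]+?)\s*=\s*(?P<port>\S+)\s*$")


def parse_staticports(text):
    """Return {key: port} for 'key = port' lines; raise on malformed lines or bad ports."""
    ports = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = _LINE.match(line)
        if not m:
            raise ValueError("line %d: not 'key = port': %r" % (lineno, raw))
        key, port = m.group("key"), m.group("port")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("line %d: invalid port %r for %s" % (lineno, port, key))
        if key in ports:
            raise ValueError("line %d: duplicate key %r" % (lineno, key))
        ports[key] = int(port)
    return ports


def check_staticports(text, install):
    """Return a list of problems (empty means the file is acceptable).
    install is 'oid' (Oracle Internet Directory on the first node) or
    'sso' (OracleAS Single Sign-On and Delegated Administration Services)."""
    ports = parse_staticports(text)
    problems = []
    if install == "oid":
        for key in OID_KEYS:
            if key not in ports:
                problems.append("missing line: %s = port_num" % key)
    elif install == "sso":
        for key in OHS_KEYS:
            if key in ports:
                problems.append("remove line: %s (set OHS ports in the HTTP Load Balancer screen)" % key)
    else:
        raise ValueError("install must be 'oid' or 'sso'")
    # Two components listening on the same port on one host would clash.
    seen = {}
    for key, port in ports.items():
        if port in seen:
            problems.append("port %d used by both %r and %r" % (port, seen[port], key))
        seen[port] = key
    return problems


# Constructed sample files (not from the guide) exercising both rules.
OID_SAMPLE = "Oracle Internet Directory port = 389\nOracle Internet Directory (SSL) port = 636\n"
SSO_SAMPLE = "Oracle HTTP Server port = 7777\nOracle Internet Directory port = 389\n"

if __name__ == "__main__":
    print(check_staticports(OID_SAMPLE, "oid"))  # []
    print(check_staticports(SSO_SAMPLE, "sso"))  # one 'remove line' problem
```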
Key Points
In the Specify OracleAS Cluster screen, for the first node, select Create a New Cluster. For the second node, select Join an Existing Cluster to join the cluster that you created when installing on the first node.
In the Specify HTTP Load Balancer Host and Ports screen, enter the name of the HTTP virtual server of the load balancer, and the associated port. You also enter the port number for Oracle HTTP Server on this screen.
Also in the Specify HTTP Load Balancer Host and Ports screen, you need to specify the same HTTP virtual server name and port number for all nodes. However, you can specify different port numbers for Oracle HTTP Server on each node, as long as your load balancer is configured to communicate with the specified port on that node.
Table 12-8 Steps for Installing Oracle Delegated Administration Services and OracleAS Single Sign-On in a Distributed OracleAS Cluster (Identity Management) Configuration
|  | Screen | Action |
|---|---|---|
| 1. | -- | Start up the installer and complete the first few screens. See Section 6.27, "Install Fragment: The First Few Screens of the Installation" for details. Notes: In the Select Installation Type screen, select Oracle Identity Management. |
| 2. | Select Configuration Options | Do not select Oracle Internet Directory. Select Oracle Application Server Single Sign-On. Select Oracle Application Server Delegated Administration Services. Select Oracle Application Server Directory Integration and Provisioning if you need this component. Do not select Oracle Application Server Certificate Authority (OCA). Select High Availability and Replication. Click Next. |
| 3. | Specify Port Configuration Options | Select Manual and enter the full path to your staticports.ini file in the provided field. You need to use a staticports.ini file for OracleAS Cluster (Identity Management) configurations. See Section 12.6.5.1, "Set up staticports.ini File". Click Next. |
| 4. | Select High Availability Option | Select OracleAS Cluster (Identity Management), and click Next. |
| 5. | Create or Join an OracleAS Cluster (Identity Management) | For the first node, select Create a New OracleAS Cluster. For subsequent nodes, select Join an Existing Cluster. Click Next. |
| 6. | Specify New OracleAS Cluster Name - or - Specify Existing OracleAS Cluster Name | For the first node, enter a name for a new OracleAS Cluster (Identity Management). Example: For subsequent nodes, enter the name of the existing OracleAS Cluster (Identity Management). Note: Be very sure that the cluster name you enter is correct. The installer does not perform any checks on this name. If the name is incorrect, the installation will fail. Click Next. |
| 7. | Specify LDAP Virtual Host and Ports | The installer will use the values on this screen to connect to Oracle Internet Directory. Hostname: Enter the LDAP virtual server name of the load balancer. Enter the same virtual server name that you configured on the load balancer. SSL Port: Enter the port configured on this load balancer to handle LDAP SSL connections. If the Oracle Internet Directory is configured for SSL only, select the Use only SSL connections with this LDAP Virtual Host option. Otherwise, enter the non-SSL port number for this load balancer in the Non-SSL Port field. Click Next. |
| 8. | Specify Oracle Internet Directory Login | Username: Enter the username to log in to Oracle Internet Directory, accessed through the load balancer host and port specified in the previous screen. Log in as the Oracle Internet Directory superuser ( Password: Enter the password for the username. Realm: Enter the realm against which to validate the username. This field appears only if your Oracle Internet Directory has multiple realms. Click Next. |
| 9. | Specify HTTP Load Balancer Host and Ports | See Section 12.4, "About Configuring SSL and Non-SSL Ports for Oracle HTTP Server" for details. The values entered on this screen should be the same for every node. HTTP Listener: Port: Enter the port number that you want Oracle HTTP Server to listen on. Enable SSL: Select this option if you want to configure Oracle HTTP Server for SSL on this port. HTTP Load Balancer: Hostname: Enter the name of the HTTP virtual server configured on your load balancer. Enter the same virtual server name that you configured on the load balancer. HTTP Load Balancer: Port: Enter the port for the HTTP virtual server. Enable SSL: Select this option if this port is for SSL communications only. Click Next. |
| 10. | Specify Instance Name and ias_admin Password | Instance Name: Enter a name for this infrastructure instance. Instance names can contain alphanumeric characters and the _ (underscore) character. If you have more than one Oracle Application Server instance on a computer, the instance names must be unique. See Section 5.8, "Oracle Application Server Instances and Instance Names" for instance name details. Example: ias_admin Password and Confirm Password: Set the password for the ias_admin user. This is the administrative user for the instance. See Section 5.9, "The ias_admin User and Restrictions on its Password" for restrictions on the password. Example: Click Next. |
| 11. | -- | Finish the installation. See Section 6.28, "Install Fragment: The Last Few Screens of the Installation" for details. |
You can cluster the instance after installation. See Section 12.5.5, "If the Cluster Configuration Assistant Failed" for details.
After installing Oracle Identity Management components on all nodes, reconfigure your load balancer to direct requests to all nodes. Before you started the installation, you had configured the load balancer to direct requests to node 1 only. See Section 12.2.4, "Configure Your LDAP Virtual Server".
The following configuration steps are needed only in the installation scenario described in Section 12.4.2, "Case 2: Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server".
In this case the oracle_sso_server entry in the targets.xml file, on each physical host of the cluster, must be reconfigured to monitor the local SSL port.
Note: The hostname must remain the same. Do not change the hostname.
Perform the following steps to update targets.xml on each node of the cluster:
1. Back up the targets.xml file:
```
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.BACKUP
```
2. Open the file and find the oracle_sso_server target type. Within this target entry, locate and edit the following two attributes:
   HTTPPort - the server SSL port number
   HTTPProtocol - the server protocol, which in this case is HTTPS
   For example, you could update the two attributes this way:
```xml
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
```
3. Save and close the file.
4. Reload the OracleAS console:
```
ORACLE_HOME/bin/emctl reload
```
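The targets.xml edit above is easy to get wrong when repeated on every node, so as an added example (not Oracle code) here is a script that makes the backup, rewrites only HTTPPort and HTTPProtocol on the oracle_sso_server target, and leaves the hostname alone. It assumes targets.xml consists of `<Target TYPE="..." NAME="...">` elements with `<Property NAME="..." VALUE="..."/>` children, and the `host` property name in the constructed sample is a placeholder; check the real file's layout before running it.

```python
"""Point the oracle_sso_server target in targets.xml at the local SSL port.

Added example, not Oracle code. It assumes targets.xml holds <Target TYPE="..."
NAME="..."> elements whose <Property NAME="..." VALUE="..."/> children carry
HTTPPort and HTTPProtocol, as in the guide's fragment; everything else in the
file is left untouched, and the host property is deliberately never changed."""
import shutil
import xml.etree.ElementTree as ET

SSO_TARGET_TYPE = "oracle_sso_server"


def set_sso_ssl_port(root, ssl_port):
    """Rewrite HTTPPort/HTTPProtocol on every oracle_sso_server target under root.
    Returns the number of targets updated; raises if none is found or a target
    lacks either property, so a silent no-op cannot go unnoticed."""
    if not 1 <= int(ssl_port) <= 65535:
        raise ValueError("invalid port: %r" % (ssl_port,))
    updated = 0
    for target in root.iter("Target"):
        if target.get("TYPE") != SSO_TARGET_TYPE:
            continue  # other monitored targets are not touched
        props = {p.get("NAME"): p for p in target.findall("Property")}
        for name in ("HTTPPort", "HTTPProtocol"):
            if name not in props:
                raise ValueError("target %r has no %s property" % (target.get("NAME"), name))
        props["HTTPPort"].set("VALUE", str(ssl_port))
        props["HTTPProtocol"].set("VALUE", "HTTPS")
        updated += 1
    if updated == 0:
        raise ValueError("no %s target found" % SSO_TARGET_TYPE)
    return updated


def update_sso_xml_text(xml_text, ssl_port):
    """Apply set_sso_ssl_port to an XML string and return the rewritten XML."""
    root = ET.fromstring(xml_text)
    set_sso_ssl_port(root, ssl_port)
    return ET.tostring(root, encoding="unicode")


def sso_target_settings(xml_text):
    """Return {target NAME: {property NAME: VALUE}} for the oracle_sso_server targets."""
    root = ET.fromstring(xml_text)
    return {t.get("NAME"): {p.get("NAME"): p.get("VALUE") for p in t.findall("Property")}
            for t in root.iter("Target") if t.get("TYPE") == SSO_TARGET_TYPE}


def update_targets_file(path, ssl_port):
    """Back up path to path.BACKUP, as the guide does, then rewrite it in place."""
    shutil.copyfile(path, path + ".BACKUP")
    tree = ET.parse(path)
    count = set_sso_ssl_port(tree.getroot(), ssl_port)
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return count


# Constructed sample (not a real targets.xml): one SSO target plus one unrelated target.
# The 'host' property name is a placeholder, not a real attribute name.
SAMPLE_TARGETS_XML = """<Targets>
  <Target TYPE="oracle_ias" NAME="ias1"><Property NAME="host" VALUE="node1.example.com"/></Target>
  <Target TYPE="oracle_sso_server" NAME="sso1">
    <Property NAME="host" VALUE="node1.example.com"/>
    <Property NAME="HTTPPort" VALUE="7777"/>
    <Property NAME="HTTPProtocol" VALUE="HTTP"/>
  </Target>
</Targets>"""

if __name__ == "__main__":
    print(sso_target_settings(update_sso_xml_text(SAMPLE_TARGETS_XML, 4443)))
```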
Pre-Installation
Before starting the middle-tier installation, configure the LDAP load balancer that you are using for Oracle Internet Directory so that it points to only one Oracle Internet Directory node.
Installation
When installing middle tiers against OracleAS Cluster (Identity Management) configurations, follow the steps described in Chapter 7, "Installing Middle Tiers".
When the installer prompts for the Oracle Internet Directory host and port, enter the LDAP virtual host name configured on the load balancer and the associated port.
Post-Installation
After installing the middle tiers, you can reconfigure the LDAP load balancer to point to all the Oracle Internet Directory nodes.