Oracle® Application Server Installation Guide
10g Release 2 (10.1.2) for Microsoft Windows
B14094-03

8 Configuring Oracle Internet Directory for Oracle Application Server Installation Privileges

When you install certain middle-tier or infrastructure components, the installer prompts you for a username to log in to Oracle Internet Directory. For the installation to complete successfully, this user must belong to certain groups in Oracle Internet Directory. The groups that are required depend on what you are installing.

By adding users to these groups, you delegate installations to ordinary directory users: nobody has to log in as the cn=orcladmin superuser to perform an installation.


8.1 Default Users in Oracle Internet Directory

When you install Oracle Internet Directory, it has two administrative users: cn=orcladmin and orcladmin.

  • cn=orcladmin is the Oracle Internet Directory superuser. It does not belong to any realm and has unrestricted privileges over the whole directory.

  • orcladmin is the administrator of the default realm. It is an ordinary user entry in the realm's users container (cn=orcladmin,cn=Users,<realm DN>), so a simple username of orcladmin resolves to this realm user, not to the superuser.

For more information on the cn=orcladmin and orcladmin users, see the Oracle Internet Directory Administrator's Guide.

8.2 Groups in Oracle Internet Directory

Groups in Oracle Internet Directory can be classified into these categories:

  • "Global" groups, which affect every instance and component registered with Oracle Internet Directory (Section 8.2.1)

  • Groups for each metadata repository (Section 8.2.2)

  • Groups for each component (Section 8.2.3)

8.2.1 "Global" Groups

Table 8-1 describes the groups that affect all Oracle Application Server instances and components registered with Oracle Internet Directory.

Table 8-1 "Global" Groups

Group | Description

IAS Admins

DN: cn=IASAdmins, cn=groups, cn=OracleContext

IAS Admins have the following privileges:

  • Install and register new metadata repositories. IAS Admins have no privileges to manage existing repositories already registered with Oracle Internet Directory.

  • Install middle tiers.

Trusted Application Admins

DN: cn=Trusted Application Admins, cn=groups, cn=OracleContext

To install Oracle Identity Management, OracleAS Portal, or OracleAS Wireless components, you must belong to several groups, one of which is the Trusted Application Admins group. Table 8-4 lists the required groups for each component.

IAS & User Management Application Admins

DN: cn=IAS & User Mgmt Application Admins, cn=groups, cn=OracleContext

To install OracleAS Portal or OracleAS Wireless, you must belong to several groups, one of which is the IAS & User Management Application Admins group. Table 8-4 lists the required groups for each component.


8.2.2 Groups for Each Metadata Repository

Each metadata repository registered with Oracle Internet Directory has its own groups, as described in Table 8-2. This enables you to assign different owners and users for each repository.

Table 8-2 Groups Associated with Each Metadata Repository Registered with Oracle Internet Directory

Group | Description

Repository Owners

DN: cn=Repository Owners, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext

The user who installs the metadata repository becomes a member of this group.

Repository Owners have the following privileges:

  • Add/remove users to/from this group.

  • De-register this repository.

  • Add/remove users to/from the Mid-Tier Admins group for this repository.

  • Add/remove middle-tier instances to/from this repository.

  • All privileges of the Mid-Tier Administrators group.

Mid-Tier Administrators

DN: cn=Repository Mid-tiers, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext

Mid-Tier Administrators have the following privileges:

  • Add/remove middle-tier instances from the Associated Middle Tiers group for this repository. This is required to install a middle tier or to configure a middle-tier component to use a different repository.

  • Access metadata for the repository database object.

Associated Middle Tiers

DN: cn=Associated Mid-tiers, orclReferenceName=dbName, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext

Members of this group are middle-tier instances associated with this metadata repository. The middle-tier instances are added to this group during installation. You do not have to add the instances manually to this group.

Members of this group have the following privilege:

  • Access metadata for the repository database object and its schemas.


8.2.3 Groups for Each Component

Oracle Application Server components also have groups in Oracle Internet Directory. Each component has a Component Owners group and an Associated Middle Tiers group, as described in Table 8-3.

Table 8-3 Groups Associated with Each Component

Group | Description

Component Owners

DN: cn=Component Owners, orclApplicationCommonName=componentCommonName, cn=componentName, cn=Products, cn=OracleContext

Component Owners have the following privileges:

  • Add/remove owners for this component.

  • De-register this component.

  • Associate additional middle tiers with this component.

Associated Middle Tiers

DN: cn=Associated Mid-tiers, orclApplicationCommonName=componentCommonName, cn=componentName, cn=Products, cn=OracleContext

Members of this group are middle-tier instances.


Figure 8-6 shows these groups for the Oracle Delegated Administration Services component.

8.3 Groups Required to Configure or Deinstall Components

Table 8-4 shows the groups that a user needs to belong to in order to configure or deinstall Oracle Application Server components.

The user who installs and configures the components becomes the owner of the components.

Table 8-4 Oracle Internet Directory Groups Required to Configure Components

To configure this component | User must be a member of ALL listed groups

Infrastructure Components


OracleAS Metadata Repository


To register OracleAS Metadata Repository against Oracle Internet Directory, you must log in to Oracle Internet Directory as a user who belongs to the iAS Admins group.

Oracle Internet Directory

In OracleAS Cluster (Identity Management) environments, to install subsequent Oracle Internet Directory instances after the first one, you must be the Oracle Internet Directory superuser (cn=orcladmin).

Oracle Delegated Administration Services

  • Trusted Application Admins

  • iAS Admins

  • Mid-Tier Admins group for the metadata repository used by OracleAS Single Sign-On

    If you are unsure which metadata repository is used by OracleAS Single Sign-On, see "To Determine the Metadata Repository Used by OracleAS Single Sign-On".

  • Component Owners for the Oracle Delegated Administration Services component

    Note: This is required only if you are installing multiple instances of Oracle Delegated Administration Services. When you are installing the second and subsequent instances, then you need to belong to the Component Owners group. You do not need to be a member when you install the first Oracle Delegated Administration Services instance.

    See Section 8.8.1, "Using Oracle Directory Manager to Add Users to Groups" for steps on how to add users to groups.

OracleAS Single Sign-On

You must install OracleAS Single Sign-On as the superuser (cn=orcladmin).

Oracle Directory Integration and Provisioning

  • iAS Admins

  • Trusted Application Admins

  • Admin for Oracle Directory Integration and Provisioning, which is identified by "cn=dipadmingrp,cn=odi,cn=oracle internet directory"

  • Mid-Tier Admins group for the metadata repository used by OracleAS Single Sign-On.

    If you are unsure which metadata repository is used by OracleAS Single Sign-On, see "To Determine the Metadata Repository Used by OracleAS Single Sign-On".

OCA, configured against an existing OracleAS Metadata Repository

  • Trusted Application Admins

  • iAS Admins

  • Repository Owners group for the existing metadata repository

OCA, configured against a new OracleAS Metadata Repository (that is, you are installing and configuring OCA and OracleAS Metadata Repository in the same installation session)

  • Trusted Application Admins

  • iAS Admins

J2EE and Web Cache Middle-tier Features


Oracle Identity Management Access only

  • iAS Admins

Oracle Identity Management Access and Farm Repository (Database-Based or File-Based)

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

Portal and Wireless, and Business Intelligence and Forms Middle-tier Components


OracleAS Portal

  • Trusted Application Admins

  • IAS & User Management Application Admins

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

  • Component Owners group for the OracleAS Portal component

    Note: This group is applicable only when you are installing additional OracleAS Portal instances. It does not apply for the first OracleAS Portal installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Portal, you have to add this user to the Component Owners group for the Portal application entity.

OracleAS Wireless

  • IAS & User Management Application Admins

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository

  • Component Owners group for the OracleAS Wireless component

    Note: This group is applicable only when you are installing additional OracleAS Wireless instances. It does not apply for the first OracleAS Wireless installation. For subsequent OracleAS Wireless installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Wireless, you have to add this user to the Component Owners group for the Wireless application entity.

  • In addition, the user must be one of the owners of the OracleAS Wireless application entity. To determine the name of the OracleAS Wireless application entity, run the following command from the first OracleAS Wireless installation:

    prompt> ORACLE_HOME\wireless\bin\getAppEntityName.bat
    
    

    Then add the user as a component owner for this application entity. You can do this using the Deployment Delegation Console or the Oracle Directory Manager.

OracleAS Reports Services, OracleAS Forms Services, OracleAS Personalization, OracleBI Discoverer

  • iAS Admins

  • Mid-Tier Admins or Repository Owners group for the metadata repository


To Determine the Metadata Repository Used by OracleAS Single Sign-On

  1. Run the following command (all on one line):

    C:\> ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
     -b "orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,
          cn=oraclecontext"
     -s base "objectclass=*" seealso
    
    

    Values you need to provide:

    oidhostname - name of the computer running Oracle Internet Directory. Example: dbmachine.mydomain.com.

    oidport - port number on which Oracle Internet Directory is listening. Example: 389.

    password - password for the cn=orcladmin user.

  2. If the command in the preceding step does not return the name of the metadata repository, then run the following commands:

    1. Run this command first to get the "orclreplicaid" value, which you need for the next command.

      C:\> ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
       -b "" -s base "objectclass=*" orclreplicaid
      
      
    2. Then run this command.

      C:\> ldapsearch -h oidhostname -p oidport -D cn=orcladmin -w password
       -b "orclreplicaid=value_from_previous_command,cn=replication configuration"
       -s base "objectclass=*" seealso
      
      

      This returns a "seealso" value in the format: cn=Metadata repository DB Name,cn=oraclecontext.
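Both the Table 8-4 lookup and the seealso query above can be scripted so that the membership gap is known before the installer prompts for a login. The following Python example is added here and is not part of the Oracle documentation. It works offline on saved ldapsearch output in LDIF form (attribute: value lines), and the embedded samples are constructed: the user DN cn=userA,cn=Users,dc=example,dc=com is made up, and the search for the user's groups, ldapsearch ... -b cn=oraclecontext -s sub "(uniquemember=<userDN>)" dn, is the editor's assumed way of listing memberships, not a command from this chapter.

```python
"""Added example: check an Oracle Internet Directory user's group memberships
against the Table 8-4 requirements before running the installer.

Works offline on saved ldapsearch output in LDIF form ('attribute: value').
The user DN and repository name in the samples are constructed.
"""
import base64
import re

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_entries(text):
    """Parse LDIF-style ldapsearch output into a list of {attr: [values]} dicts.

    Entries are separated by blank lines; continuation lines start with one
    space (RFC 2849 folding); 'attr:: value' carries a base64-encoded value.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, marker, value = m.group(1).lower(), m.group(2), m.group(3)
        if marker == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators so DNs compare
    by value. Assumes no escaped commas inside values, true for every DN here."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def sso_repository_db(entries):
    """Return the metadata repository DB name referenced by the 'seealso'
    attribute of the orasso_ssoserver entry (cn=<dbName>,cn=oraclecontext)."""
    for entry in entries:
        for value in entry.get("seealso", []):
            attr, _, val = value.split(",", 1)[0].partition("=")
            if attr.strip().lower() == "cn" and val.strip():
                return val.strip()
    return None


GLOBAL = "cn=groups,cn=oraclecontext"
REPO = ("orclreferencename={db},cn=ias infrastructure databases,"
        "cn=ias,cn=products,cn=oraclecontext")
IAS_ADMINS = f"cn=iasadmins,{GLOBAL}"
TRUSTED = f"cn=trusted application admins,{GLOBAL}"
IAS_UM = f"cn=ias & user mgmt application admins,{GLOBAL}"
MIDTIER = f"cn=repository mid-tiers,{REPO}"
OWNERS = f"cn=repository owners,{REPO}"

# Table 8-4, first-instance cases only. Each requirement is a tuple of
# acceptable groups; membership in any one of them satisfies it.
REQUIRED = {
    "J2EE and Web Cache, Identity Management access only": [(IAS_ADMINS,)],
    "J2EE and Web Cache, with farm repository": [(IAS_ADMINS,), (MIDTIER, OWNERS)],
    "Oracle Delegated Administration Services": [(TRUSTED,), (IAS_ADMINS,), (MIDTIER,)],
    "OracleAS Portal": [(TRUSTED,), (IAS_UM,), (IAS_ADMINS,), (MIDTIER, OWNERS)],
    "OracleAS Wireless": [(IAS_UM,), (IAS_ADMINS,), (MIDTIER, OWNERS)],
    "Reports, Forms, Personalization, Discoverer": [(IAS_ADMINS,), (MIDTIER, OWNERS)],
}


def missing_groups(component, member_of, db):
    """Return the unmet requirements as lists of acceptable (normalized) DNs.
    db is the repository the install will use; for DAS that is the SSO one."""
    have = {normalize_dn(dn) for dn in member_of}
    unmet = []
    for alternatives in REQUIRED[component]:
        wanted = [normalize_dn(a.format(db=db)) for a in alternatives]
        if not any(w in have for w in wanted):
            unmet.append(wanted)
    return unmet


def check(component, user_groups_output, sso_output):
    """(SSO repository DB name, unmet requirements) for one component."""
    db = sso_repository_db(parse_entries(sso_output))
    member_of = [e["dn"][0] for e in parse_entries(user_groups_output) if "dn" in e]
    return db, missing_groups(component, member_of, db)


# Constructed sample: step 1 of "To Determine the Metadata Repository Used by
# OracleAS Single Sign-On", saved in LDIF form.
SSO_SEARCH_OUTPUT = """\
dn: orclapplicationcommonname=orasso_ssoserver,cn=sso,cn=products,cn=oraclecontext
seealso: cn=orcl.oracle.com,cn=oraclecontext
"""

# Constructed sample: groups listing the made-up user as a uniquemember, e.g.
#   ldapsearch ... -b cn=oraclecontext -s sub
#     "(uniquemember=cn=userA,cn=Users,dc=example,dc=com)" dn
# The second DN is folded mid-word, as LDIF writers are allowed to do.
USER_GROUPS_OUTPUT = """\
dn: cn=IASAdmins,cn=Groups,cn=OracleContext

dn: cn=Repository Mid-tiers,orclReferenceName=orcl.oracle.com,cn=IAS Infrastructur
 e Databases,cn=IAS,cn=Products,cn=OracleContext
"""

if __name__ == "__main__":
    db, unmet = check("OracleAS Portal", USER_GROUPS_OUTPUT, SSO_SEARCH_OUTPUT)
    print(f"SSO metadata repository: {db}")
    if not unmet:
        print("user meets every Table 8-4 requirement for this component")
    for alternatives in unmet:
        print("missing; needs one of:", " | ".join(alternatives))
```

Run against real output, the script tells you which groups to grant before the installer fails its privilege check, and keeps cn=orcladmin out of the install itself. The sample user, holding only IAS Admins and Mid-Tier Admins for orcl.oracle.com, passes for a J2EE and Web Cache install but lacks Trusted Application Admins and IAS & User Management Application Admins for OracleAS Portal.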

8.4 Groups Required to Install Middle Tiers

When you install middle tiers, the installer prompts you to log in to Oracle Internet Directory. Log in as a user who is a member of these groups:

8.4.1 Groups Required to Install Against the Desired Metadata Repository

To install middle tiers against a metadata repository, the user must belong to these groups:

  • IAS Admins group

  • Mid-Tier Admins group for the metadata repository to be used with the middle tier. When the installer prompts for the OracleAS Metadata Repository to use with this middle tier, the installer displays only the metadata repositories for which the user is a mid-tier admin. For example, in Figure 8-2, userA can see only the repository for orcl.oracle.com, and userB can see only the repository for orcl1.oracle.com.

8.4.2 Groups Required to Install Middle-tier Components

To install middle-tier components, such as OracleAS Portal and OracleAS Wireless, the user must belong to additional groups. See Table 8-4 for a list of components and required groups.

8.4.3 Example

Figure 8-1 shows an Oracle Internet Directory with one metadata repository and one middle-tier instance. userA can install middle tiers against the orcl metadata repository because userA belongs to the Mid-Tier Admins and the IAS Admins groups. userA can also install middle-tier components because userA belongs to the Trusted Application Admins group, the IAS & User Management Application Admins group, and the Component Owners group for Wireless.

Figure 8-1 Contents of Oracle Internet Directory with One Infrastructure and One Middle Tier


8.5 Groups Required to Install Additional Metadata Repositories

To install additional metadata repositories, a user must be a member of the IAS Admins group. After installation, the user then becomes a member of the Repository Owners group for that metadata repository.

8.6 Example of Installation with Different Users

Figure 8-2 shows an Oracle Internet Directory with two metadata repositories and two middle tiers installed by different users.

Figure 8-2 Oracle Internet Directory with Two Metadata Repositories and Two Middle Tiers


The numbers in the figure correspond to these steps:

1. Install OracleAS Infrastructure (including Oracle Internet Directory and OracleAS Metadata Repository)

This first installation creates an Oracle Internet Directory and a metadata repository.

The installer registers the metadata repository with Oracle Internet Directory by creating the "orcl.oracle.com" entry.

The orcladmin user becomes a member of the Repository Owners group and the Mid-Tier Admins group for this repository.

2. Install J2EE and Web Cache Middle Tier

userA was added to the following groups so that userA could perform this installation (see Section 8.4.1, "Groups Required to Install Against the Desired Metadata Repository"):

  • IAS Admins

  • Mid-Tier Admins group for "orcl.oracle.com"

The installer registers this middle tier with Oracle Internet Directory by creating the "J2EE" entry. (The "J2EE" is the name of the middle-tier instance, specified by userA.)

The middle tier becomes a member of the Associated Mid-Tiers group for "orcl.oracle.com".

3. Install OracleAS Infrastructure (OracleAS Metadata Repository only)

userB was added to the iAS Admins group so that userB can perform this installation. See Section 8.5, "Groups Required to Install Additional Metadata Repositories".

The installer registers this new repository with Oracle Internet Directory by creating the "orcl1.oracle.com" entry.

userB becomes a member of the Repository Owners group and the Mid-Tier Admins group for the new repository.

4. Install Portal and Wireless Middle Tier

userB was added to these groups, which Table 8-4 requires for OracleAS Portal and OracleAS Wireless:

  • Trusted Application Admins

  • IAS & User Management Application Admins

userB already belonged to the iAS Admins group and, as a result of step 3, to the Repository Owners and Mid-Tier Admins groups for "orcl1.oracle.com".

The installer registers this middle tier with Oracle Internet Directory by creating the "PW1" entry.

The middle tier becomes a member of the Associated Mid-Tiers group for "orcl1.oracle.com".

8.7 How to Create Users in Oracle Internet Directory

You can create users in Oracle Internet Directory using the Self-Service Console, which is part of the Oracle Delegated Administration Services. See the Oracle Internet Directory Administrator's Guide for details.


Note:

You cannot connect to Oracle Internet Directory as the cn=orcladmin superuser using the Oracle Delegated Administration Services consoles. To connect to Oracle Internet Directory as the superuser, use Oracle Directory Manager.

8.8 How to Add Users to Groups in Oracle Internet Directory

To add users to groups in Oracle Internet Directory, you can use these tools:

  • Oracle Directory Manager (Section 8.8.1)

  • The Deployment Delegation Console, which is part of Oracle Delegated Administration Services (Section 8.8.2)

8.8.1 Using Oracle Directory Manager to Add Users to Groups

When you have to log in as the cn=orcladmin superuser to add users to groups, you have to use Oracle Directory Manager, instead of Oracle Delegated Administration Services.

To add users using Oracle Directory Manager:

  1. Start Oracle Directory Manager from the Oracle home in which Oracle Internet Directory is installed:

    Select Start > Programs > Oracle - OracleHomeName > Integrated Management Tools > Oracle Directory Manager.

  2. In the Oracle Directory Manager Connect screen, enter the connect information for Oracle Internet Directory:

    • User: Enter cn=orcladmin.

    • Password: Enter the password for cn=orcladmin.

    • Server and Port: Click the icon at the right of the field to enter the name of the computer running Oracle Internet Directory and the port number on which Oracle Internet Directory is listening.

    • Click Login.

  3. On the left side, navigate to the group to which you want to add users. Select the group on the left side to display its attributes on the right side.

    To navigate to "global" groups, see Section 8.8.1.1, "Navigating to "Global" Groups".

    To navigate to metadata repository groups, see Section 8.8.1.2, "Navigating to Metadata Repository Groups".

    To navigate to component groups, see Section 8.8.1.3, "Navigating to Component Groups".

  4. Add new users to the group by adding the DNs of the users to the uniquemember attribute.
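Step 4 is the substance of the whole procedure: the privilege groups are ordinary LDAP group entries and membership is the uniquemember attribute, so the same change can be made with ldapmodify from an LDIF file, which is easier to review and repeat than clicking through Oracle Directory Manager. The Python example below is added here and is not part of the Oracle documentation. It builds the group DNs of Tables 8-1 to 8-3 with RFC 4514 escaping of the variable parts and emits the LDIF change record; the user DN cn=userA,cn=Users,dc=example,dc=com, the database name and the component names it uses are made up.

```python
"""Added example: build the DN of an Oracle Internet Directory privilege group
(Tables 8-1 to 8-3) and emit the LDIF change record that adds a user's DN to
its uniquemember attribute, for ldapmodify -f instead of Oracle Directory Manager.

The user DN, database name and component names used below are made up.
"""

ORACLE_CONTEXT = "cn=OracleContext"
SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so characters in a dbName or
    component name cannot be read as DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def global_group_dn(cn):
    """Table 8-1: cn=<group>,cn=Groups,cn=OracleContext"""
    return f"cn={escape_rdn_value(cn)},cn=Groups,{ORACLE_CONTEXT}"


def repository_group_dn(cn, db_name):
    """Table 8-2: groups scoped to one registered metadata repository."""
    return (f"cn={escape_rdn_value(cn)},orclReferenceName={escape_rdn_value(db_name)},"
            f"cn=IAS Infrastructure Databases,cn=IAS,cn=Products,{ORACLE_CONTEXT}")


def component_group_dn(cn, component_name, component_common_name):
    """Table 8-3: groups scoped to one component instance."""
    return (f"cn={escape_rdn_value(cn)},"
            f"orclApplicationCommonName={escape_rdn_value(component_common_name)},"
            f"cn={escape_rdn_value(component_name)},cn=Products,{ORACLE_CONTEXT}")


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def add_member_ldif(group_dn, user_dn):
    """One LDIF change record: modify <group_dn>, add uniquemember <user_dn>.
    The server answers attributeOrValueExists if the user is already a member,
    so re-running the record is harmless but not silently idempotent."""
    record = [
        f"dn: {group_dn}",
        "changetype: modify",
        "add: uniquemember",
        f"uniquemember: {user_dn}",
        "-",
    ]
    return "\n".join(fold(line) for line in record) + "\n"


if __name__ == "__main__":
    user = "cn=userA,cn=Users,dc=example,dc=com"   # made-up user DN
    # Least privilege for a middle-tier install: Mid-Tier Admins, not Repository
    # Owners, which would also allow de-registering the repository (Table 8-2).
    grants = [
        global_group_dn("IASAdmins"),
        repository_group_dn("Repository Mid-tiers", "orcl.oracle.com"),
    ]
    print("\n".join(add_member_ldif(g, user) for g in grants), end="")
```

Feed the output to ldapmodify with -h, -p, -D cn=orcladmin and -f. The ldapsearch examples in this chapter pass the bind password on the command line with -w; on a shared host that exposes it in the process list and shell history, so prefer whichever prompt or password-file option your ldapmodify build offers. Note also that Repository Owners implies every Mid-Tier Administrator privilege plus de-registration rights (Table 8-2), so for a middle-tier install grant Repository Mid-tiers, as the example does.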

8.8.1.1 Navigating to "Global" Groups

The "global" groups are listed in Table 8-1.

The general navigation path is as follows. See Figure 8-3 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand the following entries: Entry Management > cn=OracleContext > cn=Groups.

  4. Click the group to which you want to add users. Figure 8-3 shows Oracle Directory Manager with the iASAdmins group selected.

Figure 8-3 Using Oracle Directory Manager to Add Users to "Global" Groups


8.8.1.2 Navigating to Metadata Repository Groups

The metadata repository groups are listed in Table 8-2.

The general navigation path is as follows. See Figure 8-4 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand the following entries: Entry Management > cn=OracleContext > cn=Products > cn=IAS > cn=IAS Infrastructure Databases > orclReferenceName=dbName, where dbName is the name of the OracleAS Metadata Repository database.

  4. Click the group to which you want to add users. Figure 8-4 shows Oracle Directory Manager with the Repository Owners group for the orcl.us.oracle.com database selected.

Figure 8-4 Using Oracle Directory Manager to Add Users to Metadata Repository Groups


8.8.1.3 Navigating to Component Groups

The component groups are listed in Table 8-3.

The general navigation path is as follows. See Figure 8-5 for a screenshot.

  1. Expand the top-level entry, "Oracle Internet Directory Servers".

  2. Expand the specific Oracle Internet Directory.

  3. Expand the following entries: Entry Management > cn=OracleContext > cn=Products.

  4. Expand the particular component (for example, cn=DAS) whose groups you want to add users to.

  5. Expand orclApplicationCommonName=appName, where appName is specific to the component and application server instance. If you have installed multiple instances of a component, you would see multiple instances of this entry.

  6. Click the group to which you want to add users. Figure 8-5 shows Oracle Directory Manager with the Component Owners group for Oracle Delegated Administration Services selected.

Figure 8-5 Using Oracle Directory Manager to Add Users to the Component Users Group for the Oracle Delegated Administration Services Component


8.8.2 Using Deployment Delegation Console to Add Users to Groups

Using the Deployment Delegation Console, which is installed as part of Oracle Delegated Administration Services, you can add users to or remove users from the following groups:

  • Repository Owners

  • Mid-Tier Administrators

  • Component Owners


Note:

You can add users to these groups only if these groups have existing members other than the cn=orcladmin superuser. If the only member of these groups is the superuser, then you have to use Oracle Directory Manager to add users to these groups. See Section 8.8.1, "Using Oracle Directory Manager to Add Users to Groups".

To add users to these groups:

  1. Ensure that the Oracle Delegated Administration Services and Oracle Internet Directory are running.

  2. Display the Deployment Delegation Console page. The URL is:

    http://hostname:port/oiddas/ui/oidinstallhome
    
    

    hostname specifies the name of the computer where you installed Oracle Delegated Administration Services.

    port specifies the port on which Oracle HTTP Server is listening.

  3. Click Login.

  4. Enter a username and password to log in to Oracle Internet Directory, and click Login. The login user must have sufficient privileges to allow you to add users to the desired group:

    To add users to this group:    Log in as a user who belongs to:
    Repository Owners              the same Repository Owners group
    Mid-Tier Administrators        the Repository Owners group for the same repository
    Component Owners               the same Component Owners group

  5. Perform the steps to add the user to the desired group:

    To add the user to the Repository Owners group:

    1. Click the Repository tab.

      This displays all the metadata repositories for which you are an owner.

    2. Select the metadata repository to which you want to add a user, and click Manage Owners.

    3. On the page that displays the current owners, click Add.

    4. Enter the first few characters of the user's name in the Search field and click Go. If you leave the Search field empty and click Go, you get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Repository Owners group and click Select.

    6. Click Submit on the Manage Repository Owners page.

    To add the user to the Mid-Tier Administrators group:

    1. Click the Repository tab.

      This displays all the metadata repositories for which you are an owner.

    2. Select the metadata repository to which you want to add a user, and click Manage Administrators.

    3. On the page that displays the current administrators, click Add.

    4. Enter the first few characters of the user's name in the Search field and click Go. If you leave the Search field empty and click Go, you get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Mid-Tier Administrators group and click Select.

    6. Click Submit on the Manage Administrators page.

    To add the user to the Component Owners group:

    1. Click the Components tab.

      This displays all the components for which you are an owner.

    2. Select the component to which you want to add a user, and click Manage Owners.

    3. On the page that displays the current component owners, click Add.

    4. Enter the first few characters of the user's name in the Search field and click Go. If you leave the Search field empty and click Go, you get a list of all users in Oracle Internet Directory.

    5. Select the user that you want to add to the Component Owners group and click Select.

    6. Click Submit on the Manage Component Owners page.


8.9 Contents of a New Oracle Internet Directory

When you install OracleAS Infrastructure with Oracle Internet Directory, OracleAS Metadata Repository, and Oracle Delegated Administration Services, the Oracle Internet Directory contains the following objects (Figure 8-6):

Figure 8-6 Contents of a New Oracle Internet Directory


8.10 On the Specify Login for Oracle Internet Directory Screen, What Username and Realm Do I Enter?

The installer displays the Specify Login for Oracle Internet Directory screen, which prompts you to enter a username and password to log in to Oracle Internet Directory.

Username

In the Username field, enter either the simple username or the user's DN.

Simple username example: jdoe

DN example: cn=orcladmin

The user must belong to specific groups for installing and configuring certain components. See Table 8-4 for details.

If you want to specify the superuser, enter cn=orcladmin, not just orcladmin.

Realm

The Realm field appears only if your Oracle Internet Directory contains more than one realm. The username that you enter is authenticated against the specified realm. If you are unsure what the realm name is, contact your Oracle Internet Directory administrator.

Example 1: in a hosted deployment, the realm name could be similar to the name of the hosted company: XYZCorp.

Example 2: within an enterprise, you could have separate realms for internal users and external users. The realm name for the external users could be externalUsers.