Oracle® Application Server High Availability Guide
10g Release 2 (10.1.2)
B14003-05

12 Deploying Identity Management with Multimaster Replication

This chapter provides high-level instructions for installing Oracle Identity Management components with Oracle Internet Directory multimaster replication. This chapter assumes that you are familiar with Oracle Application Server components, including: Oracle Internet Directory, OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration and Provisioning. You should also be familiar with Oracle Internet Directory replication concepts.

You might find the following documentation pointers useful:

  • Running a replicated Oracle Internet Directory: see the "Oracle Internet Directory Replication Administration" chapter in the Oracle Internet Directory Administrator's Guide.

  • Deploying Oracle Identity Management with fan-out replication: see the Oracle Identity Management Concepts and Deployment Planning Guide.

  • Using Oracle Directory Integration and Provisioning with Oracle Internet Directory: see the Oracle Identity Management Integration Guide.

  • Using Oracle Delegated Administration Services with Oracle Internet Directory: see the Oracle Identity Management Guide to Delegated Administration.

Keep the following points in mind when using the command-line tools mentioned in this chapter:

This chapter contains the following sections:

  • Section 12.1, "Multimaster Identity Management Replication Configuration"

  • Section 12.2, "Adding a Node to a Multimaster Replication Group"

  • Section 12.3, "Deleting a Node from a Multimaster Replication Group"

12.1 Multimaster Identity Management Replication Configuration

In Figure 12-1, the Oracle Identity Management master node includes Host 1 and Host 2. OracleAS Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 1. OracleAS Single Sign-On and Oracle Delegated Administration Services are installed on Host 2.

Similarly, the Oracle Identity Management replica node includes Host 3 and Host 4. OracleAS Metadata Repository, Oracle Internet Directory, and Oracle Directory Integration and Provisioning are installed on Host 3. OracleAS Single Sign-On and Oracle Delegated Administration Services are installed on Host 4.

Figure 12-1 Multimaster Replication Configuration with Two Hosts Per Node

Figure described in text.

12.1.1 Master Node Installation

Install Oracle Internet Directory and Oracle Directory Integration and Provisioning on the master node as follows:

  • In the Oracle Application Server installer on Host 1: select Identity Management and Metadata Repository in the Select Installation Type screen, and select Oracle Internet Directory and Oracle Directory Integration and Provisioning in the Select Configuration Options screen. This chapter refers to this Oracle home on Host 1 as the MASTER_HOME.

  • Do not install any other Identity Management components such as OracleAS Single Sign-On or Oracle Delegated Administration Services on Host 1.

12.1.2 Replica Node Installation

Install Oracle Internet Directory with OracleAS Metadata Repository on the replica node as follows:

  • In the Oracle Application Server installer on Host 3:

    Select Identity Management and Metadata Repository in the Select Installation Type screen.

    Select Oracle Internet Directory, Oracle Directory Integration and Provisioning, and High Availability and Replication in the Select Configuration Options screen.

    This chapter refers to this Oracle home on Host 3 as the REPLICA_HOME. This Oracle home will have only Oracle Internet Directory with OracleAS Metadata Repository and Oracle Directory Integration and Provisioning. The OracleAS Metadata Repository database should have a unique global database name.

  • Do not install any other Oracle Identity Management components, such as OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 3.


Note:

When installing the replica, be sure to select High Availability and Replication in the Select Configuration Options screen so that the installer will prompt you for the replication type. It will ask you to select ASR Replica or LDAP Replica. Select ASR Replica.

12.1.3 Multimaster Replication Setup

Use the following procedure to set up replication between the master node and the replica node.

  1. Perform the following tasks in the Oracle Internet Directory Administrator's Guide (available in the Oracle Application Server documentation set) to set up the master and the replica nodes for replication. The tasks are in Chapter 25, "Oracle Internet Directory Replication Administration", section "Installing and Configuring a Multimaster Replication Group":

    Task 3: Set Up Oracle Database Advanced Replication for a Directory Replication Group

    Task 5: Ensure that Oracle Directory Server Instances Are Started on All the Nodes

    Task 6: Start the Replication Servers on All Nodes in the DRG

    Task 7: Test Directory Replication


  2. A workaround is required for release 10g (10.1.2).

    On the master node (node 2), run this command:

    -- "password" is a placeholder for the REPADMIN password. If you omit it,
    -- SQL*Plus prompts for it, so it does not appear in the process list.
    sqlplus REPADMIN/password

    -- In SQL*Plus, "exec" is a single-line command, so a call spread over
    -- several lines must be wrapped in a PL/SQL block and run with "/".
    BEGIN
      DBMS_REPCAT.DROP_MASTER_REPOBJECT(
        sname        => 'ORASSO',
        oname        => 'WWSEC_PERSON$',
        type         => 'TABLE',
        drop_objects => FALSE);
    END;
    /

    On each node in the replication group, run this command:

    sqlplus "/ as sysdba"
    delete from orasso.wwsec_person$ where user_name not like '%PUBLIC';
    commit;

See Also:

Replication information in the Oracle Internet Directory Administrator's Guide

12.1.4 Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Master Node

Install OracleAS Single Sign-On and Oracle Delegated Administration Services as follows:

  1. On Host 2, install OracleAS Single Sign-On and Oracle Delegated Administration Services so that those components use the OracleAS Metadata Repository and Oracle Internet Directory on Host 1. To do that, make the following selections in the installation screens:

    a. Specify File Locations - enter the destination directory where you want to install OracleAS Single Sign-On and Oracle Delegated Administration Services.

    b. Select a Product to Install - select Oracle Application Server Infrastructure.

    c. Select Installation Type - select Identity Management.

    d. Confirm Pre-Installation Requirements - verify that you meet the requirements and select all the checkboxes.

    e. Select Configuration Options - select OracleAS Single Sign-On, Oracle Delegated Administration Services, and High Availability and Replication.

    f. Specify Port Configuration Options - select Automatic.

    g. Select High Availability Option - select OracleAS Cluster (Identity Management).

    h. Create or Join an Oracle Application Server Cluster (Identity Management) - select Create a New Oracle Application Server Cluster.

    i. Specify New Oracle Application Server Cluster Name - enter a name for the new cluster.

    j. Specify LDAP Virtual Host and Ports - enter the physical hostname of Host 1 (not the virtual name configured on the load balancer), and the necessary ports for Oracle Internet Directory.

    k. Specify Oracle Internet Directory Login - enter the login and password for Oracle Internet Directory.

    l. Specify HTTP Listen Port, Load Balancer Host and Port - enter the port number that you want to use for Oracle HTTP Server in HTTP Listener Port. In HTTP Load Balancer Hostname and Port, enter the HTTP virtual hostname configured on the load balancer and the port number configured for the virtual hostname.

    m. Specify Instance Name and ias_admin Password - enter a name for this Oracle Application Server instance, and the password for the ias_admin user.

  2. Repeat this procedure to install additional OracleAS Single Sign-On and Oracle Delegated Administration Services instances, as needed.


    Note:

    You can place OracleAS Single Sign-On and Oracle Delegated Administration Services instances in the same cluster only if all the instances in the cluster use the same OracleAS Metadata Repository. For example, in Figure 12-1, you cannot place the instances on Host 2 and Host 4 in the same cluster because they use different OracleAS Metadata Repositories. But if you install another OracleAS Single Sign-On and Oracle Delegated Administration Services instance, and set it to use the OracleAS Metadata Repository on Host 1, you can cluster it with the instance on Host 2.

12.1.5 Synchronizing the OracleAS Single Sign-On Schema Password

To synchronize the OracleAS Single Sign-On schema password between the master Metadata Repository database (MDS) and the replica Metadata Repository database (RMS), follow the steps in the following section:

Book: Oracle Application Server Single Sign-On Administrator's Guide (available in the Oracle Application Server documentation set)

Chapter 9, "Advanced Deployment Options"

Section "Configuring the Identity Management Database for Replication"

Step: Perform step 2.

Whenever you add a new Oracle Application Server Single Sign-On and Oracle Delegated Administration Services replica, you must first perform this step from the master Oracle home on the replica to synchronize the Oracle Application Server Single Sign-On schema password with the OracleAS Metadata Repository.


Note:

If you encounter errors, the OracleAS Metadata Repository might be misconfigured. Either the MDS or RMS might not have the correct database information, as used by OracleAS Single Sign-On.

12.1.6 Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node

Install OracleAS Single Sign-On and Oracle Delegated Administration Services on the replica node as follows:

  1. On Host 4, install OracleAS Single Sign-On and Oracle Delegated Administration Services so that those components use the Metadata Repository and Oracle Internet Directory on the replica node (Host 3). To do this, follow the screen sequence shown in step 1 of Section 12.1.4, with the following differences:

    • In step h, you also create a new cluster. You cannot join this instance (on Host 4) with the instance on Host 2 in the same cluster because the instances use different OracleAS Metadata Repositories.

    • In step j, enter the physical hostname for Host 3 instead of Host 1, because you want OracleAS Single Sign-On and Oracle Delegated Administration Services to use the Oracle Internet Directory running on Host 3.

  2. Synchronize the mod_osso configuration from the master middle tier, as described in the following section:

    Book: Oracle Application Server Single Sign-On Administrator's Guide (available in the Oracle Application Server documentation set)

    Chapter 9, "Advanced Deployment Options"

    Section "Configuration Steps"

    Step: Reregister mod_osso on the single sign-on middle tiers

  3. Repeat this procedure to install additional OracleAS Single Sign-On and Oracle Delegated Administration Services instances, as needed.

12.1.7 Oracle Directory Integration and Provisioning Event Propagation in a Multimaster Scenario

Oracle Directory Integration and Provisioning supports high availability in an Oracle Internet Directory multimaster replicated scenario, with certain drawbacks. In this high availability scenario, when changes are applied to Oracle Internet Directory on one node, the changes get propagated to the other consumer nodes. The Oracle Directory Integration and Provisioning server running on each node is responsible for event propagation to the configured applications on that node. That is, the applications that have provisioning profiles on that Oracle Internet Directory node will be informed of the changes happening on that Oracle Internet Directory node.

12.1.8 Load Balancer Configuration in a Multimaster Replication Scenario

Figure 12-1 shows two load balancers: one for HTTP requests and one for LDAP requests. Note the following points when you configure these load balancers:

  • The LDAP load balancer does not accept requests from OracleAS Single Sign-On and Oracle Delegated Administration Services.

    OracleAS Single Sign-On and Oracle Delegated Administration Services should not use the LDAP load balancer because they need to send requests only to the Oracle Internet Directory in the same "stack", where a stack consists of OracleAS Single Sign-On and its corresponding Oracle Internet Directory. You associated this OracleAS Single Sign-On with its Oracle Internet Directory during installation (see step 1(j) in Section 12.1.4).

    For example, in Figure 12-1, OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 2 and the Oracle Internet Directory on Host 1 make up one stack, and OracleAS Single Sign-On and Oracle Delegated Administration Services on Host 4 and the Oracle Internet Directory on Host 3 make up another stack.

  • All other LDAP requests (other than the ones from OracleAS Single Sign-On / Oracle Delegated Administration Services) should go through the LDAP load balancer. For example, requests from OracleAS Portal should go through the LDAP load balancer.

  • The HTTP load balancer should monitor both the OracleAS Single Sign-On servers and the Oracle Internet Directory servers on all nodes. It needs to do this so that it can ensure that the HTTP and LDAP requests are routed to the same "stack". For example, if the Oracle Internet Directory on Host 1 is down, then the HTTP load balancer should route HTTP requests only to the OracleAS Single Sign-On server on Host 4 because its Oracle Internet Directory server on Host 3 is up.

  • The HTTP load balancer should be configured for persistent routing of HTTP requests.

For details on deploying applications in a replicated environment, see section 3.3.2.7, "Application Deployments in Replicated Directory Environments", in the Oracle Identity Management Concepts and Deployment Planning Guide.
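The same-stack rule above can be expressed as a load-balancer health check. The following shell script is an added example, not code from the Oracle guide: it treats an OracleAS Single Sign-On server as routable only while the Oracle Internet Directory server of its own stack also answers. The host names, ports and the use of nc(1) as the probe are assumptions.

```shell
# Added example (not from the Oracle guide). A "stack" is one SSO/DAS host plus
# the OID host it was installed against; the HTTP load balancer should send
# requests to an SSO server only while that stack's OID server is reachable.
#
# STACKS holds "sso_host:sso_port:oid_host:oid_port" records. The host names
# and ports are constructed placeholders for Figure 12-1, not real values.
STACKS="host2:7777:host1:389
host4:7777:host3:389"

# probe HOST PORT: succeed when a TCP connection to HOST:PORT can be opened.
# Assumes nc(1) is installed; replace with your load balancer's own prober.
probe() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# stack_healthy SSO_HOST SSO_PORT OID_HOST OID_PORT: success only if both the
# SSO listener and the OID listener of the same stack answer.
stack_healthy() {
    probe "$1" "$2" && probe "$3" "$4"
}

# routable_sso_hosts: print, one per line, the SSO hosts whose whole stack is
# up. This is the pool the HTTP load balancer may route to right now; if OID
# on host1 is down, only host4 is printed even though SSO on host2 is up.
routable_sso_hosts() {
    printf '%s\n' "$STACKS" | while IFS=: read -r sso_host sso_port oid_host oid_port; do
        [ -n "$sso_host" ] || continue
        if stack_healthy "$sso_host" "$sso_port" "$oid_host" "$oid_port"; then
            printf '%s\n' "$sso_host"
        fi
    done
}
```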

12.2 Adding a Node to a Multimaster Replication Group

To add a replication node to a functioning directory replication group (DRG), follow these steps.

  1. First, install the new node.

    Install Identity Management and Metadata Repository. This installation will have only the Metadata Repository, Oracle Internet Directory and Oracle Directory Integration and Provisioning. The replica node Metadata Repository should have a unique global database name.

    Do not install other Identity Management components such as OracleAS Single Sign-On or Oracle Delegated Administration Services.

  2. Prepare the environment for adding a node.

    1. Configure the Oracle Net Services environment as described in Task 3, Installing and Configuring a Multimaster Replication Group, in the "Oracle Internet Directory Replication Administration" chapter of Oracle Internet Directory Administrator's Guide.

    2. Stop the directory replication server on all nodes.

    3. Identify a sponsor node and switch the sponsor node to read-only mode.

      Note: While the sponsor node is in read-only mode, do not make any updates to it. You may, however, update any of the other nodes, but those updates are not replicated immediately. Also, the sponsor node and the MDS can be the same node.

    4. Back up the sponsor node by using ldifwrite. Enter the following command:

      $ORACLE_HOME/bin/ldifwrite -c connect_string \
               -b "orclagreementid=000001,cn=replication configuration" \
               -f output_ldif_file

  3. Add the node into the replication group.

    1. Perform the Advanced Replication add node setup on the sponsor node by typing:

      $ORACLE_HOME/bin/remtool -addnode
      
      

      The Replication Environment Management Tool adds the node to the DRG.


      Note:

      If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all the nodes in the DRG. If the node to be deleted is in the list, then delete it by running remtool -delnode again.

    2. Switch the sponsor node to updatable mode.

    3. Start the directory replication server on all nodes except the new node.

    4. Stop oidmon.

    5. Load data into the new node, as follows:

      First do a check and generate by typing:

      $ORACLE_HOME/ldap/bin/bulkload.sh \
        -connect db_connect_string_of_new_node \
        -check -generate -restore \
        absolute_path_to_the_ldif_file_generated_by_ldifwrite


      Note:

      Verify that the $ORACLE_HOME/ldap/log/bulkload.log does not report any errors. It is possible that you might see Duplicate entry errors in the log for some of the entries. You can safely ignore this error and proceed with the load.

      Now load the data on the target node by typing:

      $ORACLE_HOME/ldap/bin/bulkload.sh \
        -connect db_connect_string_of_new_node \
        -load -restore \
        absolute_path_to_the_ldif_file_generated_by_ldifwrite

  4. Start the directory server on the new node by typing the following command:

    $ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=OID
    
    
  5. Start the directory replication server on the new node by typing:

    $ORACLE_HOME/bin/oidctl connect=db_connect_string_of_new_node \
       server=oidrepld instance=1 \
       flags='-h host_name_of_new_node -p port'  start
    
    
  6. A workaround is required for release 10g (10.1.2).

    On the new node run this command:

    sqlplus "/ as sysdba"
    delete from orasso.wwsec_person$ where user_name not like '%PUBLIC';
    commit;
     
    
  7. Install a new middle tier, based on the new replica node.

    1. Synchronize the OracleAS Single Sign-On schema passwords from MDS to the new node as described in Section 12.1.5, "Synchronizing the OracleAS Single Sign-On Schema Password".

    2. Install OracleAS Single Sign-On and Oracle Delegated Administration Services as described in Section 12.1.6, "Installing OracleAS Single Sign-On and Oracle Delegated Administration Services on the Replica Node".

    3. Configure the HTTP load balancer to distribute incoming traffic to this newly installed node.
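For the bulkload check-and-generate pass in step 3 above, the following shell script is an added example, not part of the Oracle guide: it scans bulkload.log and blocks the load pass only on errors other than the Duplicate entry errors that the note says are safe to ignore. The log wording it matches (lines containing "error", with duplicate-entry lines containing "Duplicate entry") and the sample log lines are assumptions.

```shell
# Added example (not from the Oracle guide): gate the "-load" pass on the
# result of the "-check -generate" pass.
# Assumption: error lines contain the word "error" (any case) and the
# ignorable ones contain the phrase "Duplicate entry"; adjust the patterns to
# the exact wording in your bulkload.log.

# blocking_errors LOGFILE: print error lines that are not duplicate-entry errors.
blocking_errors() {
    grep -i 'error' "$1" | grep -v 'Duplicate entry' || true
}

# bulkload_log_ok LOGFILE: return 0 when the load may proceed, 1 otherwise,
# listing the blocking lines on stderr so the operator sees why.
bulkload_log_ok() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if [ -n "$(blocking_errors "$1")" ]; then
        echo "bulkload check failed; blocking errors in $1:" >&2
        blocking_errors "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample logs for demonstration (not real bulkload output).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Checking entry cn=orcladmin,cn=users,dc=example,dc=com
Error: Duplicate entry cn=PUBLIC,cn=users,dc=example,dc=com
Check complete: 2 entries processed
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
Checking entry cn=jdoe,cn=users,dc=example,dc=com
Error: schema violation, attribute orclguid missing
Check complete: 1 entries processed
EOF

# Typical use after the check pass, before running bulkload.sh -load:
#   bulkload_log_ok "$ORACLE_HOME/ldap/log/bulkload.log" || exit 1
```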

12.3 Deleting a Node from a Multimaster Replication Group

You can delete a node from a DRG, provided the DRG contains more than two nodes. You might need to do so if the addition of a new node did not fully succeed as a result of system errors. To delete a replication node, perform these steps:

  1. Stop the directory replication server on all nodes. To do that, run the following command on each node in the DRG:

    $ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld instance=1 stop
    
    

    Note:

    The instance number may vary.

  2. Stop all processes on the node to be deleted.

    1. Stop all processes in the associated middle tier Oracle homes.

      $ORACLE_HOME/opmn/bin/opmnctl stopall
      
      
    2. On the node to be deleted, stop all Oracle Application Server processes including Oracle Internet Directory Monitor and all directory server instances.

      $ORACLE_HOME/opmn/bin/opmnctl stopall
      
      
  3. Delete the node from the master definition site. From the MDS, run the following command:

    $ORACLE_HOME/bin/remtool -delnode
    
    

    Note:

    If you encounter errors, then use remtool -asrverify. If it reports errors, then rectify them by using remtool -asrrectify. Both of those options list all nodes in the DRG. If the new node is not in the list, then add it by running remtool -addnode again.

  4. Start the directory replication server on all nodes by typing the following command:

    $ORACLE_HOME/bin/oidctl connect=connect_string server=oidrepld \
      instance=1 flags='-h host -p port' start
    
    
  5. Optionally, decommission the removed replication node and its associated middle tier by deinstalling the corresponding Oracle homes.