Oracle® Application Server Administrator's Guide
10g Release 3 (10.1.3.1.0)

Part Number B28940-01

6 Reconfiguring Application Server Instances

When you installed Oracle Application Server, you chose an installation type and specified if the instance should be part of a cluster. After installation, you may want to cluster Oracle Application Server instances if you did not do so during installation, to add or delete OC4J instances, to use Oracle Web Cache as a reverse proxy, or to use Identity Management with your middle-tier installation. This chapter describes how to make these types of changes.

It contains the following topics:

If you have disabled anonymous binds in Oracle Internet Directory, you must enable them before you make configuration changes. See Section 6.7, "Disabling and Enabling Anonymous Binds" for more information.

6.1 Adding and Deleting OC4J Instances

You can add or delete OC4J instances in an existing Oracle home, as described in the following sections:

6.1.1 Adding OC4J Instances

You can add OC4J instances in an existing Oracle home in the following ways:

  • With the createinstance utility, which is located in the bin directory of Oracle home

  • With Application Server Control Console

For example, you can add an additional OC4J instance to a J2EE Server installation. In Figure 6-1, a second OC4J instance named crm is added to the installation.

To add an OC4J instance using the command-line utility, take the following steps:

  1. Create the instance:

    (UNIX) ORACLE_HOME/bin/createinstance -instanceName OC4J_instanceName -groupName groupname [-port httpPort] [-protocol protocol]
    (Windows) ORACLE_HOME\bin\createinstance -instanceName OC4J_instanceName -groupName groupname [-port httpPort] [-protocol protocol]
    
    

    In the example:

    • If you do not specify the -groupName option, the new instance is allocated to the default_group group.

    • If you are adding the OC4J instance to a J2EE Server installation type and you did not configure it at installation to accept requests from a separate HTTP server, you must specify either the -port option or the -protocol option.

    • Use the -port option if you want the instance to run in HTTP mode, which means that it will not be accessed by Oracle HTTP Server. In this case, the OC4J instance is configured to use the OC4J HTTP listener.

    • Use the -protocol option and specify ajp for the value if you want the instance to be accessed by Oracle HTTP Server. In this case, the instance will use Apache JServ Protocol (AJP). The OC4J instance will receive and respond to requests from Oracle HTTP Server.

    As part of the creation process, you are asked to enter a password. This password will be tied to the oc4jadmin user for this instance. For consistency, you may want to enter the same password used to access the default OC4J instance with the oc4jadmin user.

  2. Start the new OC4J instance:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl startproc process-type=oc4J_instanceName
    (Windows) ORACLE_HOME\opmn\bin\opmnctl startproc process-type=oc4J_instanceName
    
    

To add an OC4J instance using Application Server Control Console, take the following steps:

  1. Navigate to the Application Server instance_name page.

  2. Click Create OC4J Instance.

  3. On the Create OC4J Instance page, enter the following information:

    • OC4J Instance Name: Enter a name for the instance.

    • Select one of the following:

      • Add to an existing group with name: Select a group from Existing Group Name.

      • Add to a new group with name: In the New Group Name field, enter a name for the new group.

    • Select Start this OC4J instance after creation.

  4. Click Create.

    A confirmation screen is displayed after the instance has been created.

Note that the password used for this OC4J instance is the same password used for the oc4jadmin user for the installation.

Figure 6-1 shows part of the Cluster Topology page, which displays the additional OC4J instance added to the cluster.

Figure 6-1 OC4J Instance Added to Cluster


You can also verify that the instance was added by using the opmnctl command:

ORACLE_HOME\opmn\bin\opmnctl status
Processes in Instance: orcl_oc4j.hgremb.ora.com
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
OC4J               | crm                |    1152 | Alive
OC4J               | home               |    2424 | Alive
ASG                | ASG                |     N/A | Down

Note:

If you have configured Remote Management Interface (RMI) to use Secure Socket Layer (SSL), you must add the appropriate <ssl-config> element to the rmi.xml file for each OC4J instance you create. Otherwise, management connections to the OC4J instance from the Application Server Control will either fail or use the non-secure RMI protocol, depending upon the value of the connection protocol property in the opmn.xml file for the administration OC4J instance. See Section A.3, "Configuring Security for the Application Server Control Console" for more information.


See Also:

The chapter, "Creating and Managing Additional OC4J Instances" in the Oracle Containers for J2EE Configuration and Administration Guide

6.1.2 Deleting OC4J Instances

You can delete an OC4J instance in the following ways:

  • With the removeinstance utility, which is located in the bin directory of Oracle home

  • With Application Server Control Console

Both methods delete the directory created for the instance from the j2ee directory structure and remove configuration data for the instance from opmn.xml.

For example, to delete an instance using the command-line utility, take the following steps:

  1. Stop the instance:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=oc4J_instanceName
    (Windows) ORACLE_HOME\opmn\bin\opmnctl stopproc process-type=oc4J_instanceName
    
    
  2. Delete the instance:

    (UNIX) ORACLE_HOME/bin/removeinstance -instanceName oc4J_instanceName
    (Windows) ORACLE_HOME\bin\removeinstance -instanceName oc4J_instanceName
    
    

To delete an OC4J instance with Application Server Control Console, take the following steps:

  1. Navigate to the Application Server instance_name page.

  2. Click the Delete icon for the instance you want to delete.

  3. On the confirmation page, click Yes.

  4. A confirmation screen is displayed after the instance has been deleted.

Note the following guidelines for deleting OC4J instances:

  • You cannot delete the OC4J home instance that was created by Oracle Application Server during installation.

  • You can delete OC4J instances that were created by a user after installation.

6.2 Configuring Cluster Topologies

A cluster topology is defined as two or more connected Oracle Application Server nodes.

Some reasons for creating a cluster include:

With this release, you can create the following types of cluster topologies:

You can configure a cluster topology in the following ways:


See Also:

The chapter, "Configuring and Managing Clusters" in the Oracle Containers for J2EE Configuration and Administration Guide for detailed information about configuring cluster topologies

In the following sections, you create a cluster with three nodes, create two groups for OC4J instances, add OC4J instances to two nodes and add them to the groups, and specify multiple JVMs for the OC4J instances you create.

Figure 6-3 shows this configuration:

Figure 6-3 Multiple OC4J Middle Tiers, Additional OC4J Instances, and a Web Server Middle Tier in a Cluster


6.2.1 Configuring a Web Server and OC4J on Separate Hosts

In this example, you install a Web server, Oracle HTTP Server, on one host, and install Oracle Containers for J2EE (OC4J) on another host. Then, you cluster the instances using dynamic node discovery. This enables Oracle HTTP Server to route requests to the OC4J, and OC4J to dynamically notify Oracle HTTP Server of new application bindings when an application is deployed.

Figure 6-4 shows this environment.

Figure 6-4 Web Server Middle Tier and OC4J Middle Tier on Separate Hosts in a Cluster


For this scenario, install the following Oracle Application Server middle-tier instances on separate hosts. (For this scenario, do not configure the cluster during installation.)

  • Web Server (referred to in this procedure as Web), which includes Oracle HTTP Server and OPMN

    When you install the Web Server, accept the defaults on the Cluster Topology Configuration page.

  • J2EE Server (referred to in this procedure as J2EE_1), which includes OC4J and OPMN

    When you install the J2EE Server, on the Administration Settings page, select Configure this as an Administration OC4J Instance. For OC4J Instance Name, enter admin.

    On the Cluster Topology Configuration page, accept the defaults. You will add the instances to the cluster later.

    Note the following points:

    • When you select an OC4J instance to be the Administration OC4J instance, the Application Server Control Console that is hosted within that instance administers the local OC4J instance and any other instances in the cluster that are not designated as Administration OC4J instances.

      If you did not choose this option, you can configure it later, by starting the ascontrol application in the instance:

      (UNIX) ORACLE_HOME/opmn/bin/opmnctl startproc application=ascontrol
      (Windows) ORACLE_HOME\opmn\bin\opmnctl startproc application=ascontrol
      
      
    • For those instances that are not specified as the Administration OC4J instance, Application Server Control Console is deployed in the instance, but not started.

    • Oracle recommends that only one OC4J instance in the cluster be configured as the Administration OC4J instance.

After you install the middle-tier instances, configure the instances for dynamic node discovery, by taking the following steps:

  1. To configure the Web Server instance for dynamic node discovery, set the OPMN multicast discovery address using the opmnctl config topology command. (You cannot use the Application Server Control Console because it is not running on this instance; you cannot use opmnassociate because you used a name other than home for the default OC4J instance.)

    For example, to associate the Web Server instance on UNIX to the multicast address 225.0.0.33, use the following commands:

    ORACLE_HOME/opmn/bin/opmnctl config topology update discover=*225.0.0.33:8001
    ORACLE_HOME/opmn/bin/opmnctl reload
    
    
  2. To configure the J2EE Server instance for dynamic node discovery, you can use the opmnctl config topology command or Application Server Control Console. For this example, use Application Server Control Console and take the following steps:

    1. From the Cluster Topology page of Application Server Control Console, click Topology Network Configuration.

    2. In the Topology section, select Configuring Dynamic Node Discovery Using Multicast. Then, enter the same multicast address and port that you used for the Web Server instance. For example:

      225.0.0.33:8001
      
      
    3. Click Apply.

    Now, both instances are part of the same cluster topology.

Verify the configuration in one of the following ways:

  • Using Application Server Control Console: Navigate to the Cluster Topology page. The page displays both instances, as shown in Figure 6-5:

    Figure 6-5 Verifying the Cluster Topology


  • Using the opmnctl command with the @cluster option. The following example shows the output:

    ORACLE_HOME/opmn/bin/opmnctl @cluster status
    Processes in Instance: J2EE_1.stadh42.us.oracle.com
    ---------------------------------+--------------------+---------+---------
    ias-component                    | process-type       |     pid | status  
    ---------------------------------+--------------------+---------+---------
    OC4JGroup:default_group          | OC4J:admin         |   21520 | Alive   
    ASG                              | ASG                |     N/A | Down    
    
    Processes in Instance: Web.stadh42.us.oracle.com
    ---------------------------------+--------------------+---------+---------
    ias-component                    | process-type       |     pid | status  
    ---------------------------------+--------------------+---------+---------
    HTTP_Server                      | HTTP_Server        |   25118 | Alive   
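
The verification step above can be scripted. The following is an added example, not part of the Oracle guide: it parses the `opmnctl status` output format shown on this page and compares it with the topology you intended, reporting missing instances, required processes that are not Alive, and instances that joined the multicast topology but were not expected. The function names and the `expected` mapping are hypothetical; the sample text is the output printed above.

```python
"""Parse `opmnctl status` / `opmnctl @cluster status` text and check membership."""
import re

# Sample input: the `opmnctl @cluster status` output shown in this section.
SAMPLE = """\
Processes in Instance: J2EE_1.stadh42.us.oracle.com
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
OC4JGroup:default_group          | OC4J:admin         |   21520 | Alive
ASG                              | ASG                |     N/A | Down

Processes in Instance: Web.stadh42.us.oracle.com
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
HTTP_Server                      | HTTP_Server        |   25118 | Alive
"""

INSTANCE_RE = re.compile(r"^Processes in Instance:\s*(\S+)")


def parse_status(text):
    """Return {instance_name: [row, ...]} where each row is a dict of the
    four columns. A pid of "N/A" is stored as None."""
    instances = {}
    current = None
    for line in text.splitlines():
        match = INSTANCE_RE.match(line.strip())
        if match:
            current = instances.setdefault(match.group(1), [])
            continue
        cols = [c.strip() for c in line.split("|")]
        if current is None or len(cols) != 4:
            continue  # separator rule, blank line, or text before a table
        if cols[0] == "ias-component":
            continue  # column header
        component, process_type, pid, status = cols
        current.append({
            "component": component,
            "process_type": process_type,
            "pid": int(pid) if pid.isdigit() else None,
            "status": status,
        })
    return instances


def check_topology(instances, expected):
    """Compare parsed status with the intended topology.

    expected maps the short instance name (the part before the first dot)
    to the set of process-type values that must be Alive. Processes not
    named in `expected` (for example ASG, shown as Down above) are ignored.
    """
    findings = []
    by_short = {name.split(".", 1)[0]: name for name in instances}
    for short, required in sorted(expected.items()):
        full = by_short.get(short)
        if full is None:
            findings.append(f"MISSING instance {short}")
            continue
        alive = {row["process_type"] for row in instances[full]
                 if row["status"] == "Alive"}
        for process_type in sorted(required - alive):
            findings.append(f"NOT ALIVE {short}: {process_type}")
    # Any instance that uses the same discovery address appears in the
    # output, so list the ones that are not part of the plan.
    for short in sorted(set(by_short) - set(expected)):
        findings.append(f"UNEXPECTED instance {by_short[short]}")
    return findings


if __name__ == "__main__":
    # Hypothetical plan: the three-node topology built in Section 6.2.2.
    plan = {
        "Web": {"HTTP_Server"},
        "J2EE_1": {"OC4J:admin"},
        "J2EE_2": {"OC4J:admin"},
    }
    for finding in check_topology(parse_status(SAMPLE), plan):
        print(finding)
```
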
    

6.2.2 Configuring Multiple J2EE Server Middle Tiers in a Cluster

The example in this section builds upon the example in the previous section, Section 6.2.1. It adds an additional J2EE server middle tier to the cluster topology, to support a highly available environment for testing or production purposes.

Figure 6-6 shows this environment.

Figure 6-6 Multiple J2EE Server Middle Tiers and a Web Server Middle Tier in a Cluster


For this scenario:

  • Install and configure instances as described in Section 6.2.1.

  • Install an additional J2EE Server instance (referred to in this procedure as J2EE_2).

    During installation, do not select Configure this as an Administration OC4J Instance in the Administration Instance Settings page. This instance will be managed by the Administration OC4J instance in J2EE_1 after you add it to the cluster. For OC4J Instance Name, enter admin.

Then, configure this J2EE Server instance for dynamic node discovery, adding it to the same cluster as the previous instances, using the opmnctl command.

For example, to associate the J2EE_2 instance on UNIX to the multicast address 225.0.0.33, use the following commands:

ORACLE_HOME/opmn/bin/opmnctl config topology update discover=*225.0.0.33:8001
ORACLE_HOME/opmn/bin/opmnctl reload

Now, this instance is part of the cluster topology and is managed by the Administration OC4J instance in J2EE_1. This OC4J instance uses Apache JServ Protocol (AJP) to receive and respond to requests from Oracle HTTP Server.

Verify the configuration using Application Server Control Console or the opmnctl @cluster status command. For example, to verify it using Application Server Control Console, navigate to the Cluster Topology page. The page displays all three instances in the Members section, as shown in Figure 6-7.

Figure 6-7 Verifying the Updated Cluster Topology


The default OC4J instance is part of the group default_group. In the scenario in the previous sections, both the J2EE Server instances, J2EE_1 and J2EE_2, contain the default OC4J instance, admin, and both OC4J instances are part of the group default_group. Figure 6-8 shows the Groups section of the Cluster Topology page.

Figure 6-8 The default_group Group


6.2.3 Creating Additional Groups

A group is a collection of OC4J instances that belong to the same cluster topology. Configuration operations can be executed simultaneously on all running OC4J instances in the group.

You can create additional groups. For this scenario, create two empty groups:

  • FinancialServices_Group

  • CustomerServices_Group

Take the following steps for each group:

  1. From the Groups section of Cluster Topology page, click Create.

  2. For Group Name, enter FinancialServices_Group.

  3. Click Create.

  4. Repeat steps 1 through 3, entering CustomerServices_Group as the Group Name.

In the next section, you will create new OC4J instances and add them to the groups.

6.2.4 Adding OC4J Instances and Adding Them to Groups

As described in Section 6.1, you can add OC4J instances to an existing Oracle home. In this section, you add the instances and add them to the groups created in Section 6.2.3, as shown in the following table:

Application Server Instance   OC4J Instance Name   Group Name
---------------------------   ------------------   -----------------------
J2EE_1                        finance1             FinancialServices_Group
J2EE_1                        finance2             FinancialServices_Group
J2EE_2                        finance3             FinancialServices_Group
J2EE_2                        callcenter1          CustomerServices_Group

Take the following steps for each of the four OC4J instances you create, using the information in the preceding table:

  1. Navigate to the Application Server instance_name page, for example, Application Server J2EE_1.hostname.

  2. Click Create OC4J Instance.

  3. On the Create OC4J Instance page, enter the following information:

    • OC4J Instance Name: Enter a name for the instance. For example, for the J2EE_1 instance, enter finance1.

    • Select Add to an existing group with name, then select the appropriate group from Existing Group Name.

  4. Select Start this OC4J instance after creation.

  5. Click Create.

    A confirmation screen is displayed after the instance has been created.

Figure 6-9 shows the Members section of the Cluster Topology page, with the new OC4J instances displayed.

Figure 6-9 New OC4J Instances Displayed in Cluster Topology Page


Figure 6-10 shows the Groups section of the Cluster Topology page, with the new groups and their members.

Figure 6-10 New Groups Displayed in Cluster Topology Page


Now, the cluster is configured as depicted in Figure 6-3 in Section 6.2.

6.2.5 Creating Multiple JVMs

OC4J executes on the Java Virtual Machine (JVM) of the standard Java Development Kit (JDK). By default, each OC4J instance uses one JVM. However, you can configure an OC4J instance so it runs on multiple JVMs.

In this case, the OC4J instance is essentially running on multiple processes. This can improve performance and provide a level of fault tolerance for your deployed applications. However, multiple JVMs also require additional hardware resources to run efficiently.


Note:

You cannot configure the OC4J instance that is hosting the active Application Server Control (represented by the ascontrol application) to run multiple JVMs.

In this example, you create an additional JVM for each OC4J instance you created in Section 6.2.4. Take the following steps for each of these OC4J instances:

  1. Navigate to the Home page for the OC4J instance.

  2. Click Administration.

  3. If necessary, expand the Properties section of the table by clicking the Expand icon. Then, click the Go to Task icon in the Server Properties row.

  4. In the Number of VM Processes field, enter the number of JVMs to configure.

  5. Click Apply.

  6. Navigate to the Cluster Topology page, select the OC4J instance that you modified, and click Restart. On the Confirmation page, click Yes.

6.3 Configuring 10.1.2 Oracle Web Cache as a Reverse Proxy

You can use Release 2 (10.1.2) Oracle Web Cache as a reverse proxy for your 10g Release 3 (10.1.3.1.0) middle-tier instance. As a reverse proxy server, OracleAS Web Cache acts as a gateway to the middle-tier servers.

The following topics describe how to configure Oracle Web Cache Release 2 (10.1.2) as a reverse proxy for your 10g Release 3 (10.1.3.1.0) middle-tier instance:


See Also:

For complete information about using Oracle Web Cache as a reverse proxy, and about Oracle Web Cache clusters, see the Release 2 (10.1.2) Oracle Application Server Web Cache Administrator's Guide.

6.3.1 Configuring an Oracle Web Cache Instance as a Reverse Proxy

You can use Release 2 (10.1.2) Oracle Web Cache as a reverse proxy for your middle-tier instance. The procedure in this section makes the following assumptions:

  • You have installed a Release 2 (10.1.2) Oracle Web Cache standalone kit. The kit is part of the Oracle Application Server Companion CD, which is available on OTN.

  • You have configured Oracle Web Cache, as described in the Oracle Application Server Web Cache Administrator's Guide.

  • You have installed a 10g Release 3 (10.1.3.1.0) middle-tier instance.

Figure 6-11 depicts the scenario described in this section.

Figure 6-11 Oracle Web Cache as Reverse Proxy


From the Release 2 (10.1.2) standalone Oracle Web Cache instance, take the following steps:

  1. Log into Oracle Web Cache Manager, using the Oracle Web Cache username and password. By default, the username is ias_admin and the password is the one you specified during installation. Use the following URL, where port is the Oracle Web Cache administration port:

    http://hostname:port/webcacheadmin
    
    

    By default, the port is 9400. The administration port number for an Oracle Web Cache standalone installation is listed in the Oracle_Home/webcache/webcache.xml file. To find the port number for Oracle Web Cache that is part of an Oracle Application Server installation, click the Ports link in Application Server Control Console.

  2. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Origin Servers.

  3. In the Origin Servers page, click Add in the Application Web Servers section.

  4. In the Add Application Web Server dialog box, enter the following information:

    • In the Hostname field, enter the host name of the origin server (Oracle HTTP Server) in the 10g Release 3 (10.1.3.1.0) middle-tier instance.

    • In the Port field, enter the listening port from which the origin server will receive OracleAS Web Cache requests.

    • In the Routing field, select ENABLED to permit OracleAS Web Cache to route requests to the origin server.

    For information about other fields in the dialog box, refer to the online Help or the Oracle Application Server Web Cache Administrator's Guide.

  5. Click Submit.

  6. Optionally, you can add a new site to map to the origin server or you can use an existing site. To add a new site, in the navigator frame, select Origin Servers, Sites, and Load Balancing > Site Definitions.

    For more information about adding a site, refer to the online Help or the Oracle Application Server Web Cache Administrator's Guide.

  7. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site-to-Server Mapping to map the site to the origin server in the 10g Release 3 (10.1.3.1.0) middle-tier instance.

  8. In the Site-to-Server Mapping page, select a mapping and click Insert Above or Insert Below.

  9. In the Edit/Add Site-to-Server Mapping dialog box:

    • Select Select from Site definitions to select the site definition you want to use.

    • In the Select Application Web Servers field, select the application Web server from 10g Release 3 (10.1.3.1.0) middle-tier instance.

6.3.2 Configuring an Oracle Web Cache Cluster as a Reverse Proxy

You can use a cluster of Release 2 (10.1.2) Oracle Web Cache instances as a reverse proxy for your 10g Release 3 (10.1.3.1.0) middle-tier instance.

The procedure in this section makes the following assumptions:

  • You have installed more than one instance of Release 2 (10.1.2) Oracle Web Cache standalone kit. The kit is part of the Oracle Application Server Companion CD, which is available on OTN.

  • You have configured Oracle Web Cache, as described in the Oracle Application Server Web Cache Administrator's Guide.

  • You have installed a 10g Release 3 (10.1.3.1.0) middle-tier instance.

Figure 6-12 depicts the scenario described in this section.

Figure 6-12 Oracle Web Cache Cluster as Reverse Proxy


To configure an Oracle Web Cache cluster as a reverse proxy, take the following steps:

  1. Set up one Oracle Web Cache instance as a reverse proxy, as described in Section 6.3.1.

  2. Log into Oracle Web Cache Manager for that instance, using the Oracle Web Cache username and password. By default, the username is ias_admin and the password is the one you specified during installation. Use the following URL, where port is the Oracle Web Cache administration port:

    http://hostname:port/webcacheadmin
    
    
  3. Configure the properties of the cache cluster, by taking the following steps:

    1. In the Oracle Web Cache Manager navigator frame, select Properties > Clustering.

    2. In the General Cluster Information section of the Clustering page, click Edit.

      Follow the directions in the online Help or Chapter 10 of the Oracle Application Server Web Cache Administrator's Guide.

  4. Add other caches to the cluster, by taking the following steps for each instance you want to place in the cluster:

    1. In the Oracle Web Cache Manager navigator frame, select Properties > Clustering.

    2. In the Cluster Members section of the Clustering page, click Add.

      Follow the directions in the online Help or Chapter 10 of the Oracle Application Server Web Cache Administrator's Guide.

  5. After you have added all the caches to the cluster, propagate the cluster configuration to the cluster members by taking the following steps:

    1. In the Oracle Web Cache Manager navigator frame, select Operations > Cache Operations.

    2. Select All Caches, and click Propagate.

    3. Restart all caches by selecting All Caches and clicking Restart.

6.4 Configuring Oracle Application Server 10.1.2 with Oracle Application Server 10.1.3

To use the latest J2EE features of Oracle Application Server, 10g Release 3 (10.1.3.1.0), with existing Oracle Application Server, Release 2 (10.1.2), components and applications, you can use the Oracle HTTP Server from an Oracle Application Server, Release 2 (10.1.2), middle tier as the front-end for your Oracle Application Server, 10g Release 3 (10.1.3.1.0), middle tier. This section provides instructions on installing and configuring Oracle Application Server, 10g Release 3 (10.1.3.1.0), and Oracle HTTP Server, Release 2 (10.1.2), for interoperability.

On your farm or cluster, either install or locate the following:

For Release 2 (10.1.2) middle tiers that are associated with an Infrastructure, start with Step 3 in the following procedure because the ons.conf file on the Release 2 (10.1.2) middle tier is not updated in this configuration. For this configuration, the Oracle Application Server, 10g Release 3 (10.1.3.1.0), initiates the connections between the two instances. For middle tiers that are not associated with an Infrastructure (a J2EE and Web Cache type middle tier may or may not be associated with an Infrastructure), start with Step 1.

Configuration Procedure

Perform the following steps to configure the two servers:

  1. On Server 1, add Server 2 using DCM:

    ORACLE_HOME/dcm/bin/dcmctl addOPMNLink server2_ip:server2_ons_remote_port
    
    
  2. Verify that Server 2 is added by inspecting the contents of ons.conf in the ORACLE_HOME/opmn/conf directory. The file should contain a list of comma-separated hostname/ip:ons_remote_port entries. The remote port is the port on Server 2 that OPMN on Server 1 uses to communicate with Server 2. An example of an entry in the list would be:

    127.2.148.142:6200
    
    
  3. On Server 2, add Server 1 to the cluster using static node-to-node communication by editing the topology section in ORACLE_HOME/opmn/conf/opmn.xml:

    <notification-server>
    ...
       <topology>
          <nodes list="server1_ip:remote_port,server2_ip:remote_port"/>
       </topology>
    </notification-server>
    
    

    In the example, server*_ip is the IP address of Server 1 or Server 2 and remote_port is the port number through which other servers can communicate with the server, for example:

    127.2.148.142:6200
    
    

    To configure ONS in opmn.xml, all Oracle RAC instance nodes must be listed, not only the master. For an Oracle RAC with host1, host2, host3, host4, the list would be:

    list="host1:ONSRemotePort,host2:ONSRemotePort,host3:ONSRemotePort,host4:ONSRemotePort"
    
    

    The SSL setting must be the same on all nodes: enabled or disabled.

  4. On Server 2, reload OPMN:

    ORACLE_HOME_SERVER2/opmn/bin/opmnctl reload
    
    
  5. Verify that both servers can communicate with each other by running the following commands:

    • On Server 1:

      ORACLE_HOME_SERVER1/opmn/bin/opmnctl @farm status
      
      
    • On Server 2:

      ORACLE_HOME_SERVER2/opmn/bin/opmnctl @cluster status
      
      

      These commands produce a list of servers that are part of the farm or cluster.

  6. On Server 1, set the OC4J mount directive in the ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf file:

    Oc4jMount /MyApp instance://server2_instance_name:oc4j_instance_name 
    Oc4jMount /MyApp/* instance://server2_instance_name:oc4j_instance_name
    
    

    A mount point must be added for each J2EE application deployed on 10g Release 3 (10.1.3.1.0). As new applications are added, you must add a new mount point.

  7. On Server 1, update the configuration. (You must update the configuration any time you manually edit mod_oc4j.conf.)

    ORACLE_HOME/dcm/bin/dcmctl updateConfig
    
  8. Restart Oracle HTTP Server on Server 1:

    ORACLE_HOME_SERVER1/opmn/bin/opmnctl restartproc ias-component=HTTP_Server
    
    

A browser pointing to appserverInstance on Server 1 can now access an OC4J application in appserverInstance on Server 2.
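
Step 3 requires every node to appear in the `<nodes list="..."/>` attribute and the SSL setting to be identical on all nodes. The following is an added example, not part of the Oracle guide, that cross-checks both across several opmn.xml files; it generalizes the two-server case to any number of nodes. The function names, host names, and sample XML are constructed, and the `<ssl enabled="..."/>` element under `<notification-server>` is an assumption about how the SSL setting is expressed.

```python
"""Cross-check the ONS <topology> node list and SSL flag across opmn.xml files."""
import re
import xml.etree.ElementTree as ET

ENTRY_RE = re.compile(r"^[^\s:,]+:\d{1,5}$")  # host_or_ip:remote_port


def _local(tag):
    """Strip an XML namespace: '{uri}nodes' -> 'nodes'."""
    return tag.rsplit("}", 1)[-1]


def read_ons_settings(opmn_xml_text):
    """Return the node list and SSL flag found under <notification-server>."""
    root = ET.fromstring(opmn_xml_text)
    server = next((el for el in root.iter()
                   if _local(el.tag) == "notification-server"), None)
    if server is None:
        raise ValueError("no <notification-server> element")
    nodes, ssl_enabled = [], False
    for el in server.iter():
        name = _local(el.tag)
        if name == "nodes":
            nodes += [n.strip() for n in el.get("list", "").split(",")
                      if n.strip()]
        elif name == "ssl":
            # Assumption: SSL is switched by <ssl enabled="true|false"/>;
            # a missing element is treated as disabled.
            ssl_enabled = el.get("enabled", "false").strip().lower() == "true"
    return {"nodes": nodes, "ssl": ssl_enabled}


def check_cluster(configs, expected_nodes):
    """configs: {label: opmn.xml text}; expected_nodes: set of 'host:port'.

    Returns a list of findings; an empty list means every file lists every
    expected node and all files agree on the SSL setting.
    """
    findings = []
    settings = {label: read_ons_settings(text)
                for label, text in configs.items()}
    for label in sorted(settings):
        entries = settings[label]["nodes"]
        for entry in entries:
            if not ENTRY_RE.match(entry):
                findings.append(f"{label}: malformed entry '{entry}'")
        listed = {e for e in entries if ENTRY_RE.match(e)}
        for node in sorted(expected_nodes - listed):
            findings.append(f"{label}: node list is missing {node}")
        for node in sorted(listed - expected_nodes):
            findings.append(f"{label}: node list has unexpected entry {node}")
    enabled = sorted(l for l, s in settings.items() if s["ssl"])
    disabled = sorted(l for l, s in settings.items() if not s["ssl"])
    if enabled and disabled:
        findings.append("SSL mismatch: enabled on " + ", ".join(enabled)
                        + "; disabled on " + ", ".join(disabled))
    return findings


def sample_opmn_xml(node_list, ssl, xmlns=""):
    """Build a constructed, minimal opmn.xml fragment for the demo."""
    return (f'<opmn{xmlns}><notification-server>'
            f'<ssl enabled="{ssl}"/>'
            f'<topology><nodes list="{node_list}"/></topology>'
            f'</notification-server></opmn>')


# Constructed sample data: four nodes, as in the host1..host4 example above.
ALL_NODES = "host1:6200,host2:6200,host3:6200,host4:6200"
EXPECTED = set(ALL_NODES.split(","))
CONFIGS = {
    "host1": sample_opmn_xml(ALL_NODES, "true"),
    # Namespace declarations, if present, are ignored by the parser above.
    "host2": sample_opmn_xml(ALL_NODES, "true",
                             ' xmlns="urn:example:constructed"'),
    "host3": sample_opmn_xml("host1:6200", "true"),         # only one node
    "host4": sample_opmn_xml(ALL_NODES + ",host5", "false"),  # no port, SSL off
}

if __name__ == "__main__":
    for finding in check_cluster(CONFIGS, EXPECTED):
        print(finding)
```
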


Caution:

For Release 2 (10.1.2) middle-tier installations other than a J2EE and Web Cache type middle tier, start the Oracle Application Server, Release 2 (10.1.2), middle tier before starting the Oracle Application Server, 10g Release 3 (10.1.3.1.0), middle tier, or a delay of up to two minutes can occur.

In this configuration, the application stop functionality in the J2EE 10g Release 3 (10.1.3.1.0) instance should not be used because errors can occur when the Oracle HTTP Server Release 2 (10.1.2) routes to the J2EE 10g Release 3 (10.1.3.1.0) instance with the stopped application.


Note:

You cannot manage Release 2 (10.1.2) from the 10g Release 3 (10.1.3.1.0) Application Server Control Console. The 10.1.2 instance will appear on the Cluster Topology page for Application Server Control Console, 10g Release 3 (10.1.3.1.0), but some of the information about the 10.1.2 instance will be either unavailable or incorrect. For example:
  • In the Ports page, the ports for the 10.1.2 instance may not be listed or the type of port may be listed as NA.

  • In the Groups section of the topology page, if a group contains a 10.1.2 instance, the status of the instance may be incorrect.


6.5 Configuring Instances to Use OC4J Java Single Sign-On

You can configure instances to use OC4J Java Single Sign-On (Java SSO), a lighter-weight single sign-on solution supplied with OC4J that does not require additional infrastructure (such as OracleAS Single Sign-On and Oracle Access Manager single sign-on do) and decouples OC4J from any identity management system that you use.

Note that for a Basic Install, Java SSO is automatically deployed, configured, and started. For an Advanced Install, it is deployed, but not configured or started.

For information about configuring instances to use Java SSO, see the section, "Java SSO Setup and Configuration" in the Oracle Containers for J2EE Security Guide.

For information about configuring Java SSO to use Oracle Internet Directory, see the section "Associate Oracle Internet Directory with OC4J" in the Oracle Containers for J2EE Security Guide.

6.6 Configuring Instances to Use 10.1.4 or 10.1.2 Oracle Identity Management

You can configure 10.1.3 middle-tier instances to use Release 10.1.4 or Release 2 (10.1.2) Oracle Identity Management.

See the Oracle Application Server Upgrade Guide for information about the specific versions of Oracle Identity Management that are supported with 10g Release 3 (10.1.3.1.0).

This section describes how to configure a 10.1.3 middle-tier instance to use Oracle Identity Management, Release 10.1.4 or Release 2 (10.1.2). Figure 6-13 shows the middle-tier instance configured with Oracle Identity Management, Release 2 (10.1.2).

Figure 6-13 Middle Tier Using 10.1.2 Identity Management


Before you start, make sure that:

Task 1: Enable SSO Authentication (Optional)

If you want to enable Oracle Single Sign-On authentication for deployed applications, you must take the following steps before you use the Identity Management wizard described in "Task 2: Configure the Middle-Tier Instance for Identity Management".


Note:

Oracle Single Sign-On is available only if you have installed an Oracle Application Server installation type that includes Oracle HTTP Server. For other installation types, Java SSO is available. See Section 6.5.

  1. On the Identity Management host, set the environment variables ORACLE_HOME and ORACLE_SID.

  2. On the Identity Management host, run the ssoreg script, using the -remote_midtier option. The file is located at:

    (UNIX) ORACLE_HOME/sso/bin/ssoreg.sh
    (Windows) ORACLE_HOME\sso\bin\ssoreg.bat
    
    

    For example, on Linux:

    $ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path $ORACLE_HOME \
     -config_mod_osso TRUE \
     -site_name myhost.com:7778 \
     -remote_midtier \
     -config_file $ORACLE_HOME/Apache/Apache/conf/osso/myosso.conf \
     -mod_osso_url http://myhost.com:7778
    
    

    The resulting configuration file (myosso.conf in the example) is an obfuscated osso configuration file.

  3. Copy the obfuscated osso configuration file to the 10g Release 3 (10.1.3.1.0) middle-tier instance.

  4. On the middle-tier host, run the following script to complete the registration:

    (UNIX) ORACLE_HOME/Apache/Apache/bin/osso1013 config_file
    (Windows) perl ORACLE_HOME\Apache\Apache\bin\osso1013 config_file
    

Task 2: Configure the Middle-Tier Instance for Identity Management

To configure the middle-tier instance to use Identity Management, take the following steps:

  1. Using the Application Server Control Console, navigate to the OC4J Home page for the middle-tier instance.

  2. Click Administration.

  3. In the Task Name column of the table, expand Security if it is not already expanded. Then, in the Identity Management row, click the Go to Task icon.

  4. On the Identity Management page, click Configure.

  5. On the Configure Identity Management: Connect Information page:

    • Oracle Internet Directory Host: Enter the fully-qualified name of the Oracle Internet Directory host.

    • Oracle Internet Directory User DN: Enter the distinguished name of a user, such as cn=orcladmin, in the iASAdmins group.

    • Password: Enter the password for the user.

      This password will be used as the default password for the oc4jadmin user created in Oracle Internet Directory.

    • Use only SSL connections to the Internet Directory: Select this option if you want middle-tier components to connect to Oracle Internet Directory using only SSL.

      Then, in the Oracle Internet Directory SSL Port field, enter the Oracle Internet Directory SSL port number.

    • Use non-SSL connections to the Internet Directory: Select this option if you want middle-tier components to connect to Oracle Internet Directory using non-SSL connections.

      Then, in the Oracle Internet Directory Port field, enter the Oracle Internet Directory non-SSL port number.

    Click Next.

  6. On the Configure Identity Management: Application Server Control page, you can specify whether to configure Application Server Control to use Identity Management as its security provider for authentication and authorization of administrative users. If you do, select Use Oracle Identity Management Security Provider.

    Note the following:

    • Any Application Server Control administrator users created for the current security provider will not be able to access the Application Server Control Console after you make this change. Only users and groups defined in Oracle Internet Directory will be able to access the Application Server Control Console.

    • You can change the Application Server Control security provider later by clicking Setup, then Security Provider.

  7. On the Configure Identity Management: Deployed Applications page, you can specify security options for applications deployed in this OC4J instance. For each application:

    • Use OID Security Provider: Select this option to configure the application to use Identity Management as its security provider for authentication and authorization.

      Note that you cannot change the security provider for the default application.

    • Enable SSO Authentication: If you selected Use OID Security Provider, you can select this option to use Single Sign-On authentication. Note, however, that you must have first registered your instance of Oracle Application Server with the Oracle Single Sign-On server. See "Task 1: Enable SSO Authentication (Optional)" for more information.

    Click Configure.

  8. When the operation completes, you need to restart the OC4J instance. Do not click Restart on the Confirmation page. Instead, navigate to the Cluster Topology page, select the OC4J instance, and click Restart.

Your middle tier is now configured to use Oracle Identity Management services.

6.7 Disabling and Enabling Anonymous Binds

Beginning with Release 2 (10.1.2.0.2), you can enable and disable anonymous binds (anonymous authentication) in Oracle Internet Directory. By default, anonymous binds are enabled.

Although disabling anonymous binds is useful in many runtime environments, most configuration changes, such as the following, require that anonymous binds are enabled:

6.7.1 Disabling Anonymous Binds for Run-Time Environments

To disable anonymous binds, take the following steps:

  1. Shut down all middle tiers that are connected to the OracleAS Infrastructure, as described in Section 3.2.2, "Stopping a Middle-Tier Instance".

  2. Shut down OracleAS Infrastructure, in all Infrastructure Oracle homes:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl stopall
    (Windows) ORACLE_HOME\opmn\bin\opmnctl stopall
    
    
  3. Start Oracle Internet Directory, because it must be running while you perform the procedure:

    (UNIX) ORACLE_HOME/bin/oidmon connect=db_connect_string start
    (Windows) ORACLE_HOME\bin\oidmon connect=db_connect_string start
    
    
  4. Edit the ias.properties file for each middle tier connected to the OracleAS Infrastructure and for the Infrastructure Oracle home that contains Oracle Single Sign-On and Oracle Delegated Administration Services. The ias.properties file is located in the following directory:

    (UNIX) ORACLE_HOME/config
    (Windows) ORACLE_HOME\config
    
    

    In the ias.properties file, add the OIDAnonymousDisabled property to the file and set it to true:

    OIDAnonymousDisabled=true
    
    
  5. Edit the dads.conf file for each middle tier connected to the OracleAS Infrastructure and for the Infrastructure Oracle home that contains Oracle Single Sign-On and Oracle Delegated Administration Services. The dads.conf file is located in the following directory:

    (UNIX) ORACLE_HOME/Apache/modplsql/conf
    (Windows) ORACLE_HOME\Apache\modplsql\conf
    
    

    By default, the PlsqlDatabaseConnectString parameter contains a value that uses the LDAP name resolution format, for example:

    PlsqlDatabaseConnectString cn=orcl, cn=oraclecontext NetServiceNameFormat
    
    

    Comment out this line. (Do not delete it because you will need to revert to it if you want to enable anonymous binds in the future.)

    Add the following line, which changes the value of the PlsqlDatabaseConnectString parameter to use the host:port:service format instead of LDAP name resolution:

    PlsqlDatabaseConnectString db_host:db_listener_port:db_service_name
    
    

    In the example, db_host is the name of the host on which the OracleAS Metadata Repository for Oracle Single Sign-On is installed, db_listener_port is the listener port for that OracleAS Metadata Repository, and db_service_name is the service name for the OracleAS Metadata Repository.

  6. Use the ldapmodify command to disable anonymous binds. Use the command on the Oracle home that contains Oracle Internet Directory.

    Take the following steps:

    1. Create a text file with the following lines:

      dn:
      changetype: modify
      replace: orclanonymousbindsflag
      orclanonymousbindsflag: 0
      
      
    2. Use the ldapmodify command, calling the text file created in the previous step as input. In the following example, the text file is named anon_off.ldif:

      (UNIX) ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -w password -v -f anon_off.ldif
      (Windows) ORACLE_HOME\bin\ldapmodify -h host -p port -D cn=orcladmin -w password -v -f anon_off.ldif
      
      
  7. Stop Oracle Internet Directory:

    (UNIX) ORACLE_HOME/bin/oidmon connect=db_connect_string stop
    (Windows) ORACLE_HOME\bin\oidmon connect=db_connect_string stop
    
    
  8. Start OracleAS Infrastructure, including Oracle Internet Directory, in the Oracle Internet Directory Oracle home, then in any other OracleAS Infrastructure Oracle homes:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl startall
    (Windows) ORACLE_HOME\opmn\bin\opmnctl startall
    
    
  9. Start all middle tiers that are connected to the Infrastructure, as described in Section 3.2.1, "Starting a Middle-Tier Instance".

6.7.2 Enabling Anonymous Binds for Configuration Changes

If you have disabled anonymous binds, you must take the following steps to enable anonymous binds before you can make configuration changes to Oracle Application Server middle tiers or OracleAS Infrastructure:

  1. Shut down all middle tiers that are connected to the OracleAS Infrastructure, as described in Section 3.2.2, "Stopping a Middle-Tier Instance".

  2. Shut down OracleAS Infrastructure, in all Infrastructure Oracle homes:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl stopall
    (Windows) ORACLE_HOME\opmn\bin\opmnctl stopall
    
    
  3. Start Oracle Internet Directory, because it must be running while you perform the procedure:

    (UNIX) ORACLE_HOME/bin/oidmon connect=db_connect_string start
    (Windows) ORACLE_HOME\bin\oidmon connect=db_connect_string start
    
    
  4. Edit the ias.properties file for each middle tier connected to the OracleAS Infrastructure and for the Infrastructure Oracle home that contains Oracle Single Sign-On and Oracle Delegated Administration Services. The ias.properties file is located in the following directory:

    (UNIX) ORACLE_HOME/config
    (Windows) ORACLE_HOME\config
    
    

    In the ias.properties file, set the OIDAnonymousDisabled property to false:

    OIDAnonymousDisabled=false
    
    

    If the property does not exist in the file, or if it is set to false, anonymous binds are enabled.

  5. Edit the dads.conf file for each middle tier connected to the OracleAS Infrastructure and for the Infrastructure Oracle home that contains Oracle Single Sign-On and Oracle Delegated Administration Services. The dads.conf file is located in the following directory:

    (UNIX) ORACLE_HOME/Apache/modplsql/conf
    (Windows) ORACLE_HOME\Apache\modplsql\conf
    
    

    If you previously commented out the line that contains the PlsqlDatabaseConnectString parameter with a value that uses the LDAP name resolution format, uncomment that line. If you deleted the line, add a line using the following format:

    PlsqlDatabaseConnectString cn=orcl, cn=oraclecontext NetServiceNameFormat
    
    

    If you previously added a line similar to the following, which contains the PlsqlDatabaseConnectString parameter with a value that uses the host:port:service format, comment out the line:

    PlsqlDatabaseConnectString db_host:db_listener_port:db_service_name
    
    
  6. Use the ldapmodify command to enable anonymous binds. Use the command on the Oracle home that contains Oracle Internet Directory.

    Take the following steps:

    1. Create a text file with the following lines:

      dn:
      changetype: modify
      replace: orclanonymousbindsflag
      orclanonymousbindsflag: 1
      
      
    2. Use the ldapmodify command, calling the text file created in the previous step as input. In the following example, the text file is named anon_on.ldif:

      (UNIX) ORACLE_HOME/bin/ldapmodify -h host -p port -D cn=orcladmin -w password -v -f anon_on.ldif
      (Windows) ORACLE_HOME\bin\ldapmodify -h host -p port -D cn=orcladmin -w password -v -f anon_on.ldif
      
      
  7. Stop Oracle Internet Directory:

    (UNIX) ORACLE_HOME/bin/oidmon connect=db_connect_string stop
    (Windows) ORACLE_HOME\bin\oidmon connect=db_connect_string stop
    
    
  8. Start OracleAS Infrastructure, including Oracle Internet Directory, in the Oracle Internet Directory Oracle home, then in any other OracleAS Infrastructure Oracle homes:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl startall
    (Windows) ORACLE_HOME\opmn\bin\opmnctl startall
    
    
  9. Start all middle tiers that are connected to the Infrastructure, using the following command:

    (UNIX) ORACLE_HOME/opmn/bin/opmnctl startall
    (Windows) ORACLE_HOME\opmn\bin\opmnctl startall
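
The procedures in Sections 6.7.1 and 6.7.2 each edit ias.properties and dads.conf in every affected Oracle home, so a home where only one of the two files was changed is easy to miss. The following script is an added example, not part of the Oracle documentation or product: it reports whether the two files in an Oracle home agree. The function names are hypothetical, the file locations are the UNIX paths given above, and the script does not read orclanonymousbindsflag from the directory itself.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names are hypothetical; file
# locations are the UNIX paths given in Sections 6.7.1 and 6.7.2.

# "disabled" if the last active OIDAnonymousDisabled line is true; otherwise
# "enabled" (per the page, a missing property or false means enabled).
ias_anon_state() {
    val=$(sed -n 's/^[[:space:]]*OIDAnonymousDisabled[[:space:]]*=[[:space:]]*//p' "$1" |
          tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    if [ "$val" = "true" ]; then echo disabled; else echo enabled; fi
}

# Classify the active PlsqlDatabaseConnectString lines in dads.conf. Lines
# commented out with "#" never have the directive as their first field.
dads_format() {
    awk 'tolower($1) == "plsqldatabaseconnectstring" {
             if (tolower($0) ~ /cn=|netservicenameformat/) ldap++
             else if ($2 ~ /^[^:]+:[0-9]+:[^:]+$/) hostport++
         }
         END {
             if (ldap && hostport) print "mixed"
             else if (ldap)        print "ldap"
             else if (hostport)    print "hostport"
             else                  print "none"
         }' "$1"
}

# Verdict for one Oracle home; returns 0 only for the two states the
# procedures leave behind (a home without any DAD passes in either state).
check_home() {
    props="$1/config/ias.properties"
    dads="$1/Apache/modplsql/conf/dads.conf"
    for f in "$props" "$dads"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    done
    state=$(ias_anon_state "$props")
    fmt=$(dads_format "$dads")
    case "$state:$fmt" in
        disabled:hostport|disabled:none) echo "consistent: anonymous binds disabled" ;;
        enabled:ldap|enabled:none)       echo "consistent: anonymous binds enabled" ;;
        *) echo "inconsistent: ias.properties=$state dads.conf=$fmt"; return 1 ;;
    esac
}

# Usage: sh check_anon_binds.sh ORACLE_HOME [ORACLE_HOME ...]
rc=0
for home in "$@"; do check_home "$home" || rc=1; done
[ "$rc" -eq 0 ]
```

Run it against each middle-tier and Infrastructure Oracle home after step 5 and before restarting; an "inconsistent" verdict names the file that was not updated.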