7 Extending the Domain with Oracle Internet Directory

This chapter describes how to extend the domain with Oracle Internet Directory (OID) in the enterprise deployment.

This chapter includes the following topics:

Section 7.1, "Prerequisites for Configuring Oracle Identity Directory Instances"

Section 7.2, "Configuring the Oracle Internet Directory Instances"

Section 7.3, "Post-Configuration Steps"

Section 7.4, "Validating the Oracle Internet Directory Instances"

Section 7.5, "Backing up the OID Configuration"

7.1 Prerequisites for Configuring Oracle Identity Directory Instances

Before configuring the Oracle Internet Directory instances on OIDHOST1 and OIDHOST2, ensure that the following tasks have been performed:

  1. Synchronize the time on Oracle Internet Directory, as described in Section 7.1.1.

  2. Install and upgrade the software on OIDHOST1 and OIDHOST2 as described in Section 4.5.4 and Section 4.6.1.

  3. If you plan on provisioning the Oracle Internet Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST1 and OIDHOST2 as described in Section 2.4.

  4. Make sure that the load balancer is configured.

7.1.1 Synchronizing the Time on Oracle Internet Directory

Before setting up Oracle Internet Directory in a high availability environment, you must ensure that the time on the individual Oracle Internet Directory nodes is synchronized.

Synchronize the time on all nodes using Greenwich Mean Time so that there is a discrepancy of no more than 250 seconds between them.

If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes, the OID Monitor on the node that is behind stops all servers on its node. To correct this problem, synchronize the time on the node that is behind in time. The OID Monitor automatically detects the change in the system time and starts the Oracle Internet Directory servers on its node.

7.2 Configuring the Oracle Internet Directory Instances

Follow these steps to configure the Oracle Internet Directory components, OIDHOST1 and OIDHOST2 on the directory tier with Oracle Internet Directory. The procedures for the installations are very similar, but the selections in the configuration options screen differ.

This section contains the following topics:

7.2.1 Configure the First Oracle Internet Directory Instance

  1. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "389"
netstat -an | grep "636"

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components,"or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign ports 389 and 636, as follows:

    # The non-SSL port for Oracle Internet Directory
Oracle Internet Directory port = 389
# The SSL port for Oracle Internet Directory
Oracle Internet Directory (SSL) port = 636

  4. Start the Oracle Identity Management 11g Configuration Assistant by running ORACLE_HOME/bin/config.sh.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/oid_inst1

    • Oracle Instance Name: oid_inst1

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the checkbox next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and then click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full pathname to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com

      Note:

      The Oracle RAC database connect string information must be provided in the format host1:port1:instance1^host2:port2:instance2@servicename. During this installation, it is not required for all the Oracle RAC instances to be up. If one Oracle RAC instance is up, the installation can proceed.It is required that the information provided above is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each Oracle RAC instance, and the service name provided must be configured for all the specified Oracle RAC instances.Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.

    • User Name: ODS

    • Password: ****** (enter the password)

    Click Next.

  12. On the Configure OID screen, specify the Realm and enter the Administrator (cn=orcladmin) password and click Next.

  13. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  14. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  15. On the Installation Complete screen, click Finish to confirm your choice to exit.

  16. To validate the installation of the Oracle Internet Directory instance on OIDHOST1, issue these commands:

    ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

7.2.2 Configuring an Additional Oracle Internet Directory Instance

The schema database must be running before you perform this task. Follow these steps to install Oracle Internet Directory on OIDHOST2:

  1. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "389"
netstat -an | grep "636"

    If the ports are in use (that is, if the command returns output identifying either port), you must free them.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components,"or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Internet Directory
Oracle Internet Directory port = 389
# The SSL port for Oracle Internet Directory
Oracle Internet Directory (SSL) port = 636

  4. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "389"
netstat -an | grep "636"

    If the ports are in use (if the command returns output identifying the port), you must free them.

    On UNIX, remove the entries for ports 389 and 636 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components,"or restart the computer.

    Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory

  5. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    # The non-SSL port for Oracle Internet Directory
Oracle Internet Directory port = 389
# The SSL port for Oracle Internet Directory
Oracle Internet Directory (SSL) port = 636

  6. Start the Oracle Identity Management 11g Configuration Assistant by running ORACLE_HOME/bin/config.sh.

  7. On the Welcome screen, click Next.

  8. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  9. On the Specify Installation Location screen, specify the following values:

    Oracle Instance Location: /u01/app/oracle/admin/oid_inst1

    Oracle Instance Name: oid_inst1

    Click Next.

  10. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the checkbox next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  11. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.

  12. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full pathname to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  13. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: infradbhost1-vip.mycompany.com:1521:idmdb1^infradbhost2-vip.mycompany.com:1521:idmdb2@idmedg.mycompany.com

      Note:

      The Oracle RAC database connect string information needs to be provided in the format host1:port1:instance1^host2:port2:instance2@servicename. During this installation, it is not required for all the Oracle RAC instances to be up. If one Oracle RAC instance is up, the installation can proceed.

      It is required that the information provided above is complete and accurate. Specifically, the correct host, port, and instance name must be provided for each Oracle RAC instance, and the service name provided must be configured for all the specified Oracle RAC instances.

      Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.

    • User Name: ODS

    • Password: ****** (enter the password)

    Click Next.

  14. The ODS Schema in use message appears. The ODS schema chosen is already being used by the existing Oracle Internet Directory instance. Therefore, the new Oracle Internet Directory instance being configured would re-use the same schema.

    Choose Yes to continue.

    A popup window with this message appears:

    "Please ensure that the system time on this Identity Management Node is in sync with the time on other Identity management Nodes that are part of the Oracle Application Server Cluster (Identity Management) configuration. Failure to ensure this may result in unwanted instance failovers, inconsistent operational attributes in directory entries and potential inconsistent behavior of password state policies."

    Ensure that the system time between IDMHOST1 and IDMHOST2 is synchronized.

    Click OK to continue.

  15. On the Specify OID Admin Password screen, specify the OID Admin password and click Next.

  16. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  17. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  18. On the Installation Complete screen, click Finish to confirm your choice to exit.

  19. To validate the installation of the Oracle Internet Directory instance on OIDHOST2, issue these commands:

    ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

    Note:

    See the "Configuring Your Environment" section of Oracle Fusion Middleware Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.

7.3 Post-Configuration Steps

Follow the steps in this section to complete the configuration of the Oracle Internet Directory instances on OIDHOST1 and OIDHOST2.

7.3.1 Registering Oracle Internet Directory with the WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Internet Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Internet Directory instances installed on OIDHOST1 and OIDHOST2, follow these steps:

  1. Set the ORACLE_HOME variable. For example, on OIDHOST1 and OIDHOST2, issue this command:

    export ORACLE_HOME=/u01/app/oracle/product/fmw/idm

  2. Set the ORACLE_INSTANCE variable. For example:

    On OIDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1

    On OIDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst2

  3. Execute the opmnctl registerinstance command on both OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName -adminPort WLSPort -adminUsername adminUserName

    For example, on OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
   -adminHost idmhost1.mycompany.com-adminPort 7001 -adminUsername weblogic

    The command requires login to WebLogic admin server (idmhost1.mycompany.com)

    Username: weblogic

    Password: *******

    Note:

    For additional details on registering Oracle Internet Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance or Component with the WebLogic Server" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

  4. Update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

    Syntax:

    ./emctl switchOMS <ReposURL>.

    For Example:

    ./emctl switchOMS http://idmhost-vip.mycompany.com:7001/em/upload

    Output:

    ./emctl switchOMS http://idmhost-vip.mycompany.com:7001/em/upload 
Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.  
SwitchOMS succeeded.

  5. Validate if the agents on OIDHOST1 and OIDHOST2 are configured properly to monitor their respective targets. Follow these steps to complete this task:

    • Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.

      Log in as the weblogic user.

    • From the Domain Home Page navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    • Validate that the hostname in Agent URL under the Agent column matches the hostname under the Host column. In case of a mismatch, follow the steps below to correct the issue:

      • Click the configure link to bring up the Configure Target Page.

      • On the Configure Target Page, click Change Agent and choose the correct agent for the host.

      • Click OK to save your changes.

7.4 Validating the Oracle Internet Directory Instances

To validate the OID instances, ensure that you can connect to each Oracle Internet Directory instance and the load balancing router using these commands:

Note:

See the "Configuring Your Environment" section of Oracle Fusion Middleware Reference for Oracle Identity Management for a list of the environment variables you must set before using the ldapbind command.
ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
ldapbind -h oid.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oid.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

Note:

The -q option above prompts the user for a password. LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. Use this feature whenever possible.

7.5 Backing up the OID Configuration

It is an Oracle best practices recommendation to create a backup file after successfully completing the installation and configuration of each tier or at a logical point. Create a backup of the installation after verifying that the install so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific Backup and Recovery process can be initiated. More details are described in the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to Oracle Database Backup and Recovery Advanced User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the OID instances in the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall

    2. Create a backup of the Middleware home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME

    3. Create a backup of the Instance home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE

    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall

  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager. You can use an operating system tool such as tar for cold backups.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory:

    IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver

Note:

Create backups on all machines in the directory tier by following the steps shown in this section.

For more information about backing up the directory tier configuration, see Section 19.4, "Performing Backups and Recoveries."