Monday, August 29, 2011

Fusion Applications: Extending the Domain with Oracle Internet Directory

In my previous post I created the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control. In this post I will configure Oracle Internet Directory (OID) and extend this domain with OID. Furthermore, I will seed the Identity Store and Policy Store with data to be used by Oracle Access Manager.

First of all, this chapter took a lot longer than I expected. I ran into a couple of issues, some explainable and some still a mystery. My biggest issue was configuring OID on privileged port 389 and SSL port 636. After reading tons of posts (funny how you have to rely on posts and forums for Oracle installations), I was still not able to get the installer to complete successfully on ports 389/636, even after using the oracleRoot.sh script, which sets the uid of ldapbind to root. Finally, after reading a comment on a post on the OTN Forums, I started believing that I had to use the default non-privileged ports 3060/3061.

See this snippet from the forum:

The issue -- according to Oracle -- is the ports < 1024. OID is trying to start on port 389 when the config ends in error. The solution is to change the port OID is configured to use to the staticports.ini default of 3060 and then enter the Enterprise Manager console and change the port to 389 -- this does work.

Before starting the configuration wizard, you need to check/adjust a few settings on your host.

First of all, the configuration wizard fails if your hostname does not contain a domain name. Open the file /etc/sysconfig/network and add a domain name to your hostname if it is not present yet. My file looks like this:

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=FusionIDM.mycompany.com

Now add the hostname, including the domain, to your /etc/hosts file and make sure that the hostname does not point to 127.0.0.1 but to your actual network IP address.


I want to stick as close as possible to the installation manual, so I will use all the hosts in the installation manual and point these to myhost, as I am installing all FMW on the same server.

Reboot the server at this point so the hostname is set properly. Before we start the installer, make sure Oracle HTTP Server is not running! OID and Oracle HTTP Server are both started using opmn and are monitored by the agent EMAGENT, and both run on the same default Oracle ports (6700/5162). Since I am installing both on the same server, I will change these to instance-specific ports later, but to successfully configure OID using the installer, stop the HTTP Server now.
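As an added preflight check (not part of the original post), the following Python script verifies the host prerequisites described above: the hostname carries a domain part, and /etc/hosts maps it, together with the installation-manual host names pointed at this server, to one non-loopback address. The sample hosts-file contents and the 192.0.2.10 address are constructed for the example.

```python
import ipaddress

# Constructed sample /etc/hosts contents: a correct one, and one where the host
# name still maps to the loopback address (192.0.2.10 is a documentation address).
HOSTS_OK = """
127.0.0.1   localhost localhost.localdomain
192.0.2.10  FusionIDM.mycompany.com FusionIDM idstore.mycompany.com policystore.mycompany.com admin.mycompany.com
"""
HOSTS_LOOPBACK = """
127.0.0.1   localhost FusionIDM.mycompany.com FusionIDM
"""
# Installation-manual host names that this post points at the one physical server.
MANUAL_HOSTS = ("idstore.mycompany.com", "policystore.mycompany.com", "admin.mycompany.com")


def parse_hosts(text):
    """Map every name in /etc/hosts text (case-insensitive) to the address on its line."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then split address/names
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def check_host_setup(hostname, hosts_text, aliases=()):
    """Return the list of problems that would make the OID configuration wizard fail."""
    problems = []
    if "." not in hostname.strip("."):
        problems.append(f"hostname '{hostname}' has no domain part; "
                        "set HOSTNAME=host.domain in /etc/sysconfig/network")
    table = parse_hosts(hosts_text)
    addr = table.get(hostname.lower())
    if addr is None:
        problems.append(f"{hostname} is not listed in /etc/hosts")
    elif ipaddress.ip_address(addr).is_loopback:
        problems.append(f"{hostname} maps to loopback {addr}; use the real network address")
    for alias in aliases:   # every manual host name must land on the same real address
        if addr is None or table.get(alias.lower()) != addr:
            problems.append(f"{alias} does not map to the same address as {hostname}")
    return problems
```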

We are now ready to start the configuration wizard. Go to directory /u01/app/oracle/product/fmw/idm/bin and issue the command
./config.sh

On the welcome screen click on Next. On the next screen choose the option Configure Without A Domain and click on Next.


On the Specify Installation Location screen set

Oracle Instance Location to /u01/app/oracle/admin/oid_inst1 and

Oracle Instance Name to oid_inst1


Click on Next and on the next screen choose not to be informed about updates and click on Next. On the Configure Components screen choose only option Oracle Internet Directory.


On the Configure Ports screen select the option Specify Ports using Configuration file and click on Browse. Now select the file staticports.ini from directory /home/oracle/install/idm/Disk1/stage/Response. Now click on View/Edit and uncomment the part for the OID ports.


Note that the installation manual states using ports 389 and 636! I will use the default ports as delivered in this file, 3060/3061. Click on Save and then on Next. On the next screen select the option Use Existing Schema Connect String.


On the next screen you will see that the Realm is automatically filled in based on the domain part of your hostname. Specify the administrator password and click on Next.


On the Summary screen click on Configure. If all went well, you will see the following progress screen.


Click on Next and you will see the Installation Complete screen, which summarizes the configuration.


We can now validate that we can connect to OID using ldapbind.



We will now change the ports of opmn and EMAGENT for OID so we can run both instances on the same server. Go to directory /u01/app/oracle/admin/oid_inst1/config/OPMN/opmn, open the file ports.prop and change the port numbers of OPMN and EMAGENT.


Now open the file opmn.xml and change the ports for opmn.


Startup sequence

I now have Oracle Internet Directory, Oracle HTTP Server and Oracle WebLogic installed and configured on this host. We need to start the components in the following order:

  1. Oracle Internet Directory

  2. Oracle HTTP Server

  3. Oracle Weblogic Server

I created three scripts to start the individual components without conflicting ORACLE_HOMEs, and one script that calls the three start scripts.

#!/bin/sh
#
#
# startOID.sh
#
#
echo "Starting Oracle Internet Directory"

ORACLE_HOME=/u01/app/oracle/product/fmw/idm
ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1
PATH=$ORACLE_HOME/opmn/bin:$PATH
PATH=$ORACLE_HOME/bin:$PATH
PATH=$ORACLE_HOME/ldap/bin:$PATH
PATH=$ORACLE_HOME/ldap/admin:$PATH
export ORACLE_HOME
export ORACLE_INSTANCE
export PATH

echo "ORACLE_HOME set as $ORACLE_HOME"
echo "ORACLE_INSTANCE set as $ORACLE_INSTANCE"
echo "PATH set as $PATH"

opmnctl startall


#!/bin/sh
#
#
# startwebtier.sh
#
#
echo "Starting Oracle HTTP Server"

ORACLE_HOME=/u01/app/oracle/product/fmw/web
ORACLE_INSTANCE=/u01/app/oracle/admin/ohs_inst1
PATH=$ORACLE_HOME/opmn/bin:$PATH
export ORACLE_HOME
export ORACLE_INSTANCE
export PATH

echo "ORACLE_HOME set as $ORACLE_HOME"
echo "ORACLE_INSTANCE set as $ORACLE_INSTANCE"
echo "PATH set as $PATH"

opmnctl startall


#!/bin/sh
#
#
# startweblogic.sh
#
#
echo "Starting Weblogic Administration Manager"
# ORACLE_BASE is assumed to be /u01/app/oracle (the base of the paths used in this post);
# it is only defaulted here, so an ORACLE_BASE already set in the environment wins.
ORACLE_BASE=${ORACLE_BASE:-/u01/app/oracle}
export ORACLE_BASE
JAVA_OPTIONS=-DDomainRegistrationEnabled=true
export JAVA_OPTIONS

cd "$ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/bin" || exit 1
./startWebLogic.sh

Script to start all components:
#!/bin/sh
#
#
# startAll.sh
#
#
# Run from the directory that holds the three start scripts, whatever the current directory is.
cd "$(dirname "$0")" || exit 1

echo "Starting Oracle Internet Directory"
./startOID.sh

echo "Starting Oracle HTTP Server"
./startwebtier.sh

echo "Starting Oracle Weblogic Server"
./startweblogic.sh

Registering OID with Weblogic

Now that we have configured and started OID, we have to register OID with Oracle Enterprise Manager Fusion Middleware Control. Go to directory /u01/app/oracle/admin/oid_inst1/bin and issue the following command.



Now we have to update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. Issue the following command:


Now we will validate if the agent is configured properly to monitor the targets. Open the browser and go to http://admin.mycompany.com/em and log in with user weblogic.

Once logged in, choose Agent-Monitored Targets from the Farm menu.


As stated on the following screen, the agent for OID needs configuring. Click on the Configure icon.


On the configuration screen add the weblogic user and password.


Click on OK and you will now see that the agent is monitoring the target OID.



Generating a Certificate to be Used by the Identity Management Domain

External domains communicate with the Identity Management domain using SSL Server Authentication Only Mode. To enable the Identity Management domain to support this SSL mode, we must generate a certificate and store it in the Policy Store. To do this, go to directory /u01/app/oracle/fmw/oracle_common/bin and issue the command SSLGenCA.sh. The script will prompt for several parameters, see the following screen.



Configuring Oracle Internet Directory to Accept Server Authentication Mode SSL Connections

To enable SSL Server Authentication Only Mode for our domain, we must perform the following steps to ensure that our Oracle Internet Directory instance is capable of accepting requests using this mode.



Preconfiguring Identity Store and Policy Store

Before we can install Oracle Access Manager, we must seed the Identity Store and Policy Store with data. The installation manual states that to perform this step we need to have Oracle Virtual Directory installed and configured. Oracle Virtual Directory is not configured at this moment, so we will perform that one step after configuring Oracle Virtual Directory.

First start by creating a file called idstore.props that looks like this:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_READONLYUSER: readOnlyUser
IDSTORE_READWRITEUSER: readWriteUser
IDSTORE_SUPERUSER: weblogic
IDSTORE_OAMSOFTWAREUSER: oamSoftwareUser
IDSTORE_OAMADMINUSER: oamMasterAdminUser
IDSTORE_OIMADMINUSER: oimAdminUser
IDSTORE_OIMADMINGROUP: oimAdminGroup
POLICYSTORE_SHARES_IDSTORE: true

Now go to directory /u01/app/oracle/product/fmw/iam/idmtools/bin and issue the command
./idmConfigTool.sh -preConfigIDStore input_file=idstore.props

Output will look like this.



Creating Oracle Access Manager Users and Groups in LDAP

Prior to performing this step, ensure that there is a group in your LDAP store for Oracle Access Manager administrators, such as OAMAdministrator, and that a user such as oamadmin exists in that group.

To do this create the following files:

oam_user.ldif
dn:  cn=oamadmin,cn=Users,dc=mycompany,dc=com
cn:  oamadmin
sn:  oamadmin
description:  oamadmin
uid: oamadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
userpassword: [yourpasswordhere]

oam_group.ldif
dn: cn=OAMAdministrator,cn=Groups,dc=mycompany,dc=com
cn: OAMAdministrator
displayname: OAMAdministrator
description: OAMAdministrator
uniquemember: cn=oamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

Load the user and group into LDAP using the following commands:
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oam_user.ldif

Output will look like this:



ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oam_group.ldif

Output will look like this:



Seeding the xelsysadm User in Oracle Internet Directory

Now we have to create the xelsysadm user in Oracle Internet Directory. Note, however, that the ldapadd command is to be run against Oracle Virtual Directory. Create a file called xelsysadm.ldif with the following contents:
dn: cn=xelsysadm, cn=Users, dc=mycompany,dc=com
orclPwdChangeRequired: false
orclPwdExpirationDate: 2035-01-01T00:00:00Z
sn: admin
uid: xelsysadm
givenname: xelsysadm
displayname: xelsysadm
mail:xelsysadm@mycompany.com
cn: xelsysadm
objectclass: orclIDXPerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
userpassword: xelsysadm password
orclAccountEnabled: activated
orclisenabled: ENABLED

Output looks like this:


This gives an error that parameter oraclepwdchangerequired is not an attribute of any object class. After configuring Oracle Virtual Directory, we will try to create this user again.

Creating the OAAM User and Group

We will now create the user and groups for OAAM in the Identity Store.

To do this, create the following files:

oaam_user.ldif
dn:  cn=oaamadmin,cn=Users,dc=mycompany,dc=com
cn:  oaamadmin
sn: oaamadmin
description:  oaamadmin
uid: oaamadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
userpassword: [yourpasswordhere]

oaam_group.ldif
dn: cn=OAAMCSRGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMCSRGroup
displayname: OAAMCSRGroup
description: OAAMCSRGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMCSRManagerGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMCSRManagerGroup
displayname: OAAMCSRManagerGroup
description: OAAMCSRManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMEnvAdminGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMEnvAdminGroup
displayname: OAAMEnvAdminGroup
description: OAAMEnvAdminGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigationManagerGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMInvestigationManagerGroup
displayname: OAAMInvestigationManagerGroup
description: OAAMInvestigationManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigatorGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMInvestigatorGroup
displayname: OAAMInvestigatorGroup
description: OAAMInvestigatorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMRuleAdministratorGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMRuleAdministratorGroup
displayname: OAAMRuleAdministratorGroup
description: OAAMRuleAdministratorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMSOAPServicesGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMSOAPServicesGroup
displayname: OAAMSOAPServicesGroup
description: OAAMSOAPServicesGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

Load the user and groups into LDAP by issuing the following commands on the LDAP server:
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oaam_user.ldif
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oaam_group.ldif
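Before running the ldapadd commands above for the OAM files and the OAAM files, it is worth checking the LDIF files against idstore.props; the following Python script is an added example, not part of the original post or of idmConfigTool, and serves both sections. It parses the props file and the LDIF entries, then verifies that each user sits directly under IDSTORE_USERSEARCHBASE and each group under IDSTORE_GROUPSEARCHBASE (a mismatch is what produces the "Parent entry not found" ldapadd error quoted in the comments below), that every uniquemember names a user defined in the user file, and that the [yourpasswordhere] placeholder has been replaced. The embedded sample input is a constructed, cut-down copy of the idstore.props, oam_user.ldif and oam_group.ldif files from this post.

```python
import re

# Constructed sample input: idstore.props values and cut-down oam_user/oam_group
# LDIF from this post; the password placeholder is left in on purpose.
IDSTORE_PROPS = """
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
"""
OAM_USER_LDIF = """
dn:  cn=oamadmin,cn=Users,dc=mycompany,dc=com
cn:  oamadmin
uid: oamadmin
userpassword: [yourpasswordhere]
"""
OAM_GROUP_LDIF = """
dn: cn=OAMAdministrator,cn=Groups,dc=mycompany,dc=com
uniquemember: cn=oamadmin, cn=Users, dc=mycompany, dc=com
"""


def parse_props(text):
    """Read the 'KEY: value' lines of an idmConfigTool properties file."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def norm_dn(dn):
    """Lower-case a DN and drop blanks around ',' and '=' so spellings compare equal."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_ldif(text):
    """Return [(normalized dn, {attr: [values]})] for the blank-line separated entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")   # value may itself contain ':'
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append((norm_dn(attrs.pop("dn")[0]), attrs))
    return entries


def check_entries(props, user_ldif, group_ldif):
    """List what would make ldapadd fail or leave a broken entry behind."""
    problems = []
    user_base = norm_dn(props["IDSTORE_USERSEARCHBASE"])
    group_base = norm_dn(props["IDSTORE_GROUPSEARCHBASE"])
    users = parse_ldif(user_ldif)
    for dn, attrs in users:
        if dn.partition(",")[2] != user_base:   # wrong container: 'Parent entry not found'
            problems.append(f"{dn}: not directly under {user_base}")
        pw = attrs.get("userpassword", [""])[0]
        if not pw or pw.startswith("["):
            problems.append(f"{dn}: userpassword placeholder not replaced")
    known = {dn for dn, _ in users}
    for dn, attrs in parse_ldif(group_ldif):
        if dn.partition(",")[2] != group_base:
            problems.append(f"{dn}: not directly under {group_base}")
        for member in attrs.get("uniquemember", []):
            if norm_dn(member) not in known:   # dangling member: the group grants nothing
                problems.append(f"{dn}: uniquemember {member} is not in the user LDIF")
    return problems
```

Note that the -v switch on ldapadd echoes every value it adds, the userpassword included (the output quoted in the comments below shows this), so keep the LDIF files readable only by the oracle user and leave -v off when loading password-bearing entries.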

Preconfiguring Policy Store


Create a file called policystore.props that looks like this:
POLICYSTORE_HOST: policystore.mycompany.com
POLICYSTORE_PORT: 3060
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_READONLYUSER: PolStoreROUser
POLICYSTORE_READWRITEUSER: PolStoreRWUser
POLICYSTORE_CONTAINER: cn=jpsroot
POLICYSTORE_BINDDN: cn=orcladmin

Go to directory /u01/app/oracle/product/iam/idmtools/bin and issue the command
./idmConfigTool.sh -configPolicyStore input_file=policystore.props

Output looks like this:



This concludes the configuration of OID with Identity Store and Policy Store.
In my next post I will describe the steps to install and configure Oracle Directory Integration Platform (DIP) and Oracle Directory Services Manager (ODSM).

17 comments:

  1. [...] concludes the configuration of Weblogic Domain. In my next post I will describe the steps to Extend the Weblogic Domain with Oracle Identity [...]

  2. Madhu, 6:06 PM

    Folks

    I highly recommend you folks write a book on FMW. I have learnt more from the blog than the book I have bought or the documentation.

    Madhu

  3. Hello,

    I currently have a problem with the configuration of OAM with a WebLogic Server ( in Stand Alone mode) to test the SSO authentication with Web Applications.

    I see that you haven't made a topic about it yet, maybe you will. I would like to know if you have a link to a precise documentation about this topic.

    Thank you,

    Seth

  4. Venkat, 1:18 AM

    Hi,

    Can we install all components (OID,OIDM,Fusion Middleware,weblogic,OAM,OVD,OIM,Transaction DB) with Fusion Applications HCM.

    I have 8 GB RAM,xeon processor, 1 TB HDD server.

    Please let me know your suggestions.


    Thanks,
    Venkat

  5. Venkat,

    I hate to disappoint you, but the answer would be NOT possible.

    From unofficial sources, but people who have installed it at customers, say you need at least 16 GB RAM for FMW components and get ready minimal 60GB RAM for the FusionApps Database!!!

    I tried creating the FusionApps database on a dedicated 8GB RAM server and the creation wizard kept crashing with 'no memory available'. I had to tweak Linux kernel parameters and database parameters to force the database from not allocating more than 8GB. And this is just creating a blank database. Suppose how much additional memory you would need when the database is seeded with data and all kinds of middleware i/o processes running on the database. You might get it running but performance will be so low that it would be not acceptable or even annoying.
    Funny that Oracle has not provided any hardware requirements for this part yet. But stating that you need at least 60GB will cause a lot of people/customers to run away or at least think twice. Again these are unofficial numbers (making use of the Oracle Safe-Harbor statement).

    My main goal at this moment is cracking the installation manual into something useful. After that we will order sufficient servers to run this GIANT.

    Hakan

  6. Rafael Cassolato, 6:19 PM

    Hi.

    I am following the tutorials about the oracle fusion applications installation.

    I finished to install OID but I am not finding the next tutorial of the set.

    Can you please send us the link of the next post ?

    After finish this topic, what will be next step that I should do ?

    Thanks.

  7. Venkat, 7:12 PM

    Thanks Hakan for your prompt response.



    Thanks,
    Venkat

  8. [...] my previous post I described the steps to configure Oracle Internet Directory. In this post I will describe the [...]

  9. Maruti Bhanot, 7:08 PM

    Hi,

    Did you also encounter the error while connecting on port 7001:

    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

    Using 7002 it doesn't work. In the Weblogic admin panel I enabled 7002, I can reach via 7002 the Weblogic admin panel, but for the doing the certificate steps it doesn't work.

    Do you have any idea what it could be?

    regards Maruti

  10. Michael van der Wilden, 2:12 PM

    Hi Hakan,

    Thanks again for the detailed installation steps!
    Question: I have a problem with configuring the target /Farm_IDMDomain/oid_inst1/oid1 because he says the EM Agent monitoring the target is currently available...
    The error is: Target /Farm_IDMDomain/oid_inst1/oid1/oracle_ldap not found.

    Any idea what I've to do to fix this?

    Additional info:
    I had to restart the server and I did execute startOID, startwebtier and startweblogic (in that order) and with success.
    In the Farm_IDMDomain (tree) the following components are working: Web tier (ohs1), all internal applications (DMS, em, etc.), weblogic domain (adminserver)
    Except the Identity and Access (oid) -> no data available

    Pls. let me know if you need more detail.
    Thanks in advance.

    An admirer...

  11. Michael,

    Ensure that EMagent for OID is up and running. Try the following to see if EMagent is running: http://bloggingaboutoracle.com/wp-content/uploads/opmnctl-status-OID1.png

    In this post I changed the EMagent default port from 5162 to 5172 to avoid conflicting ports. Did you do this too? If so, check if the port is in use by other processes by issuing netstat -an | grep "5172" and assign another port for EMagent.

  12. Michael van der Wilden, 4:15 PM

    Hi Hakan,

    You were right. But I've changed the port number in ports.prop file, but somehow he didn't read it during startup. So I've changed the port number into 5172 in the staticports.ini file; and now it works fine.

    Thanks and I can't wait for the next blog!

    Kind regards,
    Michael

  13. Michael van der Wilden, 1:17 PM

    Hi Hakan, and other,

    I've found out that you need to enter the 'Monitoring Credentials' first with username weblogic and assigned password before you configure Target Name /Farm_IDMDomain/oid_inst1/oid1. Then it works fine.

    Good luck with the installation!

    Kind regards,
    Michael

  14. Fusion user, 7:47 PM

    Getting the following error while adding users:

    ldapadd -h ADMINVHN.4Pinfosys.com -p 3060 -D cn="orcladmin" -q -c -v -f /tmp/oam_user.ldif
    Please enter bind password:
    add cn:
    oamadmin
    add sn:
    oamadmin
    add description:
    oamadmin
    add uid:
    oamadmin
    add objectclass:
    top
    person
    organizationalPerson
    inetorgperson
    orcluser
    orcluserV2
    add userpassword:
    oracle123
    adding new entry cn=oamadmin,cn=Users,dc=4pfusion,dc=com
    ldap_add: No such object
    ldap_add: matched: dc=com
    ldap_add: additional info: Parent entry not found in the directory.

  15. Gerald Bennett, 7:29 PM

    For the step Generating a Certificate to be Used by the Identity Management Domain, I am not sure if an incorrect hostname is used or not. The oid.mycompany.com is not defined in /etc/hosts. However oidhost1.mycompany.com is, this worked for me.

    >>>Enter the LDAP hostname [mybox.mycompany.com]: oidhost1.mycompany.com

  16. Miguel, 11:13 PM

    I'm having trouble installing OID. When he tries to create Em agent, I got error. In the logs appears that he can't create em agent. I follow all the steps, but always get same error. Is there another way to install emagent after instance, or to get more detailed logs. Thanks in advance.


    PD:Sorry for my english, it's no good.

  17. Mridul, 7:29 AM

    Hi,
    excellent blog. thanks. I am following your document for Fusion middleware components. But on windows8 64 bit. I don't see equivalent of SSLGenCA.sh in windows. any idea how to go about secure ssl on this
