Fusion Applications: Extending the Domain with Oracle Internet Directory
In my previous post I created the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control. In this post I will configure Oracle Internet Directory (OID) and extend this domain with OID. Furthermore I will seed the Identity Store and Policy Store with data to be used by Oracle Access Manager.
First of all, this chapter took a lot longer than I expected. I ran into a couple of issues, some explainable and some still a mystery. My biggest issue was configuring OID on privileged port 389 and SSL port 636. After reading tons of posts (funny how you have to rely on posts and forums for Oracle installations), I was still not able to get the installer to complete successfully on ports 389/636, even after using the oracleRoot.sh script, which sets the uid of ldapbind to root. Finally, after reading a comment on a post on the OTN Forums, I started believing that I had to use the default non-privileged ports 3060/3061.
See this snippet from the forum:
The issue -- according to Oracle -- is the ports < 1024. OID is trying to start on port 389 when the config ends in error. The solution is to change the port OID is configured to use to the staticports.ini default of 3060 and then entering the Enterprise Manager console and change the port to 389 -- this does work.
Before starting the configuration wizard, you need to check/adjust a few settings on your host.
First of all, the configuration wizard fails if your hostname does not contain a domain name. Open the file /etc/sysconfig/network and add a domain name to your hostname if it is not present yet. My file looks like this:
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=FusionIDM.mycompany.com
Now add the hostname, including the domain, to your /etc/hosts file and make sure that it does not point to 127.0.0.1 but to your actual network IP address.
I want to stick as close as possible to the installation manual, so I will use all the hosts in the installation manual and point these to myhost, as I am installing all FMW on the same server.
Reboot the server at this point so the hostname is set properly. Before we start the installer, make sure Oracle HTTP Server is not running! OID and Oracle HTTP Server are both started using opmn and are monitored by the EMAGENT agent, and both use the same default Oracle ports (6700/5162). Since I am installing both on the same server, I will adjust the ports later to specific ports, but to successfully configure OID using the installer, stop the HTTP Server now.
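The three host checks above (a hostname that carries a domain, an /etc/hosts entry for it that is not 127.0.0.1, and the default OPMN/EMAGENT ports 6700/5162 not already held by Oracle HTTP Server) can be scripted so they are verified before config.sh is launched. The following POSIX sh preflight script is an added example and not part of the original post; it assumes the host has /etc/sysconfig/network, /etc/hosts and netstat.

```shell
#!/bin/sh
# oid_preflight.sh: host checks to run before config.sh for OID (added example,
# not from the original post; assumes /etc/sysconfig/network, /etc/hosts and
# "netstat -an" exist). Usage: sh oid_preflight.sh --check

# sysconfig_hostname: print the HOSTNAME= value from /etc/sysconfig/network on stdin
sysconfig_hostname() {
  sed -n 's/^HOSTNAME=//p' | tail -n 1
}
# hostname_has_domain NAME: 0 if NAME has a non-empty label on both sides of a dot
hostname_has_domain() {
  case "$1" in
    ?*.?*) return 0 ;;
    *)     return 1 ;;
  esac
}

# hosts_address_for NAME: print the address that /etc/hosts content on stdin maps NAME to
hosts_address_for() {
  awk -v name="$1" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}
# hosts_entry_ok NAME ADDRESS: 0 only when NAME resolves to a non-loopback address
hosts_entry_ok() {
  [ -n "$2" ] || return 1
  case "$2" in
    127.*|::1) return 1 ;;
    *)         return 0 ;;
  esac
}

# listens_on PORT: 0 if "netstat -an" output on stdin has a LISTEN socket whose
# local address ends in :PORT (matches 0.0.0.0:5162 and :::6700 alike)
listens_on() {
  awk -v port="$1" '
    $NF == "LISTEN" { n = split($4, a, /[.:]/); if (a[n] == port) found = 1 }
    END { exit found ? 0 : 1 }'
}

# run_preflight: apply all checks to this host; returns the number of failed checks
run_preflight() {
  fails=0
  host=$(hostname)
  if [ -r /etc/sysconfig/network ]; then
    h=$(sysconfig_hostname < /etc/sysconfig/network); [ -n "$h" ] && host=$h
  fi
  if hostname_has_domain "$host"; then echo "ok   hostname $host carries a domain"
  else echo "FAIL hostname $host has no domain part"; fails=$((fails + 1)); fi
  addr=$(hosts_address_for "$host" < /etc/hosts)
  if hosts_entry_ok "$host" "$addr"; then echo "ok   /etc/hosts maps $host to $addr"
  else echo "FAIL /etc/hosts maps $host to '${addr:-nothing}'"; fails=$((fails + 1)); fi
  for p in 6700 5162; do            # default OPMN and EMAGENT ports shared with OHS
    if netstat -an 2>/dev/null | listens_on "$p"; then
      echo "FAIL port $p in use: stop Oracle HTTP Server first"; fails=$((fails + 1))
    else echo "ok   port $p is free"; fi
  done
  return "$fails"
}
[ "${1:-}" = "--check" ] && run_preflight
```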
We are now ready to start the configuration wizard. Go to directory /u01/app/oracle/product/fmw/idm/bin and issue the command
./config.sh
On the welcome screen click on Next. On the next screen choose the option Configure Without A Domain and click on Next.
On the Specify Installation Location screen set
Oracle Instance Location to /u01/app/oracle/admin/oid_inst1 and
Oracle Instance Name to oid_inst1
Click on Next and on the next screen choose not to be informed about updates and click on Next. On the Configure Components screen choose only option Oracle Internet Directory.
On the Configure Ports screen select the option Specify Ports using Configuration file and click on Browse. Now select the file staticports.ini from directory /home/oracle/install/idm/Disk1/stage/Response. Click on View/Edit and uncomment the part for the OID ports.
Note that the installation manual states to use ports 389 and 636! I will use the default ports as delivered in this file, 3060/3061. Click on Save and then on Next. On the next screen select the option Use Existing Schema Connect String.
On the next screen you will see that the Realm is automatically filled in based on your hostname's domain. Specify the administrator password and click on Next.
On the Summary screen click on Configure. If all went well, you will see following progress screen.
Click on Next and you will see the Installation Complete screen, which summarizes the configuration.
We can now validate if we can use ldapbind to connect to OID.
We will now change the ports of opmn and EMAGENT for OID so we can start both instances on the same server. Go to directory /u01/app/oracle/admin/oid_inst1/config/OPMN/opmn, open the file ports.prop and change the port numbers of OPMN and EMAGENT.
Now open file opmn.xml and change ports for opmn.
Startup sequence
I now have Oracle Internet Directory, Oracle HTTP Server and Oracle WebLogic installed and configured on this host. We need to start the components in the following order:
- Oracle Internet Directory
- Oracle HTTP Server
- Oracle Weblogic Server
#!/bin/sh
#
#
# startOID.sh
#
#
echo "Starting Oracle Internet Directory"
ORACLE_HOME=/u01/app/oracle/product/fmw/idm
ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1
PATH=$ORACLE_HOME/opmn/bin:$PATH
PATH=$ORACLE_HOME/bin:$PATH
PATH=$ORACLE_HOME/ldap/bin:$PATH
PATH=$ORACLE_HOME/ldap/admin:$PATH
export ORACLE_HOME
export ORACLE_INSTANCE
export PATH
echo "ORACLE_HOME set as $ORACLE_HOME"
echo "ORACLE_INSTANCE set as $ORACLE_INSTANCE"
echo "PATH set as $PATH"
opmnctl startall

#!/bin/sh
#
#
# startwebtier.sh
#
#
echo "Starting Oracle HTTP Server"
ORACLE_HOME=/u01/app/oracle/product/fmw/web
ORACLE_INSTANCE=/u01/app/oracle/admin/ohs_inst1
PATH=$ORACLE_HOME/opmn/bin:$PATH
export ORACLE_HOME
export ORACLE_INSTANCE
export PATH
echo "ORACLE_HOME set as $ORACLE_HOME"
echo "ORACLE_INSTANCE set as $ORACLE_INSTANCE"
echo "PATH set as $PATH"
opmnctl startall
#!/bin/sh
#
#
# startweblogic.sh
#
#
# Assumes ORACLE_BASE is already set in the environment (/u01/app/oracle in this setup).
echo "Starting Weblogic Administration Manager"
export JAVA_OPTIONS=-DDomainRegistrationEnabled=true
cd $ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/bin
./startWebLogic.sh
Script to start all components (run from the directory holding the three scripts above):
#!/bin/sh
#
#
# startAll.sh
#
#
echo "Starting Oracle Internet Directory"
./startOID.sh
echo "Starting Oracle HTTP Server"
./startwebtier.sh
echo "Starting Oracle Weblogic Server"
./startweblogic.sh
Registering OID with WebLogic
Now that we have configured and started OID we have to register OID with Oracle Enterprise Manager Fusion Middleware Control. Go to directory /u01/app/oracle/admin/oid_inst1/bin and issue the following command.
Now we have to update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. Issue the following command:
Now we will validate if the agent is configured properly to monitor the targets. Open the browser and go to http://admin.mycompany.com/em and log in with user weblogic.
Once logged in, choose Agent-Monitored Targets from the Farm menu.
As stated on the following screen, the agent for OID needs configuring. Click on the Configure icon.
On the configuration screen add the weblogic user and password.
Click on OK and you will now see that the agent is monitoring the target OID.
Generating a Certificate to be Used by the Identity Management Domain
External domains communicate with the Identity Management domain using SSL Server Authentication Only Mode. To enable the Identity Management domain to support this SSL mode, we must generate a certificate and store it in the Policy Store. To do this, go to directory /u01/app/oracle/fmw/oracle_common/bin and issue the command SSLGenCA.sh. The script will prompt for several parameters; see the following screen.
Configuring Oracle Internet Directory to Accept Server Authentication Mode SSL Connections
To enable SSL Server Authentication Only Mode for our domain, we must perform the following to ensure that our Oracle Internet Directory instance is capable of accepting requests using this mode.
Preconfiguring Identity Store and Policy Store
Before we can install Oracle Access Manager, we must seed the Identity Store and Policy Store with data. The installation manual states that to perform this step we need to have Oracle Virtual Directory installed and configured. Oracle Virtual Directory is not configured at this moment, so that one step will be done after Oracle Virtual Directory has been configured.
First start by creating a file called idstore.props that looks like this:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 3060
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
IDSTORE_READONLYUSER: readOnlyUser
IDSTORE_READWRITEUSER: readWriteUser
IDSTORE_SUPERUSER: weblogic
IDSTORE_OAMSOFTWAREUSER: oamSoftwareUser
IDSTORE_OAMADMINUSER: oamMasterAdminUser
IDSTORE_OIMADMINUSER: oimAdminUser
IDSTORE_OIMADMINGROUP: oimAdminGroup
POLICYSTORE_SHARES_IDSTORE: true
Now go to directory /u01/app/oracle/product/fmw/iam/idmtools/bin and issue the command
./idmConfigTool.sh -preConfigIDStore input_file=idstore.props
The output will look like this:
Creating Oracle Access Manager Users and Groups in LDAP
Prior to performing this step, ensure that there is a group in your LDAP store for Oracle Access Manager administrators, such as OAMAdministrator, and that a user such as oamadmin exists in that group.
To do this create the following files:
oam_user.ldif
dn: cn=oamadmin,cn=Users,dc=mycompany,dc=com
cn: oamadmin
sn: oamadmin
description: oamadmin
uid: oamadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
userpassword: [yourpasswordhere]
oam_group.ldif
dn: cn=OAMAdministrator,cn=Groups,dc=mycompany,dc=com
cn: OAMAdministrator
displayname: OAMAdministrator
description: OAMAdministrator
uniquemember: cn=oamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup
Load the user and group into LDAP using the following commands:
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oam_user.ldif
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oam_group.ldif
Output will look like this:
Seeding the xelsysadm User in Oracle Internet Directory
Now we have to create the xelsysadm user in Oracle Internet Directory. Run the ldapadd command, however, against Oracle Virtual Directory. Create a file called xelsysadm.ldif with the following contents:
dn: cn=xelsysadm, cn=Users, dc=mycompany,dc=com
orclPwdChangeRequired: false
orclPwdExpirationDate: 2035-01-01T00:00:00Z
sn: admin
uid: xelsysadm
givenname: xelsysadm
displayname: xelsysadm
mail: xelsysadm@mycompany.com
cn: xelsysadm
objectclass: orclIDXPerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
userpassword: xelsysadm password
orclAccountEnabled: activated
orclisenabled: ENABLED
The output looks like this:
This gives an error that orclPwdChangeRequired is not an attribute of any object class. After configuring Oracle Virtual Directory, we will try to create this user again.
Creating the OAAM User and Group
We will now create the user and groups for OAAM in the Identity Store.
To do this, create the following files:
oaam_user.ldif
dn: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
cn: oaamadmin
sn: oaamadmin
description: oaamadmin
uid: oaamadmin
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
userpassword: [yourpasswordhere]
oaam_group.ldif
dn: cn=OAAMCSRGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMCSRGroup
displayname: OAAMCSRGroup
description: OAAMCSRGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMCSRManagerGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMCSRManagerGroup
displayname: OAAMCSRManagerGroup
description: OAAMCSRManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMEnvAdminGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMEnvAdminGroup
displayname: OAAMEnvAdminGroup
description: OAAMEnvAdminGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigationManagerGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMInvestigationManagerGroup
displayname: OAAMInvestigationManagerGroup
description: OAAMInvestigationManagerGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMInvestigatorGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMInvestigatorGroup
displayname: OAAMInvestigatorGroup
description: OAAMInvestigatorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMRuleAdministratorGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMRuleAdministratorGroup
displayname: OAAMRuleAdministratorGroup
description: OAAMRuleAdministratorGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup

dn: cn=OAAMSOAPServicesGroup,cn=Groups,dc=mycompany,dc=com
cn: OAAMSOAPServicesGroup
displayname: OAAMSOAPServicesGroup
description: OAAMSOAPServicesGroup
uniquemember: cn=oaamadmin,cn=Users,dc=mycompany,dc=com
objectclass: top
objectclass: groupofuniquenames
objectclass: orclgroup
Load the user and groups into LDAP by issuing the following commands on the LDAP server:
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oaam_user.ldif
ldapadd -h idstore.mycompany.com -p 3060 -D cn="orcladmin" -q -c -v -f oaam_group.ldif
Preconfiguring Policy Store
Create a file called policystore.props that looks like this:
POLICYSTORE_HOST: policystore.mycompany.com
POLICYSTORE_PORT: 3060
POLICYSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_READONLYUSER: PolStoreROUser
POLICYSTORE_READWRITEUSER: PolStoreRWUser
POLICYSTORE_CONTAINER: cn=jpsroot
POLICYSTORE_BINDDN: cn=orcladmin
Go to directory /u01/app/oracle/product/iam/idmtools/bin and issue the command
./idmConfigTool.sh -configPolicyStore input_file=policystore.props
The output looks like this:
This concludes the configuration of OID with Identity Store and Policy Store.
In my following post I will describe the steps to install and configure Oracle Directory Integration Platform (DIP) and Oracle Directory Services Manager (ODSM).
16 Responses (last comment shown first)
For the step Generating a Certificate to be Used by the Identity Management Domain, I am not sure if an incorrect hostname is used or not. The oid.mycompany.com is not defined in /etc/hosts. However oidhost1.mycompany.com is, this worked for me.
>>>Enter the LDAP hostname [mybox.mycompany.com]: oidhost1.mycompany.com
Getting the following error while adding users:
ldapadd -h ADMINVHN.4Pinfosys.com -p 3060 -D cn="orcladmin" -q -c -v -f /tmp/oam_user.ldif
Please enter bind password:
add cn:
oamadmin
add sn:
oamadmin
add description:
oamadmin
add uid:
oamadmin
add objectclass:
top
person
organizationalPerson
inetorgperson
orcluser
orcluserV2
add userpassword:
oracle123
adding new entry cn=oamadmin,cn=Users,dc=4pfusion,dc=com
ldap_add: No such object
ldap_add: matched: dc=com
ldap_add: additional info: Parent entry not found in the directory.
Hi Hakan, and other,
I’ve found out that you need to enter the ‘Monitoring Credentials’ first with username weblogic and assigned password before you configure Target Name /Farm_IDMDomain/oid_inst1/oid1. Then it works fine.
Good luck with the installation!
Kind regards,
Michael
Hi Hakan,
You were right. But I’ve changed the port number in ports.prop file, but somehow he didn’t read it during startup. So I’ve changed the port number into 5172 in the staticports.ini file; and now it works fine.
Thanks and I can’t wait for the next blog!
Kind regards,
Michael
Michael,
Ensure that the EMagent for OID is up and running. Try the following to see if the EMagent is running: http://bloggingaboutoracleapplications.org/wp-content/uploads/opmnctl-status-OID1.png
In this post I changed the EMagent default port from 5162 to 5172 to avoid conflicting ports. Did you do this too? If so, check if the port is in use by other processes by issuing netstat -an | grep "5172" and assign another port for the EMagent.
Hi Hakan,
Thanks again for the detailed installation steps!
Question: I have a problem with configuring the target /Farm_IDMDomain/oid_inst1/oid1 because he says the EM Agent monitoring the target is currently available…
The error is: Target /Farm_IDMDomain/oid_inst1/oid1/oracle_ldap not found.
Any idea what I’ve to do to fix this?
Additional info:
I had to restart the server and I did execute startOID, startwebtier and startweblogic (in that order) and with success.
In the Farm_IDMDomain (tree) the following components is working: Web tier (ohs1), all internal applications (DMS, em, etc.), weblogic domain (adminserver)
Except the Identity and Access (oid) -> no data available
Pls. let me know if you need more detail.
Thanks in advance.
An admirer…
Hi,
Did you also encounter the error while connecting on port 7001:
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
Using 7002 it doesn’t work. In the WebLogic admin panel I enabled 7002, and I can reach the WebLogic admin panel via 7002, but for doing the certificate steps it doesn’t work.
Do you have any idea what it could be?
regards Maruti
Hi.
I am following the tutorials about the oracle fusion applications installation.
I finished installing OID but I am not finding the next tutorial of the set.
Can you please send us the link of the next post ?
After finish this topic, what will be next step that I should do ?
Thanks.
Venkat,
I hate to disappoint you, but the answer would be NOT possible.
Unofficial sources, but people who have installed it at customers, say you need at least 16 GB RAM for the FMW components and to get ready for a minimum of 60 GB RAM for the FusionApps Database!!!
I tried creating the FusionApps database on a dedicated 8 GB RAM server and the creation wizard kept crashing with ‘no memory available’. I had to tweak Linux kernel parameters and database parameters to force the database to not allocate more than 8 GB. And this is just creating a blank database. Imagine how much additional memory you would need when the database is seeded with data and all kinds of middleware I/O processes are running on the database. You might get it running, but performance will be so low that it would be not acceptable or even annoying.
Funny that Oracle has not provided any hardware requirements for this part yet. But stating that you need at least 60 GB will cause a lot of people/customers to run away or at least think twice. Again, these are unofficial numbers (making use of the Oracle Safe-Harbor statement).
My main goal at this moment is cracking the installation manual into something useful. After that we will order sufficient servers to run this GIANT.
Hakan
Hi,
Can we install all components (OID, OIDM, Fusion Middleware, WebLogic, OAM, OVD, OIM, Transaction DB) with Fusion Applications HCM?
I have 8 GB RAM,xeon processor, 1 TB HDD server.
Please let me know your suggestions.
Thanks,
Venkat
Hello,
I currently have a problem with the configuration of OAM with a WebLogic Server ( in Stand Alone mode) to test the SSO authentication with Web Applications.
I see that you haven’t made a topic about it yet, maybe you will. I would like to know if you have a link to a precise documentation about this topic.
Thank you,
Seth
Folks
I highly recommend you folks write a book on FMW. I have learnt more from the blog than the book I have bought or the documentation.
Madhu
I’m having trouble installing OID. When he tries to create the EM agent, I get an error. In the logs it appears that he can’t create the EM agent. I followed all the steps, but always get the same error. Is there another way to install the EM agent after the instance, or to get more detailed logs? Thanks in advance.
PS: Sorry for my English, it’s not good.