Automating Oracle IAM Suite 11gR2 PS3 (11.1.2.3.0) Installation in Oracle Linux 7.1

The Oracle Identity and Access Management Suite 11gR2 Patchset 3 introduces important new features and improvements to the user interface, expansion of Oracle's Mobile Security offering, directory virtualization with Oracle Unified Directory, enhanced Privilege Account Management, and automation tools for patching and deploying the IAM Suite, among other capabilities. This article describes the steps to use the new Life Cycle Management (LCM) tools to automate the deployment of the Oracle IAM Suite 11g R2 PS3 in Oracle Linux 7.1.



Oracle IAM Suite 11gR2 Patchset 3 Overview


This new update introduces important new features and improvements to the user interface that simplify the tasks associated with the provisioning and management of identities within organizations. The new features include: expansion of Oracle's Mobile Security offering, with capabilities for mobile device management; a policy framework to facilitate the provisioning of devices; directory virtualization with Oracle Unified Directory; enhanced Privilege Account Management with Windows session recording; and extended automation tools for patching and installing the IAM Suite.

Oracle IAM 11gR2 Patchset 3 can be installed as a new product or applied to existing installations, including:

  • 11g Release 2 (11.1.2.0)
  • 11g Release 2 Patchset 1 (11.1.2.1)
  • 11g Release 2 Patchset 2 (11.1.2.2)

Automated Installation using LCM Tools


The Life Cycle Management (LCM) tools are provided to automate the deployment of the IAM Suite; they represent a major step in reducing deployment times and potentially eliminating human errors. The automation capability was introduced in 11.1.2.2.0 and was known as the Deployment Wizard tool.

In 11.1.2.3.0, the LCM tools allow only the installation of single-host scenarios. While this can be seen as limited to proof-of-concept and development deployments, future releases will add capabilities to support multiple hosts, topologies and production environments.

Some of the benefits you will find with the LCM tools are:

  • Use of Oracle IAM Deployment Repository, a single software distribution containing all software required to deploy, patch and upgrade the IAM Suite
  • Automatic installation, configuration, deployment, and patching of the IAM software
  • Use of the Environment Health Check Utility to verify your system requirements before you deploy and to verify the environment after you deploy
  • Component-by-component upgrading of the environment deployed with the LCM tools, so as to minimize downtime

Here are the supported topologies for a single-host scenario:

  • Oracle Identity Manager (OIM) Only
  • Oracle Access Manager (OAM) Suite and Oracle Mobile Security Suite (OMSS) Only
  • OIM-OAM-OMSS Integrated with Directory

Figures 1, 2 and 3 (below) depict these topologies. This article will focus on describing how to automate the deployment of the OIM-OAM-OMSS Integrated with Directory topology.

Figure 1. OIM Deployment Topology

Figure 2. OAM-OMSS Deployment Topology

Figure 3. OIM-OAM-OMSS Deployment Topology

Roadmap for Automated Deployment



Figure 4 shows the roadmap for automated deployment of the IAM Suite using the LCM tools. Note the different steps that can be executed automatically in sequence or manually on a step-by-step basis, using either a graphical or command line interface.

  Figure 4. Stages for Automated Deployment

Deployment Prerequisites


The following list summarizes the tasks that you will need to do before automating the deployment of the IAM Suite:

  • Download the compressed Oracle IAM Deployment Repository files. These can be obtained from the Oracle Software Delivery Cloud (requires registration or login) or from My Oracle Support (using a customer account). Figure 5 (below) shows how to get the files from the Software Delivery Cloud; search for Patchset 21037613 in My Oracle Support to find the location to download the files. You will need at least 20 GB of disk space to download all the files.
  • Optionally, you can install the JDK included in the repository or download the latest Java SE Development Kit. At the time of this writing we downloaded the Java SE Development Kit 7u80 (rpm file jdk-7u80-linux-x64.rpm).
  • Unzip the repository files into a staging folder; you will need an additional 20 GB of space to hold the uncompressed files. The LCM tools and Health Check Utility are included, so you don't need to download additional files. Figure 6 (below) shows the top-level directory structure of the staging folder containing the uncompressed files.
  • Although the documentation recommends installing some mandatory patches for middleware components like the Oracle Database and WebLogic Server, you will find out later that the built-in patches in the repository supersede most of the mandatory patches listed in the documentation and thus not all of them need to be installed. For this demonstration we downloaded only the database patch 17501296 from My Oracle Support.

Figure 5. Downloading Install Media

Figure 6. IAM Deployment Repository – Top Level Tree

Automated Deployment


The following steps guide you through automating the deployment of Oracle IAM Suite 11gR2 PS3 (11.1.2.3.0) using the LCM tools, including the steps to configure the operating system (OS), as well as the installation of the underlying database.

The target server used to deploy the consolidated topology was a virtual machine (VM), but you can use any physical server or virtualized infrastructure to do the deployment as long as the configuration meets the minimum requirements. The following lists the VM configuration used to write this article:

  • OS Type : Linux
  • Virtual CPUs : 2
  • Memory : 32 GB
  • Disk : 70 GB

The guest OS installed in the VM was Oracle Linux 7.1 with the Server with GUI option. The Resources section at the end of this article contains links with further information about Oracle Linux and Oracle IAM documentation.

Installing the Oracle Database


  1. Although the Oracle database software is included in the repository, you first need to install the database before you can deploy the IAM suite using the LCM tools. The steps below follow a manual approach to preconfiguring the operating environment. Log in as “root” user and run the following commands to create the groups and user needed to start the installation of the database:
          
          /usr/sbin/groupadd oinstall
          /usr/sbin/groupadd dba
          /usr/sbin/useradd -g oinstall -G dba oracle


          Define a password for the new user:
          
          passwd oracle

    Note: You can simplify preconfiguration of the operating environment by installing the oracle-rdbms-server-11gR2-preinstall rpm, which is available in the Oracle public yum repository. This will save you some steps in this section.
  2. If you do not have a DNS server to resolve names, then modify the hosts file to add a Fully Qualified Domain Name (FQDN) for the target server. For example, assuming the host name is ora-iambox.local, edit /etc/hosts and add the following entry:
        
        192.168.0.140 ora-iambox.local ora-iambox
        
        Note: If you need to change your host name, try the command below; you will also need to update the /etc/hosts and /etc/sysconfig/network files with the new name.
        
        hostname -b [new_host_name]
  3. Proceed to install the Java SE Development Kit. For example, assuming the rpm version was downloaded in /root/Downloads, login as “root” user and run the following commands:
        
        cd /root/Downloads
        rpm -ivh jdk-7u80-linux-x64.rpm

        Run the following commands to verify the installation:
        
        rpm -q jdk
        rpm -q --list jdk | grep "bin/java"

        Edit /etc/profile and add the following lines to export JAVA_HOME and add it to the system path:
        
        export JAVA_HOME=/usr/java/jdk1.7.0_80
        export PATH=$JAVA_HOME/bin:$PATH
        
  4. This step is optional and will depend on whether you extracted the repository files in the target server or in a network drive. In our case, we extracted all files to the SMB share Volume_2 on host 192.168.0.17. As “root” user, run the following commands to mount the share at the local mount point /IAM:
        
        mkdir /IAM
        mount -t cifs -o rw,username=smbuser,password=Passw0rd //192.168.0.17/volume_2 /IAM
        
  5. As “root” user, run the following commands to install the packages needed by the database installer:
        
        yum install libaio-devel
        yum install elfutils-libelf-devel
        yum install compat-libstdc++-33-3.2.3
        yum install gcc-c++

        
        Note: You’ll need internet access to succeed with the above commands.
  6. Log in as “oracle” user to run the installer for the Oracle database (see Figure 7, below). Since the database files are included in the deployment repository, we just need to point to the location of the repository to start the installation. For example, assuming the repository is located inside mounting point /IAM subfolder /SOFTWARE/OracleIAM, we run the following commands:
          
          cd /IAM/SOFTWARE/OracleIAM/installers/database/Disk1
          ./runInstaller
    Figure 7. Database Installer
  7. Because this is a demo installation, in the Configure Security Updates window, we leave the email field empty and uncheck the box to receive security updates. Click Next to continue. Then click Yes to the warning message.
  8. In the Download Software Update window, select Skip software update and click Next to continue.
  9. In the Select Installation Option window, select Create and configure database and click Next to continue.
  10. In the System Class window, select Server Class and click Next to continue.
  11. In the Grid Installation Options window, select Single instance database installation and click Next to continue.
  12. In the Select Install Type window, select Typical install and click Next to continue.
  13. In the Typical Install Configuration window, enter the following values and click Next to continue.
        
        Oracle base : /home/oracle/app/oracle
        Software location : /home/oracle/app/oracle/product/11.2.0/dbhome_1
        Storage type : File System
        Database file loc : /home/oracle/app/oracle/oradata
        Database edition : Enterprise Edition (4.7GB)
        OSDBA Group : dba
        Global db name : iam.local
        Admin Password : Passw0rd

        
  14. In the Create Inventory window, make sure the following values are entered and selected. Click Next to continue.
        
        Inventory Directory : /home/oracle/app/oraInventory
        oraInventory Group Name : oinstall
  15. In the Perform Prerequisite Checks window, click the Fix and Check Again button to fix the warnings.
          
          Follow the instructions in the Execute Fixup Scripts window (Figure 8, below). To do so, open a terminal session as “root” user and run the requested script. E.g.:
          
          /tmp/CVU_11.2.0.4.0_oracle/runfixup.sh
          
          Then, come back to the Execute Fixup Scripts window and click OK to continue.

    Figure 8. Execute Fixup Scripts Window
  16. Back in the Perform Prerequisite Checks window, if two warnings are displayed (swap size and pdksh), click the Ignore All checkbox and then click Next to continue.
        
        Click Yes to continue if a warning message is displayed.
        
        Note: pdksh is a package that is already installed in Oracle Linux, and the swap size can be different depending on the amount of memory installed in the server.
  17. In the Summary window (Figure 9, below), review the installation parameters and click Install to start the installation.
          
          Note: If during the installation, an error with “invoking target agent nmhs...” is displayed, without closing the message window proceed to open a terminal as “root” user. Edit the following file: /home/oracle/app/oracle/product/11.2.0/dbhome_1/sysman/lib/ins_emagent.mk
          
          And change the following lines, from:
          $(SYSMANBIN)emdctl:
          $(MK_EMAGENT_NMECTL)

          
          To:
          $(SYSMANBIN)emdctl:
          $(MK_EMAGENT_NMECTL) -lnnz11

          
          Then, back in the message window, click the Retry button to continue with the installation.

    Figure 9. Summary Window
  18. During the installation, the Database Configuration Assistant window shows the progress of the database creation. Once the installation is completed, the resulting values are displayed. Click OK to continue. Here is a sample output:
        
        For details check the log file at:
        /home/oracle/app/oracle/cfgtoollogs/dbca/iam
        
        Database information:
        Global Database Name : iam.local
        System Identifier (SID) : iam
        Server Parameter File : /home/oracle/app/oracle/product/11.2.0/dbhome_1/dbs/spfileiam.ora
        
        The database Control URL is https://ora-iambox.local:1158/em
  19. In the Execute Configuration Scripts window, note the instructions and run the scripts by opening a terminal as “root” user and running the following commands:
        
        /home/oracle/app/oraInventory/orainstRoot.sh
        /home/oracle/app/oracle/product/11.2.0/dbhome_1/root.sh

        
        When running the second script, you will be prompted to enter a local bin directory. Press Enter to accept the default value of /usr/local/bin. Once the execution is completed, return to the Configuration Scripts window and click OK to continue.
  20. The Finish window is displayed in Figure 10, below. Proceed to write down the URL location to access the Enterprise Manager Database Control, then click Close to close the installer.
          
          Enterprise Manager Database Control URL – (iam)
          https://ora-iambox.local:1158/em

    Figure 10. Finish Window
  21. Check the installation. Open a browser window and enter the Database Control URL along with the following credentials:
        
        Console URL: https://ora-iambox.local:1158/em
        User : sys
        Pass : Passw0rd
        Connect as : SYSDBA

        
        If everything worked OK, the Enterprise Manager console is displayed.
        
        Note: The IAM schema repositories are created by the LCM tools during the deployment, so there is no need to run the Repository Creation Utility (RCU) tool.
  22. Install mandatory patch 17501296. Log in as “oracle” user and unzip the patch bundle into temporary folder /tmp, then follow the instructions below.
  23. Run the following commands to shut down the database:

          export ORACLE_SID=iam
          export ORACLE_UNQNAME=iam
          export ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1
          export PATH=$PATH:$ORACLE_HOME/OPatch
          cd $ORACLE_HOME/bin
          ./sqlplus / as sysdba
          SQL> shutdown immediate;
          SQL> exit

          
          Now apply the patch by running the following commands:
          cd /tmp/p17501296_112040_Generic/17501296
          opatch apply

          Check if the patch has been applied successfully:
          opatch lsinventory
          
          Start the database:
          cd $ORACLE_HOME/bin
          ./sqlplus / as sysdba
          SQL> startup
          
  24. Finally, as “oracle” user, set the environment variables. To do so, follow the instructions below.
        
        Edit the user profile:
        vi .bash_profile
        
        Add the following lines to the end:
        export ORACLE_SID=iam
        export ORACLE_UNQNAME=iam
        export ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1
        export PATH=$ORACLE_HOME/bin:$PATH

        
        Reload the user profile:
        . .bash_profile
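
The mount command in step 4 passes the SMB password as a command-line option, which exposes it through the process list while the command runs and through root's shell history. The following added example (not part of the original article) builds the same mount with the credentials= option of mount.cifs and checks fstab-style files for inline passwords; the credentials file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: the credentials
# file path and all function names. Share, user and mount point are the
# article's own demo values from step 4.

# Write a credentials file readable only by its owner. The password is read
# from stdin, so it never appears in argv or in shell history.
write_cifs_credentials() {
    cred_file=$1
    smb_user=$2
    IFS= read -r smb_pass || return 1
    (
        umask 077
        : > "$cred_file" || exit 1
        chmod 600 "$cred_file" || exit 1   # tighten a pre-existing file too
        printf 'username=%s\npassword=%s\n' "$smb_user" "$smb_pass" >> "$cred_file"
    )
}

# Succeed only if the file grants nothing to group or others.
credentials_file_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the step 4 mount command with credentials= in place of password=.
cifs_mount_command() {
    printf 'mount -t cifs -o rw,credentials=%s %s %s\n' "$1" "$2" "$3"
}

# Print fstab-style lines that mount cifs with an inline password
# (mount.cifs accepts both password= and pass=).
find_inline_cifs_passwords() {
    awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)pass(word)?=/' "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    # In real use, prompt for the password and write to a root-owned path
    # such as /root/.iam-smb.cred (assumed name).
    printf '%s\n' 'Passw0rd' | write_cifs_credentials "$work/iam-smb.cred" smbuser
    if credentials_file_is_private "$work/iam-smb.cred"; then
        echo "credentials file is private"
    fi
    cifs_mount_command "$work/iam-smb.cred" //192.168.0.17/volume_2 /IAM

    # Constructed fstab sample: the first entry is the weak form, the second the fix.
    cat > "$work/fstab.sample" <<'EOF'
//192.168.0.17/volume_2 /IAM cifs rw,username=smbuser,password=Passw0rd 0 0
//192.168.0.17/volume_2 /IAM cifs rw,credentials=/root/.iam-smb.cred 0 0
EOF
    echo "entries with an inline password:"
    find_inline_cifs_passwords "$work/fstab.sample"
    rm -rf "$work"
}
demo
```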

Preparing the OS and Database


  1. In preparation for installing the LCM tools and deploying the IAM suite, you need to configure OS kernel parameters and install some libraries. Open a terminal session as “root” user and follow the instructions below.
          
          Edit /etc/sysctl.conf and update the following lines:
          kernel.shmmax = 10737418240
          kernel.shmall = 2621440

          
          Edit /etc/security/limits.conf and update the following line:
          oracle hard nofile 150000
          
          Run the following commands:
          yum install xclock
          yum install lsb
          yum install compat-libcap1
          yum install ksh

          
          Re-start the operating system by running:
          shutdown -r now
          
          Note: After re-starting the server, you will need to start the database and enterprise console. Log in as “oracle” user and follow the instructions below.
          
          Start the database listener:
          cd $ORACLE_HOME/bin
          ./lsnrctl start

          Run “sqlplus” to start the database instance:
          ./sqlplus / as sysdba
          SQL> startup

          Start the enterprise manager console:
          ./emctl start dbconsole
  2. As “oracle” user, configure the Oracle database:
          
          Run “sqlplus” to configure the database:
          ./sqlplus / as sysdba
          SQL> @$ORACLE_HOME/rdbms/admin/xaview.sql
          SQL> alter system set processes = 500 scope=spfile sid='*';
          SQL> alter system set open_cursors = 1600 scope=spfile sid='*';
          SQL> alter system set session_cached_cursors = 500 scope=spfile sid='*';
          SQL> alter system set session_max_open_files = 50 scope=spfile sid='*';
          SQL> alter system set sessions = 500 scope=spfile sid='*';

          The following commands may also be needed if the Health Check Utility reported an error with DBParameterCheck. Make sure your OS virtual memory is equal to or greater than the MEMORY_TARGET value (4GB):
          SQL> alter system set sga_target = 536879120 scope=spfile sid='*';
          SQL> alter system set pga_aggregate_target = 104857600 scope=spfile sid='*';
          SQL> alter system set sga_max_size = 4294967296 scope=spfile sid='*';
          SQL> alter system set MEMORY_MAX_TARGET = 4294967296 scope=spfile sid='*';
          SQL> alter system set MEMORY_TARGET = 4294967296 scope=spfile sid='*';

          Re-start the database by running:
          SQL> shutdown immediate;
          SQL> startup

Installing the LCM Tools


Figure 11. LCM Tools Installer

  1. In the Welcome window (see Figure 11, above), click Next to continue.
  2. In the Install Software Updates window, select Skip Software Updates and click Next to continue.
  3. In the Prerequisite Checks window (see Figure 12, below), review the results and click Next to continue.

          Note: If the previous OS and database settings were completed, there should be no errors or warnings.
    Figure 12. Prerequisite Checks Window
  4. In the Specify Installation Location, enter the following values, then click Next to continue:
        
        Oracle Middleware Home : /home/oracle/Middleware
        Oracle HOME Location : Oracle_IDMLCM1
        
  5. In the Installation Summary window, review the results and click Install to start the installation.
  6. Once the installation is completed, click Next to continue.
  7. In the Installation Complete window (Figure 13, below), review the results and click Finish to close the installer.

    Figure 13. Installation Complete Window

Copying Required Patches


  1. The documentation recommends installing at least the mandatory patches during the installation of the IAM environment. However, the patches listed in the documentation for WebLogic at the time of this writing (see below) were all superseded by built-in patch 19637463 (12UV), included in the IAM deployment repository, and thus do not need to be installed.
        
        For WebLogic Server:
        Patch 16844206 fixes an issue in getting environment variables in Windows Server
        Patch 14404715 fixes an issue when sending JMS messages
        Patch 18398295 fixes an issue with multi-byte character set
        
        For Oracle Database:
        Patch 17501296 fixes a bug when deleting rows from a table. This patch cannot be deployed with the LCM tools; its installation is described in Step 22: Installing the Oracle Database.

Generating the Response File


  1. To automate the deployment, the LCM tools need a response file containing all the configuration parameters needed to perform the deployment. Therefore, log in as "oracle" user and run the Deployment Wizard by running the following commands:
          
          export IDMLCM_HOME=/home/oracle/Middleware/Oracle_IDMLCM1
          cd $IDMLCM_HOME/provisioning/bin
          ./iamDeploymentWizard.sh
    Figure 14. Welcome Window
  2. In the Welcome window (Figure 14), click Next to continue.
  3. In the Choose IAM Installation Option, select Create a New Identity and Access Management Deployment Response File and click Next to continue.
  4. In the Specify Security Updates window, uncheck “I wish to receive security updates...”. Leave the other fields blank and click Next to continue.
        
        Click Yes to the warning message to continue.
  5. In Describe Response File, leave the default values and click Next to continue.
        
        Title : Identity and Access Management Deployment Response File
        Version : 1.0
  6. In the Select IAM Products window (Figure 15, below), select OIM-OAM-OMSS Integrated with Directory and click Next to continue.

    Figure 15. Select IAM Products Window
  7. In Directory Selection, select Configure New Directory and leave the default value Oracle Unified Directory. Click Next to continue.
  8. In Select Topology, select Single Node and enter the server name. Click Next to continue.
        
        Host name : ora-iambox.local
  9. In Select Installation and Configuration Locations, enter the following values and click Next to continue:
        
        Lifecycle Management Store Location : /home/oracle/lcm_store
        Software Repository Location : /IAM/MySOFTWARE/OracleIAM
        Software Installation Location : /home/oracle/oim-oam-omss
        Shared Configuration Location : /home/oracle/oim-oam-omss/config
  10. In the Directory Configuration window, enter the following values and click Next to continue:
        
        Port : 1389
        SSL : 1636
        Realm DN : dc=acme,dc=com
        User container : cn=Users,dc=acme,dc=com
        Group container : cn=Groups,dc=acme,dc=com
        System ID container : cn=SystemIDs,dc=acme,dc=com
  11. In Configure Oracle HTTP Server, review the assigned values and click Next to continue.
        
        Hostname : ora-iambox.local
        HTTP Port : 7777
        SSL Port : 4443
        OHS Admin SSL Port : 9999
        OPMN Local Port : 6703
        OPMN Remote Port : 6704
        OAM Admin Front End Port : 7777
        OIM Admin Front End Port : 7778
        Instance Name : ohs1
  12. In Configure Oracle Identity Manager, review the assigned values and click Next to continue.
        
        AdminServer Port : 7101
        Port : 14000
        Nodemanager Port : 5556
  13. In the Oracle Identity Manager Database Configuration, enter the following values and click Next to continue.
          
          Create Schema using RCU : [checked]
          SYSDBA Username : sys
          SYSDBA Password : Passw0rd
          Schema prefix : EDGIGD
          Schema User Name : EDGIGD_OIM
          Service Name : iam.local
          Schema Password : Passw0rd

          Single Database Instance : [checked]
          Host Name : ora-iambox.local
          Listening port : 1521
  14. In the Configure SOA window, review the default values and click Next to continue.
        
        SOA Hostname : ora-iambox.local
        Port : 8001
  15. In Configure Oracle Business Intelligence Publisher, review the default values and click Next to continue.
        
        BIP Host : ora-iambox.local
        Port : 9704
  16. In Configure Oracle Access Manager, review the default values and click Next to continue.
        
        OAM Host : ora-iambox.local
        AdminServer Port : 7001
        OAM Port : 14100
        Nodemanager port : 5556
        OAM Transfer Mode : Simple
        Cookie Domain : .local
  17. In Configure Oracle Mobile Security Manager, review the default values and click Next to continue.
        
        OMSM Host : ora-iambox.local
        OMSM Port : 14180
        OMSM SSL Port : 14181
  18. In Configure Oracle Mobile Security Access Server, review the default values and click Next to continue.
        
        OMSAS Host : ora-iambox.local
        OMSM Port : 9001
        OMSM SSL Port : 9002
        Gateway Instance : gateway1
  19. In Configure Access Policy Manager, review the default values and click Next to continue.
        
        OAM Policy Manager Host : ora-iambox.local
        OAM Policy Manager Port : 14150
        OAM Policy Manager SSL Port : 14151
  20. In Configure Oracle Access Manager Database, enter the following values and click Next to continue:
          
          Create Schema using RCU : [checked]
          SYSDBA Username : sys
          SYSDBA Password : Passw0rd
          Schema Prefix : EDGIAD
          Schema User Name : EDGIAD_OAM
          Service Name : iam.local
          Schema Password : Passw0rd

          Single Database Instance : [checked]
          Host Name : ora-iambox.local
          Listening Port : 1521
  21. In Set User Names and Passwords, enter a value for the password and click Next to continue.
        
        Enter Common IAM Password : Passw0rd
  22. In the Summary window (Figure 16, below), review the final configuration and leave the default values, then click Finish to close the wizard.
          
          Provisioning file : provisioning.rsp
          Provisioning summary : provisioning.summary
          Directory : /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin

    Figure 16. Summary Window
  23. Check the resulting response file by looking at the following location:
        
        /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp

Running the Health Check Utility


  1. During deployment using the LCM tools, the Health Check Utility is automatically invoked as part of the pre-installation and post-installation steps. However, this utility can also be invoked manually, which is useful if you want to know if the target server has been properly configured to support the installation. Log in as “oracle” user and follow the instructions below to run the utility from a command line.
  2. To check the Oracle Identity Manager database before installing the Oracle Identity and Access Management environment, run the following commands:
            
            cd /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin
            ./idmhc.sh -manifest ../config/PreInstallChecks_db.xml

            
            If mandatory patch 17501296 for the database was applied, the following result is displayed:
            
            Oracle Identity and Access Environment Health Check Utility Version
            Log directory is not provided. Using /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin as default log directory
            [Executing 1 of 1 plugins]: Verifying DB patches
            Enter the ORACLE HOME path:/home/oracle/app/oracle/product/11.2.0/dbhome_1
            [Plugin succeeded]: Verifying DB patches
            [Total# of Plugins Executed]: 1
            [Total# of Plugins Succeeded]: 1
            [Total# of Plugins Failed]: 0
            [Total# of Plugins with Errors]: 0
            [Total# of Plugins with Warnings]: 0
            [HealthCheck actions summary report]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_db_2015-07-12_10_31-23PM.html
            [HealthCheck log file]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_db_2015-07-12_10_31-23PM.log
            [HealthCheck XML report]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_db_2015-07-12_10_31-23PM.xml
  3. To check all mandatory prerequisites for an Oracle Identity and Access Management environment, run the commands below. If some of the validations fail, an HTML file will be generated containing a summary of the errors and corrective actions.
            
            cd /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin
            ./idmhc.sh -manifest ../config/PreInstallChecks_mandatory.xml

            
            The following result shows three (3) errors highlighted in red:
            
            Oracle Identity and Access Environment Health Check Utility Version
            Log directory is not provided. Using /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin as default log directory
            [Executing 1 of 12 plugins]: Verifying Kernel Parameters
            [Plugin succeeded]: Verifying Kernel Parameters
            [Executing 2 of 12 plugins]: Verifying Operating system and release
            [Plugin succeeded]: Verifying Operating system and release
            [Executing 3 of 12 plugins]: Check whether ports are free
            [Plugin skipped]: Check whether ports are free
            [Executing 4 of 12 plugins]: Verifying available Disk space
            [Plugin failed]: Verifying available Disk space
            [Executing 5 of 12 plugins]: Verifying available Physical Memory
            [Plugin failed]: Verifying available Physical Memory
            [Executing 6 of 12 plugins]: Check Reachability of hosts
            [Plugin skipped]: Check Reachability of hosts
            [Executing 7 of 12 plugins]: Verifying DB Parameter
            [Plugin skipped]: Verifying DB Parameter
            [Executing 8 of 12 plugins]: Verifying DB Schema Connection
            [Plugin failed]: Verifying DB Schema Connection
            [Executing 9 of 12 plugins]: Verifying JDK vendor and version
            [Plugin succeeded]: Verifying JDK vendor and version
            [Executing 10 of 12 plugins]: Verifying Packages Installed
            [Plugin succeeded]: Verifying Packages Installed
            [Executing 11 of 12 plugins]: Verifying Path Permissions
            [Plugin skipped]: Verifying Path Permissions
            [Executing 12 of 12 plugins]: Verifying XClock run
            [Plugin succeeded]: Verifying XClock run
            [Total# of Plugins Executed]: 8
            [Total# of Plugins Succeeded]: 5
            [Total# of Plugins Failed]: 3
            [Total# of Plugins with Errors]: 0
            [Total# of Plugins with Warnings]: 0
            [HealthCheck actions summary report]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_mandatory_2015-07-13_09_17-48PM.html
            [HealthCheck log file]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_mandatory_2015-07-13_09_17-48PM.log
            [HealthCheck XML report]: /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_mandatory_2015-07-13_09_17-48PM.xml
            
            In a browser, open the summary report by typing the string below to see the details of the errors.
            
            /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/bin/logs/healthchecker/IDM_ora-iambox.local-PreInstallChecks_mandatory_2015-07-13_09_17-48PM.html
            
  4. Resolution of the errors varies for each scenario. Here are the corrective actions taken for the three errors in the previous step:
            
            (a) Error verifying available disk space
            The DiskSpaceCheck plugin by default checks the space available in the root volume “/”. However, in our case, the target volume “/home” has 52 GB of disk space available, so this error can be ignored.
            
            (b) Error verifying available physical memory
            The FreeMemoryCheck plugin in the Health Check Utility has a bug that prevents it from properly obtaining the free memory available in Oracle Linux 7.1. This error can be ignored if the target server has at least 32 GB of physical memory.
            
            (c) Error verifying DB schema
            This error can be ignored since we haven't run the installation, the RCU tool hasn't been executed, and thus no schema has been provisioned yet in the database.
            
            Note: The errors can be ignored by editing the Health Check Utility configuration file PreInstallChecks_mandatory.xml and deleting the sections associated with each verification task. The configuration file resides here:
            /home/oracle/Middleware/Oracle_IDMLCM1/healthcheck/config/
            
            For example, for the previous errors, we removed the following sections:
            
            <plugin id="DiskSpaceCheck"
            description="Verifying available Disk space"
            invoke=""
            plugin.class="oracle.idm.healthcheck.plugins.diskspace.DiskSpaceCheckPlugin"
            class.path="$HC_LOCATION/lib/idmhcplugins.jar"
            stoponerror="false"/>

            <plugin id="FreeMemoryCheck"
            description="Verifying available Physical Memory"
            invoke=""
            plugin.class="oracle.idm.healthcheck.plugins.freememcheck.FreeMemCheckPlugin"
            class.path="$HC_LOCATION/lib/idmhcplugins.jar"
            stoponerror="false"/>

            <plugin id="DBSchemaCheck"
            description="Verifying DB Schema Connection"
            invoke=""
            plugin.class="oracle.idm.healthcheck.plugins.dbschemacheck.DBSchemaCheckPlugin"
            class.path="$HC_LOCATION/lib/idmhcplugins.jar;
            $HC_LOCATION/lib/ojdbc6.jar"
            stoponerror="false"/>

    Alternatively, if you are planning to deploy the IAM Suite using the Deployment Wizard instead of the LCM Tools command line interface, you can opt to bypass the validations when invoking the wizard with the parameter ignoreSysPrereqs. Here’s an example:
            
            /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/iamDeploymentWizard.sh -ignoreSysPrereqs
  5. If errors were generated and corrected, run the Health Check Utility again until no errors are reported.
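
One way to waive the three failures from step 4 without deleting their plugin sections, so that any other failure still stops the run (an added example, not part of the original article or Oracle's tooling). The function names, the accepted-failure list and the second sample are assumptions; the first sample is excerpted from the output above.

```shell
#!/bin/sh
# Added example: gate on idmhc.sh console output (read on stdin).

# Plugin descriptions whose failure was reviewed and accepted for this host
# (the three the article waives). The list format is an assumption.
ACCEPTED_FAILURES='Verifying available Disk space
Verifying available Physical Memory
Verifying DB Schema Connection'

# Excerpt of the article's run, then a constructed run with one new failure.
SAMPLE_RUN='[Plugin succeeded]: Verifying Kernel Parameters
        [Plugin failed]: Verifying available Disk space
        [Plugin failed]: Verifying available Physical Memory
        [Plugin failed]: Verifying DB Schema Connection
        [Plugin succeeded]: Verifying Packages Installed
[Total# of Plugins Failed]: 3'
SAMPLE_REGRESSED='[Plugin failed]: Verifying available Disk space
        [Plugin failed]: Verifying Packages Installed
[Total# of Plugins Failed]: 2'

# stdin: idmhc.sh output. stdout: description of each failed plugin.
failed_plugins() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*\[Plugin failed]:[[:space:]]*//p'
}

# stdin: idmhc.sh output. stdout: failures that are not on the accepted list.
unaccepted_failures() {
    failed_plugins | while IFS= read -r name; do
        printf '%s\n' "$ACCEPTED_FAILURES" | grep -Fxq -- "$name" ||
            printf '%s\n' "$name"
    done
}

# Succeeds only if the "[Total# of Plugins Failed]" line equals the number of
# "[Plugin failed]" lines, which catches truncated or hand-edited output.
summary_consistent() {
    awk 'index($0, "[Plugin failed]:") { seen++ }
         index($0, "[Total# of Plugins Failed]:") { declared = $NF + 0; have = 1 }
         END { exit !(have && declared == seen + 0) }'
}

# stdin: idmhc.sh output. Returns 0 to proceed, 1 to stop.
healthcheck_gate() {
    hc_out=$(cat)
    printf '%s\n' "$hc_out" | summary_consistent ||
        { echo "summary does not match plugin lines" >&2; return 1; }
    hc_bad=$(printf '%s\n' "$hc_out" | unaccepted_failures)
    [ -z "$hc_bad" ] || { echo "unaccepted failure: $hc_bad" >&2; return 1; }
}

printf '%s\n' "$SAMPLE_RUN" | healthcheck_gate && echo "accepted failures only"
```

On a real host the input would be `./idmhc.sh -manifest ../config/PreInstallChecks_mandatory.xml | healthcheck_gate`, assuming the utility writes the lines shown above to standard output.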

Running the Deployment with LCM Tools


  1. The LCM tools can be executed interactively (Deployment Wizard) or via command line. In this article we will describe the command line interface. Each stage of the deployment process is a task, and the tasks must run sequentially; that is, each stage must be completed before the next stage can begin. Failure of a stage will require a cleanup and restart. The following commands run the first task “preverify” of the deployment process.
            
            cd /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target preverify


            The following is a sample output of the “preverify” task:
            2015-07-15 13:35:00.751 TRACE
            BUILD SUCCESSFUL
            Total time: 1 minute 39 seconds

            Successfully finished preverify.
            Proceed with install.
  2. If the previous task completed successfully, run the “install” task. To do so, run the following command (all in one line):
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target install
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from the beginning (preverify).
            
            The following is a sample output of the “install” task:
            2015-07-15 02:15:59.146 TRACE
            BUILD SUCCESSFUL
            Total time: 136 minutes 37 seconds

            Successfully finished install.
            Proceed with preconfigure.
  3. If the previous task completed successfully, run the “preconfigure” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target preconfigure
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from the beginning (preverify).
            
            The following is a sample output of the “preconfigure” task:
            2015-07-15 03:54:01.217 TRACE
            BUILD SUCCESSFUL
            Total time: 91 minutes 10 seconds

            Successfully finished preconfigure.
            Proceed with configure.
  4. If the previous task completed successfully, run the “configure” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target configure
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from post-installation (preconfigure).
            
            The following is a sample output of the “configure” task:
            2015-07-15 17:39:10.267 TRACE
            BUILD SUCCESSFUL
            Total time: 76 minutes 59 seconds

            Successfully finished configure.
            Proceed with configure-secondary.
  5. If the previous task completed successfully, run the “configure-secondary” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target configure-secondary
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from post-installation (preconfigure).
            
            The following is a sample output of the “configure-secondary” task:
            2015-07-15 18:08:18.592 TRACE
            BUILD SUCCESSFUL
            Total time: 19 minutes 26 seconds

            Successfully finished configure-secondary.
            Proceed with postconfigure.
  6. If the previous task completed successfully, run the “postconfigure” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target postconfigure
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from post-installation (preconfigure).
            
            The following is a sample output of the “postconfigure” task:
            2015-07-15 19:20:49.018 TRACE
            BUILD SUCCESSFUL
            Total time: 41 minutes 44 seconds

            Successfully finished postconfigure.
            Proceed with startup.
  7. If the previous task completed successfully, run the “startup” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target startup
            
            Note: At this stage, if an error is generated, before you can run the same task again, you will need to clean up and restart the installation process and then start from post-installation (preconfigure).
            
            The following is a sample output of the “startup” task:
            2015-07-15 20:30:38.613 TRACE
            BUILD SUCCESSFUL
            Total time: 46 minutes 53 seconds

            Successfully finished startup.
            Proceed with validate.
  8. If the previous task completed successfully, run the “validate” task by running the following command:
            
            ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target validate
            
            The following is a sample output of the “validate” task:
            2015-07-15 21:08:17.376 TRACE
            BUILD SUCCESSFUL
            Total time: 5 minutes 19 seconds

            Successfully finished validate.
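
The eight steps above as a single driver, added here as an example (it is not Oracle's or the article's code): it runs the targets in order, keeps one log per stage, stops at the first stage that does not report success, and prints the restart point given in the notes. The function names and the `LOG_DIR` and `RUN_LCM` variables are assumptions, as is treating the exit status of `runIAMDeployment.sh` as meaningful.

```shell
#!/bin/sh
# Added example: run the LCM targets in the article's order and stop at the
# first one that does not report success.

LCM_BIN=/home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin
RSP="$LCM_BIN/provisioning.rsp"
STAGES="preverify install preconfigure configure configure-secondary postconfigure startup validate"

# Invoke one target with the article's command line.
deploy_target() {
    ( cd "$LCM_BIN" && ./runIAMDeployment.sh -responseFile "$RSP" -target "$1" )
}

# Stage to resume from after cleanup, following the article's notes:
# a failure up to preconfigure restarts at preverify, later ones at preconfigure.
restart_point() {
    case "$1" in
        preverify|install|preconfigure) echo preverify ;;
        *) echo preconfigure ;;
    esac
}

# Run every stage from $1 (default: preverify) onward. One log per stage is
# written to $LOG_DIR (assumed variable, default: current directory).
# The last output line is "OK" or "FAILED <stage> RESTART <stage>".
run_stages() {
    first=${1:-preverify}
    running=0
    for stage in $STAGES; do
        if [ "$stage" = "$first" ]; then running=1; fi
        [ "$running" -eq 1 ] || continue
        log="${LOG_DIR:-.}/lcm-$stage.log"
        # Success needs both a zero exit status (assumed to be meaningful) and
        # the "Successfully finished <stage>." line from the sample output.
        if deploy_target "$stage" >"$log" 2>&1 &&
           grep -Fq "Successfully finished $stage." "$log"; then
            echo "finished $stage"
        else
            echo "FAILED $stage RESTART $(restart_point "$stage")"
            return 1
        fi
    done
    [ "$running" -eq 1 ] || { echo "unknown stage: $first" >&2; return 2; }
    echo OK
}

# Opt-in entry point, so sourcing the file only defines the functions.
if [ "${RUN_LCM:-0}" = 1 ]; then run_stages "$@"; fi
```

After a failure, the cleanup and restore targets for the failed stage still have to be run by hand before resuming with `run_stages` from the printed restart point.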

Post-Deployment Tasks


  1. Once the deployment is completed, follow the instructions below to enable help in the WebLogic Administrative Console.
          
          Open a browser window and enter the following values:
          URL : http://ora-iambox.local:7777/oamconsole
          User : oamadmin
          Pass : Passw0rd
  2. The Launch pad is displayed. In the Access Manager pad, click on Application Domains. A Search Application Domains tab opens. In the Name field, enter “IAM Suite” and click Search. In the Search Results, click IAM Suite. Then, click the Resources tab, and then Create to enter the following information:
            
            Type : HTTP
            Description : All resources for WLS console help
            Host Identifier : IAMSuiteAgent
            Resource URL : /consolehelp/**
            Query : Name Value list
            Operations Available : All
            Protection Level : Excluded

    Click Apply to save the changes.

Verifying the Deployment


  1. After completing the deployment and post-deployment tasks, you can verify the installation and connectivity with all the IAM components installed. The instructions below indicate the URL and credentials needed to access the Access Management components. Figures 17 and 18 (below) show the OAM and OIM consoles.
            
            Oracle Access Manager

            WebLogic Administration Console (IAMAccessDomain)
            URL : http://ora-iambox.local:7777/console
            User : weblogic_idm
            Pass : Passw0rd

            Enterprise Manager Console (Farm_IAMAccessDomain)
            URL : http://ora-iambox.local:7777/em
            User : weblogic_idm
            Pass : Passw0rd

            Oracle Access Management Console
            URL : http://ora-iambox.local:7777/oamconsole
            User : oamadmin
            Pass : Passw0rd

            Oracle Access Management Policy Manager Console
            URL : http://ora-iambox.local:7777/access
            User : oamadmin
            Pass : Passw0rd
  2. The instructions below indicate the URL and credentials needed to access the Identity Management components:
            
            Oracle Identity Manager

            WebLogic Administration Console (IAMGovernanceDomain)
            URL : http://ora-iambox.local:7778/console
            User : weblogic_idm
            Pass : Passw0rd

            Enterprise Manager Console (Farm_IAMGovernanceDomain)
            URL : http://ora-iambox.local:7778/em
            User : weblogic_idm
            Pass : Passw0rd

            Oracle Identity Self Service Console
            URL : http://ora-iambox.local:7778/identity
            User : xelsysadm
            Pass : Passw0rd

            Oracle Identity System Administration Console
            URL : http://ora-iambox.local:7778/sysadmin
            User : xelsysadm
            Pass : Passw0rd

            Oracle Entitlement Server - Authorization Policy Manager Console
            URL : http://ora-iambox.local:7778/apm
            User : weblogic_idm
            Pass : Passw0rd

            Oracle BI Publisher Enterprise Console
            URL : http://ora-iambox.local:7778/xmlpserver
            User : xelsysadm
            Pass : Passw0rd

Start and Stop IAM Suite Components


  1. Along with the deployment, a set of scripts to start and stop all the IAM components is generated and placed in the software location folder. Follow the instructions below to stop and start the IAM suite.
          
          Stop IAM Suite
          cd /home/oracle/oim-oam-omss/config/scripts/
          ./stopall.sh

          
          Start IAM Suite
          cd /home/oracle/oim-oam-omss/config/scripts/
          ./startall.sh

          
          Note: The above scripts use the password stored in the wallet file cwallet.sso, located at /home/oracle/lcm_store/lcmconfig/credconfig
  2. Optionally, you can change the password stored in the cwallet.sso file. To do so, use these commands:
          
          cd /home/oracle/lcm_store/lcmconfig/credconfig
          ./csf-util.sh list
          ./csf-util.sh add

          
          Note: The script prompts for the name of the key, the user, and then the new password.
Figure 17. Oracle Access Management Console
Figure 18. Oracle Identity System Administration Console

Notes About Cleanup and Restore


When you are ready to clean up and attempt another deployment, do one of the following:

  • If the deployment failed in the Preconfigure or Install phases, use Cleanup and Restore to clean up the environment so you can start the deployment again from the beginning.
  • If deployment fails between the Preconfigure stage and the Validate stage, use the Cleanup and Restore feature to clean up the environment and restore it to the post-install stage.

Figure 4 depicts the previous approach. For example, if the deployment fails during the postconfigure stage, you can use Cleanup and Restore to clean up any changes made since you successfully completed the install stage. Cleanup and Restore can be performed using either the command line deployment tool or the Deployment Wizard.

For example, task “postconfigure” failed during deployment, so we run cleanup and restore:
    ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target cleanup-postconfigure
    ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target restore-postconfigure

Then, assuming the problems were fixed, we start from post-install by running:
    ./runIAMDeployment.sh -responseFile /home/oracle/Middleware/Oracle_IDMLCM1/provisioning/bin/provisioning.rsp -target preconfigure



Conclusion


Oracle IAM Suite 11gR2 PS3 brings a new set of features that improve the user experience and, as we have learned, also automate administrative tasks like installation, patching and configuration of the IAM components. Although the LCM tools are limited in this version, it wouldn’t be surprising to see more versatile LCM tools in terms of deployment topologies in the next update.
