6 Creating the WebLogic Server Domain for Identity Management

This chapter describes how to create a domain using the Configuration Wizard, Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control. You can extend the domain to add Oracle Fusion Middleware components such as Oracle Identity Manager and Oracle Access Manager.

Note:

Oracle strongly recommends that you read the release notes for any additional installation and deployment considerations prior to starting the setup process.

This chapter contains the following sections.

6.1 Enabling ADMINVHN on IDMHOST1

Note that this step is required for failover of the Administration Server, regardless of whether other Oracle Fusion Middleware components are installed later or not.

You will associate the Administration Server with a virtual IP address, ADMINVHN.mycompany.com. Check that ADMINVHN.mycompany.com is enabled on IDMHOST1.

To enable the virtual IP address on Linux, run the following commands as root:

/sbin/ifconfig interface:index IPAddress netmask netmask
/sbin/arping -q -U -c 3 -I interface IPAddress

where interface is eth0, eth1, and so forth, and index is 0, 1, 2, and so forth.

For example:

/sbin/ifconfig eth0:1 100.200.140.206 netmask 255.255.255.0

Enable your network to register the new location of the virtual IP address:

/sbin/arping -q -U -c 3 -I eth0 100.200.140.206

Validate that the address is available by pinging it from another node, for example:

/bin/ping 100.200.140.206

6.2 Running the Configuration Wizard on IDMHOST1 to Create a Domain

Run the Configuration Wizard from the Oracle Common home directory to create a domain containing the Administration Server. Later, you will extend the domain to contain other components.

  1. Change directory to the location of the Configuration Wizard. This is within the Oracle Common Home directory (created in Chapter 4, "Installing the Software").

    IDMHOST1> cd ORACLE_BASE/product/fmw/oracle_common/common/bin

  2. Start the Oracle Fusion Middleware Configuration Wizard:

    IDMHOST1> ./config.sh

  3. On the Welcome screen, select Create a New WebLogic Domain, and click Next.

  4. The Select Domain Source screen is displayed in Figure 6-1.

    Figure 6-1 Select Domain Source Screen

    Select Domain Source screen

    On the Select Domain Source screen, do the following:

    • Select Generate a domain configured automatically to support the following products.

    • Select the following products:

      • Basic WebLogic Server Domain - 10.3.3.0 [wlserver_10.3] (This should be selected automatically.)

      • Oracle Enterprise Manager - 11.1.1.0 [oracle_common]

      • Oracle JRF - 11.1.1.0 [oracle_common] (This should be selected automatically.)

    Click Next.

  5. On the Specify Domain Name and Location screen, enter the domain name (IDMDomain).

    Make sure that the domain directory matches the directory and shared storage mount point recommended in Section 2.4, "Shared Storage and Recommended Directory Structure."

    Enter

    ORACLE_BASE/admin/IDMDomain/aserver/

    for the domain directory and

    ORACLE_BASE/admin/IDMDomain/aserver/applications

    for the application directory. This directory should be in shared storage.

  6. Click Next.

  7. On the Configure Administrator Username and Password screen, enter the username (default is weblogic) and password to be used for the domain's administrator. For example:

    • Name: weblogic

    • User Password: password for weblogic user

    • Confirm User Password: password for weblogic user

    • Description:This user is the default administrator.

    Click Next.

  8. On the Configure Server Start Mode and JDK screen, do the following:

    • For WebLogic Domain Startup Mode, select Production Mode.

    • For JDK Selection, select JROCKIT SDK1.6.0_14

    Click Next.

  9. On the Select Optional Configuration screen, select the following:

    • Administration Server

    • Managed Servers, Clusters and Machines

    Click Next.

  10. On the Configure the Administration Server screen, enter the following values:

    • Name: AdminServer

    • Listen Address: ADMINVHN.mycompany.com.

    • Listen Port: 7001

    • SSL listen port: N/A

    • SSL enabled: unchecked

    Click Next.

  11. On the Configure Managed Servers screen, click Next

  12. On the Configure Clusters screen, click Next

  13. On the Configure Machines screen, click the Unix Machine tab and then click Add to add the following machine. The machine name does not need to be a valid hostname or listen address, it is just a unique identifier of a nodemanager location:

    • Name: ADMINHOST

    • Node manager listen address: localhost

    Leave all other fields to their default values.

  14. Click Next.

  15. On the Assign Servers to Machines screen, assign servers to machines as follows:

    • ADMINHOST: AdminServer

    Click Next.

  16. On the Configuration Summary screen, validate that your choices are correct, then click Create.

  17. On the Create Domain screen, click Done.

6.3 Creating boot.properties for the Administration Server on IDMHOST1

Create a boot.properties file for the Administration Server on IDMHOST1. The boot.properties file enables the Administration Server to start without prompting you for the administrator username and password.

For the Administration Server:

  1. Create the following directory structure.

    mkdir -p ORACLE_BASE/admin/IDMDomain/aserver/IDMDomain/servers/AdminServer/security

  2. In a text editor, create a file called boot.properties in the last directory created in the previous step, and enter the username and password in the file. For example:

    username=weblogic
password=password for weblogic user

Note:

The username and password entries in the file are not encrypted until you start the Administration Server, as described in Section 6.5, "Updating the Node Manager Credentials." For security reasons, minimize the time the entries in the file are left unencrypted. After you edit the file, start the server as soon as possible so that the entries are encrypted.

6.4 Starting Node Manager on IDMHOST1

Perform these steps to start Node Manager on IDMHOST1:

  1. Run the startNodeManager.sh script located under the ORACLE_BASE/wlserver_10.3/server/bin directory.

  2. Run the setNMProps.sh script on IDMHOST1 to set the StartScriptEnabled property to true:

    cd MW_HOME/oracle_common/common/bin
./setNMProps.sh

    Note:

    You must use the StartScriptEnabled property to avoid class loading failures and other problems.

  3. Stop the Node Manager by killing the Node Manager process.

  4. Start Node Manager:

    IDMHOST1> cd ORACLE_BASE/product/fmw/wlserver_10.3/server/bin
IDMHOST1> ./startNodeManager.sh

6.5 Updating the Node Manager Credentials

You start the Administration server by using wlst and connecting to Node Manager. The first start of the Administration Server with Node Manager, however, requires that you change the default username and password that the Configuration Wizard sets for Node Manager. Therefore you must use the start script for the Administration Server for the first start. Follow these steps to start the Administration Server using Node Manager. Steps 1-4 are required for the first start operation, but subsequent starts require only Step 4.

  1. Start the Administration Server using the start script in the domain directory.

    IDMHOST1> cd ORACLE_BASE/admin/domain_name/aserver/domain_name/bin
HOST1> ./startWebLogic.sh

  2. Use the Administration Console to update the Node Manager credentials.

    1. In a browser, go to http://ADMINVHN.mycompany.com:7001/console.

    2. Log in as the administrator.

    3. Click Lock and Edit.

    4. Click Domain_name->Security->General and expand Advanced at the bottom.

    5. Enter a new username for Node Manager or make a note of the existing one and update the Node Manager password.

    6. Save and activate the changes.

  3. Start WLST and connect to the node manager with nmconnect and the credentials set above. Then start the admin server using nmstart.

    IDMHOST1> cd ORACLE_COMMON_HOME/common/bin
IDMHOST1> ./wlst.sh

    Once in the wlst shell, execute the following commands:

    wls:/offline> nmConnect('Admin_User','Admin_Pasword', 'IDMHOST1','5556',
  'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
wls:/nm/domain_name> nmStart('AdminServer')

    where Admin_user and Admin_Password are the Node Manager username and password you entered in Step 2.

    Note:

    Admin_user and Admin_Password are only used to authenticate connections between Node Manager and clients. They are independent from the server admin ID and password and are stored in the ORACLE_BASE/admin/domain_name/aserver/domain_name/config/nodemanager/nm_password.properties file.

  4. Do not restart the Administration Server. It will be restarted in Section 6.7, "Stopping and Starting the WebLogic Administration Server."

6.6 Disabling Host Name Verification for the Oracle WebLogic Administration Server

This step is required if you have not set up the appropriate certificates to authenticate the different nodes with the administration server. (See Chapter 16, "Setting Up Node Manager.") If you have not configured the server certificates, you will receive errors when managing the different WebLogic Servers. To avoid these errors, disable host name verification while setting up and validating the topology, and enable it again once the EDG topology configuration is complete as described in Chapter 16, "Setting Up Node Manager."

Perform these steps to disable host name verification:

  1. Log in to Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. Expand the Environment node in the Domain Structure window.

  4. Click Servers. The Summary of Servers page appears.

  5. Select AdminServer(admin) in the Names column of the table. The Settings page for AdminServer(admin) appears.

  6. Click the SSL tab.

  7. Click Advanced.

  8. Set Hostname Verification to None.

  9. Click Save.

  10. Save and activate the changes.

6.7 Stopping and Starting the WebLogic Administration Server

  1. Stop the administration server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components"

  2. Start WLST and connect to the node manager with nmconnect and the credentials set previously described. Then start the administration server using nmstart.

    IDMHOST1> cd ORACLE_COMMON_HOME/common/bin
IDMHOST1> ./wlst.sh

    Once in the wlst shell, execute the following commands:

    wls:/offline> nmConnect('Admin_User','Admin_Pasword', 'IDMHOST1','5556',  'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
wls:/nm/domain_name> nmStart('AdminServer')

    where Admin_user and Admin_Password are the Node Manager username and password you entered in Step 2 of Section 6.5, "Updating the Node Manager Credentials."

Note:

Admin_user and Admin_Password are only used to authenticate connections between Node Manager and clients. They are independent from the server admin ID and password and are stored in the ORACLE_BASE/admin/domain_name/aserver/domain_name/config/nodemanager/nm_password.properties file.

6.8 Validating the Administration Server

Perform these steps to ensure that the Administration Server is properly configured:

  1. In a browser, go to http://ADMINVHN.mycompany.com:7001/console.

  2. Log in as the WebLogic administrator, for example: weblogic.

  3. Check that you can access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.

  4. Log in to Oracle Enterprise Manager Fusion Middleware Control as the WebLogic administrator, for example: weblogic.

6.9 Configuring Oracle HTTP Server for the Administration Server

To enable Oracle HTTP Server to route to the Administration Server, you must set the the corresponding mount points in your HTTP Server configuration.

  1. On each of the web servers on WEBHOST1 and WEBHOST2 create a file called admin.conf in the directory:

    ORACLE_INSTANCE/config/OHS/component/moduleconf

    This file will have the following entries:

    NameVirtualHost *:7777
 
<VirtualHost *:7777>
 
   ServerName admin.mycompany.com:80
   ServerAdmin [email protected]
   RewriteEngine On
   RewriteOptions inherit
   RewriteRule ^/console/jsp/common/logout.jsp /oamsso/logout.html [PT]
   RewriteRule ^/em/targetauth/emaslogout.jsp /oamsso/logout.html [PT]
 
# Admin Server and EM
   <Location /console>
      SetHandler weblogic-handler
      WebLogicHost ADMINVHN.mycompany.com
      WeblogicPort 7001
   </Location>
 
   <Location /consolehelp>
      SetHandler weblogic-handler
      WebLogicHost ADMINVHN.mycompany.com
      WeblogicPort 7001
   </Location>
 
   <Location /em>
      SetHandler weblogic-handler
      WebLogicHost ADMINVHN.mycompany.com
      WeblogicPort 7001
   </Location>
 
</VirtualHost>

    Note:

    Values such as admin.mycompany:80 and you@youraddress that are noted in this document serve as examples only. Enter values based on the actual environment.

  2. Restart Oracle HTTP Server on both WEBHOST1 and WEBHOST2, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

    WEBHOST1> ORACLE_BASE/admin/instance_name/bin/opmnctl restartproc ias-component=ohs1
 
WEBHOST2> ORACLE_BASE/admin/instance_name/bin/opmnctl restartproc ias-component=ohs2

6.10 Registering Oracle HTTP Server With WebLogic Server

For Oracle Enterprise Manager Fusion Middleware Control to be able to manage and monitor the Oracle HTTP server, you must register the Oracle HTTP server with the domain. To do this, you must register Oracle HTTP Server with WebLogic Server using the following command:

WEBHOST1> cd ORACLE_BASE/admin/instance_name/bin
WEBHOST1> ./opmnctl registerinstance -adminHost ADMINVHN.mycompany.com \
   -adminPort 7001 -adminUsername weblogic

You must also run this command from WEBHOST2 for OHS2.

6.11 Setting the Front End URL for the Administration Console

Oracle WebLogic Server Administration Console tracks changes that are made to ports, channels and security using the console. When changes made through the console are activated, the console validates its current listen address, port and protocol. If the listen address, port and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using an load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address. To make this change, perform the following steps:

  1. Log in to Oracle WebLogic Server Administration Console.

  2. Click Lock and Edit.

  3. Expand the Environment node in the Domain Structure window.

  4. Click Servers to open the Summary of Servers page.

  5. Select Admin Server in the Names column of the table. The Settings page for AdminServer(admin) appears.

  6. Click the Protocols tab.

  7. Click the HTTP tab.

  8. Set the Front End Host field to admin.mycompany.com (your load balancer address).

  9. Set FrontEnd HTTP Port to 80

  10. Save and activate the changes.

To eliminate redirections, best practice is to disable the Administration console's Follow changes feature. To do this, log in to the administration console and click Preferences->Shared Preferences. Deselect Follow Configuration Changes and click Save.

6.12 Validating Access Through Oracle HTTP Server

Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors. See Section 19.6, "Troubleshooting" for possible causes.

Validate Administration Console and Oracle Enterprise Manager Fusion Middleware Control through Oracle HTTP Server using the following URLs:

  • http://admin.mycompany.com/console

  • http://admin.mycompany.com/em

For information on configuring system access through the load balancer, see Section 2.2.1, "Load Balancers."

Note:

After the registering Oracle HTTP Server as described in Section 6.10, "Registering Oracle HTTP Server With WebLogic Server."

the Oracle HTTP Server should appear as a manageable target in Enterprise Manager. To verify this, log into Oracle Enterprise Manager Fusion Middleware Control. The WebTier item in the navigation tree should show that Oracle HTTP Server has been registered.

6.13 Manually Failing Over the Administration Server

This section discusses how to fail over the Administration Server to IDMHOST2 and how to fail it back to IDMHOST1.

This section contains the following topics:

6.13.1 Failing over the Administration Server to IDMHOST2

If a node fails, you can fail over the Administration Server to another node. This section describes how to fail over the Administration Server from IDMHOST1 to IDMHOST2.

Assumptions:

  • The Administration Server is configured to listen on ADMINVHN.mycompany.com, and not on ANY address. See step 10 in Section 6.2, "Running the Configuration Wizard on IDMHOST1 to Create a Domain."

  • The Administration Server is failed over from IDMHOST1 to IDMHOST2, and the two nodes have these IP addresses:

    • IDMHOST1: 100.200.140.165

    • IDMHOST2: 100.200.140.205

    • ADMINVIP: 100.200.140.206

      This is the Virtual IP address where the Administration Server is running, assigned to interface:index (for example, eth1:2), available in IDMHOST1 and IDMHOST2.

  • The domain directory where the administration server is running in IDMHOST1 is on a shared storage and is mounted also from IDMHOST2.

    Note:

    NM in IDMHOST2 does not control the domain at this point since unpack/nmEnroll has not been run yet on IDMHOST2 But for the purpose of AdminServer failover and control of the AdminServer itself, node manager will be fully functional

  • Oracle WebLogic Server and Oracle Fusion Middleware Components have been installed in IDMHOST2 as described in previous chapters. That is, the same path for ORACLE_HOME and MW_HOME that exists in IDMHOST1 is available in IDMHOST2.

The following procedure shows how to fail over the Administration Server to a different node, IDMHOST2.

  1. Stop the Administration Server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. Migrate the IP address to the second node.

    1. Run the following command as root on IDMHOST1 (where x:y is the current interface used by ADMINVHN.mycompany.com):

      IDMHOST1 > /sbin/ifconfig x:y down

      For example:

      IDMHOST1 > /sbin/ifconfig eth0:1 down

    2. Run the following command on IDMHOST2:

      IDMHOST2> /sbin/ifconfig interface:index IP_Address netmask netmask

      For example:

      /sbin/ifconfig eth0:1 10.0.0.1 netmask 255.255.255.0

    Note:

    Ensure that the netmask and interface to be used match the available network configuration in IDMHOST2.

  3. Update routing tables by using arping, for example:

    IDMHOST2> /sbin/arping -b -A -c 3 -I eth0 10.0.0.1

6.13.2 Starting the Administration Server on IDMHOST2

Perform the following steps to start Node Manager on IDMHOST2:

  1. Run the setNMProps.sh script to set the StartScriptEnabled property to true before starting Node Manager:

    cd MW_HOME/oracle_common/common/bin
./setNMProps.sh

    Note:

    You must use the StartScriptEnabled property to avoid class loading failures and other problems.

  2. Start Node Manager:

    IDMHOST2> cd ORACLE_BASE/product/fmw/wlserver_10.3/server/bin
IDMHOST2> ./startNodeManager.sh

    Start the Administration Server on IDMHOST2.

    IDMHOST2> cd ORACLE_COMMON_HOME/common/bin
IDMHOST2> ./wlst.sh

    Once in wlst shell, execute

    wls:/offline>nmConnect('Admin_User','Admin_Pasword', 'IDMHOST2','5556','domain_name','/u01/app/oracle/admin/domain_name/aserver/domain_name')
wls:/nm/domain_name> nmStart('AdminServer')

  3. Test that you can access the Administration Server on IDMHOST2 as follows:

    1. Ensure that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.

    2. Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.

6.13.3 Validating Access to IDMHOST2 Through Oracle HTTP Server

Perform the same steps as in Section 6.12, "Validating Access Through Oracle HTTP Server." This is to check that you can access the Administration Server when it is running on IDMHOST2.

6.13.4 Failing the Administration Server Back to IDMHOST1

This step checks that you can fail back the Administration Server, that is, stop it on IDMHOST2 and run it on IDMHOST1. To do this, migrate ADMINVHN back to IDMHOST1 node as follows:

  1. Make sure that the administration server is not running. If it is, stop it from the WebLogic console, or by running the command stopWeblogic.sh from DOMAIN_HOME/bin.

  2. Run the following command on IDMHOST2.

    IDMHOST2> /sbin/ifconfig x:y down

  3. Run the following command on IDMHOST1:

    IDMHOST1> /sbin/ifconfig interface:index 100.200.140.206 netmask 255.255.255.0

    Note:

    Ensure that the netmask and interface to be used match the available network configuration in IDMHOST1

  4. Update routing tables by using arping. Run the following command from IDMHOST1.

    IDMHOST1> /sbin/arping -b -A -c 3 -I interface 100.200.140.206

  5. Start the Administration Server again on IDMHOST1.

    IDMHOST1> cd ORACLE_COMMON_HOME/common/bin
IDMHOST1> ./wlst.sh

    Once in the wlst shell, execute

    wls:/offline>nmConnect(Admin_User,'Admin_Pasword, IDMHOST1,'5556',
     'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain'
wls:/nm/domain_name> nmStart('AdminServer')

  6. Test that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.

  7. Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.

6.14 Backing Up the WebLogic Domain

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.

For information about database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.

To back up the installation at this point, complete these steps:

  1. Back up the web tier as described inSection 5.6, "Backing up the Web Tier Configuration."

  2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.

Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory.

IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver

For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."