I used this piece of software in an earlier setup, and much to my surprise, there's even a Metalink note, that references the product.
Anyway, download it here, documentation can be found here.
Friday, December 07, 2007
Thursday, December 06, 2007
How to setup WNA with Oracle
Just a short note on how to set up Windows Native Authentication (WNA) with Oracle Internet Directory (OID), V10.1.2.2 (patched 10G Rel 2).
Of course, it requires that you have your setup done, that is, OID is in place, it synchronises with Active Directory (from AD to OID minimal, or two way), and the external authentication plugin works. Maybe I will publish on those steps and update this entry with the links. (I did, I did! See this entry on OID AD sync in 10.1.4)
- Create an account in Active Directory for your Single Sign On server. The account name is the short name, i.e. login.home.local should be created in AD as login.
- Generate a keytab file for this account on the AD machine; take care, the process is highly case-sensitive!
ktpass -princ HTTP/login.home.local@BORTEL.AD.LOCAL -pass <ad_passwd> -ptype KRB5_NT_PRINCIPAL +desonly -crypto des-cbc-md5 -mapuser login -out login.keytab
The entry following the "-princ" flag is uppercase "HTTP/", followed by the fully qualified domain name (FQDN) of your Single Sign On server in lower case, followed by "@YOUR_AD_DOMAIN", where your Active Directory realm name should be in uppercase.
- Transfer the generated keytab file (in this example, login.keytab) in binary(!) mode to your Single Sign On server. The location is $ORACLE_HOME/j2ee/OC4J_SECURITY/config
- Create the Kerberos configuration file, krb5.conf. Many Unixes locate the file in /etc. The contents of the file:
[libdefaults]
default_realm = BORTEL.AD.LOCAL
[realms]
BORTEL.AD.LOCAL = {
kdc = pdc01.bortel.ad.local:88
}
[domain_realm]
.home.local = BORTEL.AD.LOCAL
Don't be fooled by the "LOCAL" stuff; default_realm is the Active Directory realm (domain, in Windows terminology), the realms entry tells what your AD server is called and on what port it listens - port 88 is the default for Kerberos.
The last line is very important: it explains the mapping between your default OID context and AD - mind the leading dot. The login account, created in step 1, is login@BORTEL.AD.LOCAL, so users can be found 'under' BORTEL.AD.LOCAL. Similarly for OID: the corresponding entries for other users can be found in OID under dc=home, dc=local.
Your setup will differ, and your AD domain probably has an internal domain name, whereas your OID probably has "company_name.com".
- Check the time on the AD and SSO servers; the clocks should be (almost) the same!
- Test your Kerberos config:
kinit -k -t $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab HTTP/login.home.local
It should not respond with anything, just give back the cursor.
I did get the following error, though:
kinit: KRB5 error code 52 while getting initial credentials
The solution is listed in Microsoft KB832572, and is simply setting the 'Do not require Kerberos preauthentication' option in AD for the 'login' account. It's located under Account options on the Account details tab - last entry (you will need to scroll down in the option list).
- Make a copy of the configuration files for safekeeping:
cp $ORACLE_HOME/sso/conf/policy.properties $ORACLE_HOME/sso/conf/policy.properties.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn.xml.org
cp $ORACLE_HOME/opmn/conf/opmn.xml $ORACLE_HOME/opmn/conf/opmn.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/web.xml.org
cp $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml.org
- Run the ssoca shell:
cd $ORACLE_HOME/sso/bin
./ssoca
[snip]
Usage5: To configure the Single Sign-On server to enable Windows Native Authentication, do:
java -jar ossoca.jar wna -mode sso -oh <oh> -ad_realm <AD_realm> -kdc_host_port <kdc> -keytab <keytab> -ssohost <sso_host> -oid <oid_server> -verbose
where:
oh = Oracle Home Path, AD_realm = Active Directory Realm Name, kdc = Kerberos KDC in the format "hostname:port", keytab = path of the keytab file that you created for the SSO server, sso_host = SSO server hostname with domain, oid_server = OID server in the format "ldap://oid.acme.com:389"
The actual command will become:
./ssoca wna -mode sso -oh $ORACLE_HOME \
-ad_realm BORTEL.AD.LOCAL -kdc_host_port pdc01.bortel.ad.local:88 \
-keytab $ORACLE_HOME/j2ee/OC4J_SECURITY/config/login.keytab \
-verbose
- Test your WNA: you should now be able to go to the OIDDAS pages without being asked to log in.
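As an added example (not code from the original post), a small Python check that parses the krb5.conf shown above and verifies the case and mapping rules the post stresses for the keytab principal: uppercase HTTP/, lowercase FQDN, uppercase realm, a kdc entry with a port, and a leading-dot [domain_realm] mapping for the host's domain. Realm, host and KDC values are the post's own examples.

```python
import re

# Constructed input: the krb5.conf from the post, embedded inline.
KRB5_CONF = """\
[libdefaults]
default_realm = BORTEL.AD.LOCAL
[realms]
BORTEL.AD.LOCAL = {
kdc = pdc01.bortel.ad.local:88
}
[domain_realm]
.home.local = BORTEL.AD.LOCAL
"""


def parse_krb5_conf(text):
    """Minimal parser for [libdefaults], [realms] (brace blocks) and [domain_realm].
    Returns e.g. {'realms': {'BORTEL.AD.LOCAL': {'kdc': ['pdc01...:88']}}, ...}."""
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            conf.setdefault(section, {})
            continue
        if section == "realms" and line.endswith("{"):   # REALM = {
            realm = line.split("=", 1)[0].strip()
            conf["realms"][realm] = {}
            continue
        if section == "realms" and line == "}":
            realm = None
            continue
        if "=" not in line or section is None:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = (p.strip() for p in line.split("=", 1))
        if section == "realms" and realm is not None:
            conf["realms"][realm].setdefault(key.lower(), []).append(value)
        else:
            conf[section][key] = value
    return conf


def check_wna_setup(conf_text, principal):
    """Return the list of rule violations for a keytab principal against a
    krb5.conf; an empty list means the combination is consistent."""
    problems = []
    m = re.fullmatch(r"([^/]+)/([^@]+)@(.+)", principal)
    if not m:
        return ["principal must look like HTTP/host.fqdn@REALM"]
    service, host, realm = m.groups()
    if service != "HTTP":
        problems.append("service must be uppercase HTTP, got %r" % service)
    if host != host.lower():
        problems.append("host must be lowercase, got %r" % host)
    if realm != realm.upper():
        problems.append("realm must be uppercase, got %r" % realm)
    if "." not in host:
        problems.append("host must be fully qualified, got %r" % host)

    conf = parse_krb5_conf(conf_text)
    default_realm = conf["libdefaults"].get("default_realm")
    if default_realm != realm:
        problems.append("default_realm %r differs from principal realm %r"
                        % (default_realm, realm))
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    if not kdcs:
        problems.append("no [realms] kdc entry for %r" % realm)
    for kdc in kdcs:
        if not re.fullmatch(r"[^:]+:\d+", kdc):
            problems.append("kdc %r should be host:port (88 is the default)" % kdc)
    # The host's DNS domain, with the leading dot, must map to the AD realm.
    domain = "." + host.split(".", 1)[1] if "." in host else None
    mapped = conf["domain_realm"].get(domain)
    if mapped is None:
        problems.append("no [domain_realm] mapping for %r (mind the leading dot)" % domain)
    elif mapped != realm:
        problems.append("%r maps to %r, not %r" % (domain, mapped, realm))
    return problems


if __name__ == "__main__":
    for p in ("HTTP/login.home.local@BORTEL.AD.LOCAL",
              "http/LOGIN.home.local@bortel.ad.local",   # wrong case everywhere
              "HTTP/login@BORTEL.AD.LOCAL"):             # short name instead of FQDN
        print(p, "->", check_wna_setup(KRB5_CONF, p) or "OK")
```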
Labels: Active Directory, enterprise, howto, OID, WNA
Wednesday, December 05, 2007
How to log on as orcladmin with WNA?
Finally have WNA working, but now there is another "problem": how can I log in as orcladmin (or any other user, for that matter)? Because every time I switch to anything administrative on my OIDDAS page, Windows Native Authentication kicks in and presents me with less privileged pages.
The only workaround I have found so far, is to disable WNA for the time being.
In IE, it is located in the Advanced Options (Enable Integrated Windows Authentication, under Security); under Firefox, you would have to remove the Single Sign On server from network.negotiate-auth.trusted-uris in about:config.
If anyone has another solution, please comment!
Thursday, November 22, 2007
Indeed... what if?
Just came across this - nothing to do with Oracle, but there is a point... I think.
Thursday, October 18, 2007
It does not run Oracle
But it is capable of running Linux, and -according to the specsheet- MS Windows XP. I doubt that, with just 256MB on board, but hey - it uses no more than 5 Watts peak, 3 Watts average!
Thursday, October 04, 2007
Tweep-tweep-tweep
Something like that would have been heard, coming from an object, circling the earth, just like an artificial moon.
The space age was born today, fifty years ago, with the launch of Sputnik.
And it's Animal Day, of course.
Tuesday, September 18, 2007
WNA and Firefox
Where IE supports Windows Native Authentication sort of 'out of the box', Firefox does not. Here's how to enable Windows Native Authentication (WNA) in Firefox:
- type 'about:config' in the address bar
- navigate to the entry 'network.negotiate-auth.trusted-uris' (tip: set the search filter to "network.negotiate")
- enter the domains you want WNA to act upon, e.g. "home.local".
Multiple domains are to be separated by commas, e.g. "home.local,home.networked" - earlier releases indicate that a leading dot is required (e.g. ".home.local" instead of "home.local")
Wednesday, September 12, 2007
ldapbindssl
Trying to get password synchronisation from Active Directory to Oracle Internet Directory (OID) to work. The password filter is a bit hard to find ("CD 1 of the Application Server"); actually it is in the utils directory of this download.
Looks great, up to the part where I try ldapbindssl.
The first attempt resulted in
D:\>ldapbindssl -h idmhost -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 997
LDAP Error Code: 52
Error Message: Server Unavailable
I realized idmhost was not enough, and changed that to the fully qualified name. This changed the error codes returned:
D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1396
LDAP Error Code: 52
Error Message: Server Unavailable
Not very helpful at all. Searching the internet resulted in just one reference.
However, the System Error Codes are actually Microsoft error codes. So, the 1396 error actually means
ERROR_WRONG_TARGET_NAME (Logon Failure: The target account name is incorrect.)
And - there is a note on that one (and a bug...): Metalink note 430907.1.
Unfortunately, the note just explains that you made a mistake in the Subject of your certificate; there is no example of how it should look. Created a new certificate (self-signed) with the subject cn=idmhost.home.local. Imported that, but now the error is:
D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1790
LDAP Error Code: 52
And error 1790 means ERROR_TRUST_FAILURE (Network logon failed)
Still have to figure that one out...
Edit: Apparently, someone picked this up - just read the note again, and it now says:
For example, if the OID server hostname is "oid.oracle.com" then the SUBJECT attribute of the server certificate must also be "oid.oracle.com".
Edit: Managed to get things working, this is the condensed how-to:
On the OID server:
- Create the wallet:
orapki wallet create -wallet ./ -auto_login
- Add the request:
orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024
- You can now export the request, and have it sent to a CA:
orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -request ./idmhost.req
- Or, simply self-sign the request:
orapki wallet add -wallet ./ -dn "cn=idmhost.home.local" -keysize 1024 -self_signed -validity 3650
- Now, export the self-signed certificate:
orapki wallet export -wallet ./ -dn "cn=idmhost.home.local" -cert ./idmhost.cert
Get this certificate over to the MS Windows machine (I used cut-n-paste, and saved in a cer-file), and use the certificate wizard (click on the .cer file).
After that, the test went OK:
D:\>ldapbindssl -h idmhost.home.local -p 1636 -D cn=orcladmin -w welcome1
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Bind Successful
Thursday, August 30, 2007
Remove a realm
Playing around with OID and Application Server Hosting, I created some realms. Quite easy to add one, but there's no delete, drop or remove realm option.
So: how to drop a realm, without painstakingly going through the ODM (Oracle Directory Manager) screens, that do not support a cascaded delete?
Appears to be quite simple:
log in on the machine your OID runs on, and:
opmnctl stopall
./bulkdelete.sh -connect [tns_alias] \
-base "dc=test2,dc=home,dc=local"
The base is the actual realm you want to drop.
How to unlock orcladmin
Proving the point that using 'cn=orcladmin' or 'orcladmin' when starting Oracle Internet Directory (OID) Manager (ODM), is actually the same account, I managed to "prove" the point just once too often, resulting in a "your account is locked" error.
So the question arises: how to unlock your superuser account orcladmin?
Very simple:
log in on the Application Server where your OID runs, and:
$ORACLE_HOME/bin/oidpasswd connect=[tns_alias] unlock_su_acct=true
You will be asked to provide the ODS password - which happens to be the same as the ias_admin password, specified at install time. Which happens to be the password for orcladmin, too, unless you changed it.
Tuesday, August 28, 2007
Passwords: store them in a Wallet!
Working on OID and database registrations, I found the wallet created by the DBCA does not need to be signed. Basically - it's empty!
Well, not quite; although Oracle Wallet Manager, owm, only shows "there's something", details can be retrieved using mkstore:
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -list
Enter password:
Oracle Secret Store entries:
ORACLE.SECURITY.DN
ORACLE.SECURITY.PASSWORD
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.DN
Enter password:
ORACLE.SECURITY.DN = cn=infra,cn=OracleContext,dc=home,dc=local
oracle10@infra mkstore -wrl /oracle/infra/admin/dev/wallet -viewEntry ORACLE.SECURITY.PASSWORD
Enter password:
ORACLE.SECURITY.PASSWORD = RJT01YL5
oracle10@infra
The password you need to provide is the password you specified for the wallet at the time you registered the database.
So, if you ever want to know the password of database registration, this is how. Works for 10.2 databases, should work for 10.1 (as 10.1 also knows mkstore), does not work for 9.2 or lower.
Another great option of mkstore (and the reason I found this...) is to store credentials for a database - great for securing database links and batch processes.
More on that in the security manual, here, and an example.
Monday, August 27, 2007
Status 84?
Not feasible to fix?
Annoying, to say the least - ever been in the situation where the Network Configuration Assistant could not process your tnsnames.ora? Manually edited just once too often?
I ran into this error when using the Enterprise Security Manager - I was mapping an Enterprise Role to Database Roles.
[AWT-EventQueue-0][2007-8-17:16:14:56:927] java.lang.ArrayIndexOutOfBoundsException: 240
at oracle.net.nl.NVTokens.parseTokens(Unknown Source)
at oracle.net.nl.NVFactory.createNVPair(Unknown Source)
at oracle.net.nl.NLParamParser.addNLPListElement(Unknown Source)
at oracle.net.nl.NLParamParser.initializeNlpa(Unknown Source)
at oracle.net.nl.NLParamParser.<init>(Unknown Source)
at oracle.sysman.vdb.VdbUtil.findInTNSFile(VdbUtil.java:824)
at oracle.sysman.vdb.VdbUtil.findInTNSNAMES(VdbUtil.java:792)
at oracle.sysman.vdb.VdbUtil.buildConnectDescriptor(VdbUtil.java:295)
at oracle.sysman.vdb.VdbUtil.buildConnectDescriptor(VdbUtil.java:224)
at oracle.sysman.vdb.VdbSession.buildConnectionInformation(VdbSession.java:4195)
Not the complete stack - note the "findInTNSFile"
Much to my surprise, the ESM ignores the ldap.ora entries completely, and falls back to the local tnsnames.ora file - which it fails to process. Metalink revealed two related bugs (5527753 and 2887391), of which 2887391 looked like an exact match. 2887391 has the status "Closed, not feasible to fix", which is status 84...
The workaround is to clean up the tnsnames.ora file that is being used, and make it NetCA compatible...
Come on, Oracle! Just this once, make your C programs and Java behave the same! If SQL*Plus can process this file correctly, and tnsping can, why can't NetManager, ESM or NetCA?!?
Friday, August 17, 2007
Enterprise network issues
Just had a situation where I set up an enterprise user on a registered database. Logging on to the instance works on the machine itself:
SQL> create user global_id_schema_user identified globally;
User created.
SQL> grant connect to global_id_schema_user;
Grant succeeded.
SQL> connect bortel
Enter password:
Connected.
SQL> select sys_context('userenv','external_name') from dual;
SYS_CONTEXT('USERENV','EXTERNAL_NAME')
--------------------------------------------------------------------------------
cn=bortel,cn=users,dc=***,dc=nl
SQL> select * from session_roles;
ROLE
------------------------------
CONNECT
However, trying to connect from a remote station, I got the following error:
SQL> conn bortel@oinfra
Enter password:
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
This strikes me as odd, as the database registered successfully.
The TNSPING utility shows
M:\>tnsping oinfra
TNS Ping Utility for 32-bit Windows: Version 10.2.0.3.0 - Production on 17-AUG-2007 11:14:15
Copyright (c) 1997, 2006, Oracle. All rights reserved.
Used parameter files:
C:\oracle\DB92\network\admin\sqlnet.ora
Used LDAP adapter to resolve the alias
Attempting to contact (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=machine.at.certain.domain)(PORT=1521))
(CONNECT_DATA=(SERVICE_NAME=oinfra.machine.at.certain.domain)))
OK (10 msec)
Looks like the service name is not known to the listener. I know this setup uses hardcoded aliases in listener.ora (which is going to change - this client will switch to instances registering themselves, using local_listener). Sure enough, on the database server:
me@machine> lsnrctl services listener_machine
LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:29:21
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:136 refused:0
LOCAL SERVER
The command completed successfully
Not a trace of the fully qualified service name "oinfra.machine.at.certain.domain".
The solution to this is to add GLOBAL_DBNAME to the listener.ora file:
SID_LIST_LISTENER_MACHINE =
(SID_LIST =
(SID_DESC =
(SID_NAME = oinfra)
(global_dbname=oinfra.machine.at.certain.domain)
(ORACLE_HOME = /oracle/....)
(connection_data =
(sid = oinfra)
)
)
)
Then, do a reload of the listener configuration, and check the results:
me@machine>lsnrctl reload listener_machine
LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:55:55
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
The command completed successfully
me@machine>lsnrctl services listener_machine
LSNRCTL for HPUX: Version 10.2.0.2.0 - Production on 17-AUG-2007 11:56:04
Copyright (c) 1991, 2005, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=oinfra)))
Services Summary...
Service "oinfra.machine.at.certain.domain" has 1 instance(s).
Instance "oinfra", status UNKNOWN, has 1 handler(s) for this service...
Handler(s):
"DEDICATED" established:0 refused:0
LOCAL SERVER
The command completed successfully
After that, the remote login succeeds:
SQL> conn bortel@oinfra
Enter password:
Connected.
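The listener.ora above and the tnsnames.ora from the "Status 84?" entry share the same Oracle Net name/value syntax. As an added example (not code from the original posts), this Python parser reports where a hand-edited file stops being well-formed, which the NetCA/ESM Java parser only signals with an ArrayIndexOutOfBoundsException, and derives which service names a static SID_LIST advertises, so the ORA-12514 above can be predicted before reloading the listener. The sample files are constructed from the posts' values; the ORACLE_HOME path is a placeholder.

```python
# Constructed sample: the SID_LIST from the post with GLOBAL_DBNAME added;
# the ORACLE_HOME path is a placeholder, not one from the post.
LISTENER_ORA = """\
SID_LIST_LISTENER_MACHINE =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = oinfra)
      (GLOBAL_DBNAME = oinfra.machine.at.certain.domain)
      (ORACLE_HOME = /path/to/oracle_home)
    )
  )
"""
# The same file as it stood before the fix: no GLOBAL_DBNAME line.
LISTENER_ORA_BEFORE = "\n".join(
    ln for ln in LISTENER_ORA.splitlines() if "GLOBAL_DBNAME" not in ln)

# Constructed sample: a hand-edited tnsnames.ora that lost one closing parenthesis.
BROKEN_TNSNAMES = """\
OINFRA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = machine.at.certain.domain)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = oinfra.machine.at.certain.domain)
  )
"""


class NVSyntaxError(ValueError):
    """Raised with the line number at which the name/value syntax breaks."""


def _tokenize(text):
    """Yield (token, line_no): '(', ')', '=' or a bare word; '#' starts a comment."""
    for line_no, line in enumerate(text.splitlines(), 1):
        word = ""
        for ch in line.split("#", 1)[0]:
            if ch in "()=" or ch.isspace():
                if word:
                    yield word, line_no
                    word = ""
                if not ch.isspace():
                    yield ch, line_no
            else:
                word += ch
        if word:
            yield word, line_no


def parse_nv(text):
    """Parse 'NAME = (A = (B = x)(C = y))' into nested dicts with uppercased keys;
    a key that repeats (e.g. several ADDRESS entries) collects its values in a list."""
    tokens = list(_tokenize(text))
    pos = [0]

    def peek():
        return tokens[pos[0]][0] if pos[0] < len(tokens) else None

    def take(expected=None):
        if pos[0] >= len(tokens):
            raise NVSyntaxError("unexpected end of file after line %d: unbalanced parentheses"
                                % (tokens[-1][1] if tokens else 0))
        tok, line_no = tokens[pos[0]]
        if expected is not None and tok != expected:
            raise NVSyntaxError("line %d: expected %r, got %r" % (line_no, expected, tok))
        pos[0] += 1
        return tok

    def value():
        if peek() != "(":            # a bare word such as oinfra or 1521
            return take()
        node = {}
        while peek() == "(":         # one or more (KEY = value) pairs
            take("(")
            key = take().upper()
            take("=")
            val = value()
            take(")")
            if key in node:          # repeated key: keep every value
                prev = node[key]
                node[key] = (prev if isinstance(prev, list) else [prev]) + [val]
            else:
                node[key] = val
        return node

    result = {}
    while peek() is not None:        # top level: NAME = value, repeated
        name = take().upper()
        take("=")
        result[name] = value()
    return result


def validate_nv(text):
    """None when the file parses cleanly, otherwise a message saying where it breaks."""
    try:
        parse_nv(text)
    except NVSyntaxError as exc:
        return str(exc)
    return None


def services_advertised(listener_text, sid_list_name):
    """Service names a static SID_LIST registers: GLOBAL_DBNAME when set, else SID_NAME."""
    descs = parse_nv(listener_text)[sid_list_name.upper()]["SID_LIST"]["SID_DESC"]
    descs = descs if isinstance(descs, list) else [descs]
    return {d.get("GLOBAL_DBNAME", d.get("SID_NAME")).lower() for d in descs}
```

A connect descriptor whose SERVICE_NAME is not in the set returned by services_advertised is exactly the ORA-12514 case from the post.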
Wednesday, July 11, 2007
Oracle 11g
No downloads yet, but marketing starts spinning up.
All features and why we should is here. Have fun reading.
[Edit] It's downloadable; the Linux versions, that is.
[Edit] As of today, October 23, 2007, 11g for Windows is available from OTN.
Monday, July 09, 2007
Cannot login Enterprise Manager
It happened to me the other day: I could no longer log in to an Enterprise Manager site, and I was sure I had the correct password. It might have something to do with running ssoReplSetup.jar.
Anyway, the solution is to use a hidden option of emctl: reset. These are the steps to revitalize your OEM:
- edit $ORACLE_HOME/sysman/j2ee/jazn-data.xml
- find ias_admin entry
- remove line with "credentials"
- save file
- emctl set password reset <new_password>
- (re)start oem: emctl start iasconsole
Wednesday, June 27, 2007
Sunday, June 10, 2007
High Performance, High Availability in Oracle Application Server
Last update: Aug 10, 10:53 (11g Download!)
Ambitious?
Here is what I want to do. I have done setups according to the Enterprise Deployment Guide, ending up with a configuration similar to what you can see here, and I've also witnessed stuff, described in numerous metalink articles (so it must be hard :) ) and in the High Availability Guide, that lead to this.
Now, for some reason, my current assignment does not allow RAC setups. Reasoning fails, but I have given up after a year and a half: "This is the first release of RAC - we don't do first releases". Which is crap, of course, since the predecessors have been around some 8 (yes - eight) releases: 7.1, 7.2, 7.3, 8.0, 8.1, 9.0, 9.1, 10.1 and now 10.2. Thanks to Oracle Marketing...
Anyway, that leads to a point where the database has become the single point of failure, when using the Enterprise setup. This setup uses the same (Clustered) database as OID storage, as well as the Application Server Repository.
Using the High Availability Guide, you will not have High Performance: as one link in the chain breaks, the whole chain is unavailable - you will still have the parallel chain, so availability does not suffer, just performance. This is due to the fact the databases do act as backups for OID, but not for the Application Server Metadata!
So, where the first setup is clustered on Application Server level, the second is not. Where the second setup allows one chain to become completely, or partially unavailable, the first approach will fail in the database department (which is not, and cannot be RAC!). What I want is best of both! I want Application Server Clustering, and Load Balancing, and Replication and Fail-Over! So, there you have it.
Ambitious? Sure!
Can it be done? Well, I actually don't know. You are here to find out.
When do you know? Well, at the end of the story, and this may become a lengthy one. I do not want to split it, as I did with the Enterprise Security entries, so I will update this article as I go.
Preparations
I have three machines at my disposal, all equipped with two hard disks. The latest replacement is equipped with an Intel E6600 processor, 4GB RAM and two 320GiB SATA disks. It replaced the AMD 2100+ with 1.5GB memory and two 80GB ATA100 disks in a stripe set.
For test purposes, I already had a "server", which has been used before.
Both machines have been rebuilt, using the previous post.
All three machines are interconnected via a gigabit switch, using proper, short, 1GB certified network cables. The gigabit ethernet interfaces are the onboard ones, and price of the switch is not an issue anymore.
So much for the hardware; as for the software, better start early, as there is some 6,832MB (well over 6GB!) to be downloaded! Of course, the 400MB from CentOS is already completed. That leaves:
Installation
Once done downloading the software, and redistributing over all systems (see the previous post), I started installing.
Installation phase 1: the databases
Well, nothing much to tell about installing that base and patch level on Windows, but for some tricks:
Installation phase 2: create the Repository
Unpack the zip file, and install the Metadata Repository Creation Assistant. After that, just run the bloody thing - not much to tell here, apart from the strange behavior where 23 datafiles, totalling 1.4GB of diskspace gets written, deleted and written again. I chose to have the repository related files all in one location (hey - this is just a demo!), but separate them from the other database datafiles, by using a one level deeper subdirectory "rep".
If the checks on paramaters fail, alter them. This is a fairly easy install.
Installation phase 3: prepare for Replication - create the second instance
I used RMAN clone database for this. I need a (clean) backup anyway, so here we go. There are two stages: making the backup, and restoring the clone:
Phase 3a: backup.
Open a Command Line Interface (MS Windows: Run-> cmd, *ix: your favorite shell)
set your environment variables
Phase 3b: clone.
Create the (empty) directories for the clone (data/admin)
Copy init.ora and alter directory paths and instancename
Add newly created instance to tnsnames.ora and listener.ora.
Start listener.
MS Windows only: create the service:
Open a Command Line Interface (MS Windows: Run-> cmd)
Create passwordfile:
orapwd.exe file=%ORACLE_HOME%\database\PWDoidrep.ora password=oracle force=y
set oracle_sid=oidrep
sqlplus / as sysdba
startup nomount pfile=D:\oracle\admin\oidrep\pfile\initoidrep.ora
exit
Let's clone!
That is it! This is a screen scrape from the actual session (some lines are snipped for brevity):
So - all in all the cloning took 13 minutes.
In contrast to earlier releases, that did not create the tempfile, belonging to the temporary tablespace, there is no more need to create a tempfile - it's there!
Bounce the db, to make sure the spfile is picked up
No worries about dbid, either...
That concludes the database preparations.
Installation phase 4: prepare the Network
I made a distinction between two stages: getting the balancer, and adding virtual addresses.
First off, a little bit about the setup. As said earlier on, I (only) have 3 machines, and the complete configuration requires at least four, better yet, six. As 6=3*2, every machine gets a double function, some even a triple function (and no - you do not want to VMware this - your host will not cope with it...)
Phase 4a: get, make and install balance.
Log on to your machines as root. I need the C compiler, so let's get it:
Next, download the source tarball from http://www.inlab.de/balance-3.35.tar.gz to /install
Now, if you would run make; make install at this stage, you would get a (minor) error; there's a slight typographical error on line 11 of the Makefile, so change it:
And run "make install":
Not doing so, will lead to this error:
No harm done; simply edit the Makefile and rerun... Failure to do so will not have any effect on the program, you just will not have the man pages.
Phase 4b: virtual addresses and names to your local network.
Remember, basically, I wanted:
So, network wise, I would need:
Physically, I have used the machine names OIDHOST and IDMHOST so far. See the previous posting about that. What I'm going to do is install the first OID and IDM installs on OIDHOST and IDMHOST respectively, and the second OID and IDM installs go on IDMHOST and OIDHOST respectively.
Both application servers will serve OID as well as IDM:
This leads to:
In addition: db1020.home.local resides on 192.168.1.104, as does oidrep, the replication instance.
Let's add the addresses:
On IDMHOST:
On OIDHOST:
Check by running ifconfig:
You may also define (permanent) virtual addresses here. If you insist on doing it by hand, create the appropriate files (ifcfg-eth0:1, etc.) in /etc/sysconfig/network-scripts:
Alternatively, add the ifconfig eth0:1 lines to /etc/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/sbin/ifconfig eth0:1 192.168.1.215
/sbin/ifconfig eth0:2 192.168.1.216
/sbin/ifconfig eth0:3 192.168.1.217
Change the hosts files on all machines, under Linux, it is /etc/hosts:
Do not forget to add these to the hosts file on the database host (C:\WINDOWS\system32\drivers\etc\hosts)! Failing to do so will result in nasty install errors.
Let's reboot the systems to see if everything acts as we want: reboot -n
Try to ping every host defined, from every machine. If that is successful, let's do the fandango:
Similar:
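To make the phase 4b addresses survive a reboot without hand-editing, and to catch a hosts file that is out of step before the installer does, here is a small shell helper. It is an added example, not part of the original post: it assumes CentOS-style ifcfg files on eth0, a /24 netmask (the post uses 192.168.1.x throughout), and the host names used above; the hosts file it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): persist the phase 4b virtual
# addresses as ifcfg-eth0:N files and check a hosts file for the names the
# installers will look up. Assumptions: CentOS-style network-scripts, device
# eth0, a /24 netmask (the post uses 192.168.1.x), and the host names below.

# Print the contents of one ifcfg-eth0:N file.
gen_ifcfg() {
    # $1 = alias number, $2 = IP address
    printf 'DEVICE=eth0:%s\nIPADDR=%s\nNETMASK=255.255.255.0\nONBOOT=yes\n' "$1" "$2"
}

# Write ifcfg-eth0:1 .. ifcfg-eth0:N into directory $1, one file per address
# given after it, and print the number of files written.
write_aliases() {
    dir=$1; shift
    n=1
    for ip in "$@"; do
        gen_ifcfg "$n" "$ip" > "$dir/ifcfg-eth0:$n"
        n=$((n + 1))
    done
    echo $((n - 1))
}

# Report names missing from a hosts(5)-format file. $1 = file, rest = names.
# Prints each missing name; returns 0 if none are missing, 1 otherwise.
# Comments are stripped and only whole tokens after the address match, so
# "db1020" does not satisfy a lookup for "db1020.home.local".
hosts_missing() {
    file=$1; shift
    rc=0
    for name in "$@"; do
        if ! awk -v n="$name" '
                { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                END { exit !found }' "$file"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Example use on IDMHOST/OIDHOST as root (names assumed from the post; add
# your own virtual names to the list):
#   write_aliases /etc/sysconfig/network-scripts 192.168.1.215 192.168.1.216 192.168.1.217
#   hosts_missing /etc/hosts oidhost.home.local idmhost.home.local login.home.local db1020.home.local
```

Run hosts_missing on every box, the Windows database host included, before starting any installer; a name that resolves on one node and not on another is exactly the kind of thing that surfaces as an unhelpful error halfway through a wizard.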
That concludes phase 4.
Installation phase 5: Oracle Internet Directory
Phase 5a: Preliminaries.
On both machines, create distinct groups and a user:
[root@oidhost ~]# groupadd oidown
[root@oidhost ~]# groupadd oidinst
[root@oidhost ~]# useradd oidoracle -g oidinst -G oidown -c 'Oracle Internet Directory software owner'
[root@oidhost ~]# passwd oidoracle
Changing password for user oidoracle.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Make sure I can unpack the cpio and zip files in the /install directory (which is not owned by oidoracle!). A world-writable directory is the quick way on a throwaway test box; chown oidoracle /install, or a group-writable mode, is the tighter option on a box that is shared:
[root@oidhost ~]# chmod 777 /install
Create the installation directory, and change ownership:
[root@oidhost ~]# mkdir -p /oracle/ias/oraInventory
[root@oidhost ~]# chown -R oidoracle:oidown /oracle
[root@oidhost ~]# su - oidoracle
[oidoracle@oidhost ~]$ cd /install
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk1.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk2.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk3.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk4.cpio
[oidoracle@oidhost install]$ unzip p4960210_10122_LINUX.zip -d p4960210
[oidoracle@oidhost install]$ unzip p5901894_10122_LINUX.zip -d p5901894
[oidoracle@oidhost install]$ unzip p5922121_10122_LINUX.zip -d p5922121
Phase 5b: first OID install.
I was planning on using non-default ports, so let's do some preparation for that:
[oidoracle@oidhost install]$ cp Disk1/stage/Response/staticports.ini /oracle/ias/staticports.ini
Now, I need to make the installer aware of the fact, I want ports 3060 and 3130 to be used. The interesting part of staticports.ini:
# Infrastructure
Oracle Internet Directory port = 3060
Oracle Internet Directory (SSL) port = 3130
#Oracle Certificate Authority SSL Server Authentication port = port_num
#Oracle Certificate Authority SSL Mutual Authentication port = port_num
#Ultra Search HTTP port number = port_num
OK - let's fire up the installer:
[oidoracle@oidhost ~]$ export DISPLAY=192.168.1.104:0.0
[oidoracle@oidhost ~]$ /install/Disk1/runInstaller
Enter the correct locations, and...
Let's do what is asked for...
Once more - correct locations...
Infrastucture install...
Let's do Identity Management.
Yeah - don't feel like upping it even further - besides, these are the values, specified in the Linux Installation Manual... Just mark them as okay, and continue.
Of course we have root privileges - I am not really going to upload a picture showing how to confirm that, just continue to the next:
Remember the envisioned setup: The LDAP services (OID) and Integration will be running here, and the rest (SSO and DAS, no CA this time) on the Identity Management Host (idmhost.home.local)
With all the preparations, make sure we use them! Select the correct file.
Enter the correct data, and...
What the ...?!? The Oracle Application Server Metadata Repository is not compatible?!? I checked and double-checked versions - no error there! Back to the drawing board!
Update:
As far as I can tell, Metalink came up empty, Google came up empty and so did Tahiti. I admit I did not look at all references matching my search criteria, because a lot of hits are about backwards compatibility problems. And I know for a fact that the MRCA versions 10.1.2.0.0 and 10.1.2.0.2 are incompatible, too.
The screen itself leaves no room for informative queries, so all that is left is the log file of the installation itself. This looks like:
What I understand from this is that OID not being configured causes the installer to abort. Of course OID isn't configured - I chose to install that!
Anyway - somewhere deep (in /install/Disk1/stage/Queries/DBConnectQueries/8.2/1) there is a file, called DBConnectQueries.jar. Opening it, and searching for GetRepositoryVer showed some interesting stuff (like the development machine, syndey.oracle.com, with system password!), like:
I cannot tell where the second query comes in, but the first does resolve:
I fired up the MRCA again, and tried to redo the install. Nope - remove first, and only then install... Remove drops objects, before dropping tablespaces. There is a faster way to do that... had to do it twice, no indication why, the last line of the first sessions' log reads:
During the process, I observed:
That seems to be different from where I started - but the MRCA did finish OK...
Well, back to cloning and then retry the install!
Update: Started the machines, database instance and listener, and the balancer on both machines.
Checked hosts. Installer continued smoothly this time:
I left it for what it was - you may consider otherwise, especially when you have plans on extending the root entry (.local, in this case). For .com it may not be such a problem, but for .nl it will be - imagine your company extends abroad. In that case, consider a megalomaniac '.world' as root: your.company.nl.world can expand into your.other.be.world.
MDS stands for Master Definition Site...
229 products(!) to be installed. And I did not even select all options!
Let's take a closer look at the log, then:
OK - see if the process actually runs; switch to $ORACLE_HOME/opmn/bin, and:
Still - retry fails. Then I realize I already switched on load balancing... and sure enough, after killing these balance processes, the wizards continued, only to fail once more:
This is a bit of a silly error message: opmn cannot start the process, because I already started it! Resolution: stop the process manually:
Some (actually, a lot) of wizards later, this is the reward:
Update: (Phase 5c - second OID install)
Started both instances, and opened the databases. Logged on to oidhost, and changed .bash_profile; added these lines:
That allows me to:
Logged on to the idmhost, with the oidoracle account. Edited the local hosts file again, with the following contents:
Fired up the installer:
Only the screens that differ from the ones above are shown:
Select three options: Internet Directory, Directory Integration and HA/Replication.
Indicate the correct location of the staticports.ini file.
I had to use SYSTEM here - could not get SYS to work:
Hmmmmmm.... I don't want to choose here! I want both. Maybe this is the reason clustered installs don't replicate? In this manner, there are two farms, and farms cannot cluster. Only whatever application server instance belongs to the farm, can participate in a cluster: 1 farm == 1 repository.
Maybe when I base the instance on a file-based repository, on a shared disk?!?
Next screen, select Replication:
Next screen, select Advanced Replication.
Now, this one is tricky: it states "Master Node", where in fact, this is the second install. True, but this is Multi Master Replication, so in fact: there are no masters (or everyone is the master)!
Same here: "Master", but watch out: the data entered actually refers to the real master, the first installed instance: oidhost.home.local!
Provide the correct connection information, and get used to the "cn=" notation - this is LDAP land... Note the naming of the instance: rms, as in "Replicated Master Site".
That's it... the installer will install, the wizards will whizz, and it all ends in:
Update: Something went wrong, I noticed after reflection. I miss one installer screen; the one that allows me to select the (virtual) ip address and (virtual) server name! It should have been presented because of the changes I made to oraparam.ini (SHOW_HOSTNAME=ALWAYS_SHOW) .
Update:
Before attempting to get replication to work, I'll need to fix the network component. That means adding the "other" entry to each tnsnames.ora, so each file is identical:
It also means, I need to add a default domain - OID seems to make it a habit of sometimes using a domain qualified call, sometimes not. Consequently, db1020 as well as db1020.home.local must be resolved. Added this to sqlnet.ora:
The same is true for the database server(s); they need to be able to connect later on - after all, it is database-based replication, not Application Server!
Next stop: replication!
Update: (Phase 6 - install Replication)
After all these preparations, starting replication should be quite easy: use the remtool (reminding me of a REMoval tool, what's in a name?): (some logging has been snipped to save space)
If the setup fails with
Now, start replication services, and see if they run:
Same thing on other machine:
Well, fire up the Directory Manager, connect to both LDAP servers, and navigate to cn=Entry Management,dc=local,dc=home,cn=users,cn=orcladmin.
On the first machine, oidhost, you will see this (notice the timestamp):
The replicated machine, idmhost, will show this:
Note that not only are the timestamps the same (and I did not do the two installs simultaneously), but the modifiersname is the replication process:
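Directory Manager shows the replicated entry nicely, but the same check from the shell is easier to repeat after every restart. The helper below is an added example, not from the original post: it assumes Oracle's ldapsearch in $ORACLE_HOME/bin with the -h/-p/-D/-w/-b/-s/-L flags of OID 10g, the non-SSL port 3060 and the cn=orcladmin entry shown above; the entry dumps it is tested against are constructed. Be aware that -w puts the bind password in the process list, exactly as odisrvreg -w does further down this page.

```shell
#!/bin/sh
# Added example (not from the original post): verify OID replication from the
# shell by comparing modifytimestamp/modifiersname of one entry on both nodes.
# Assumes Oracle's ldapsearch in $ORACLE_HOME/bin (OID 10g flags -h -p -D -w
# -b -s -L), the non-SSL port 3060 and the cn=orcladmin entry from the post.

# Print the value of attribute $1 from an entry dump on stdin. Handles both
# LDIF ("attr: value", ldapsearch -L) and Oracle's default "attr=value" lines.
ldif_attr() {
    awk -v a="$1" 'BEGIN { a = tolower(a) }
        {
            sep = index($0, ":"); eq = index($0, "=")
            if (sep == 0 || (eq > 0 && eq < sep)) sep = eq
            if (sep == 0) next
            k = tolower(substr($0, 1, sep - 1))
            v = substr($0, sep + 1); sub(/^ +/, "", v)
            if (k == a) { print v; exit }
        }'
}

# Compare two dumps of the same entry ($1 from the MDS, $2 from the RMS).
# Prints a one-line verdict; returns 0 when in sync, 1 otherwise.
compare_entry() {
    ts_a=$(printf '%s\n' "$1" | ldif_attr modifytimestamp)
    ts_b=$(printf '%s\n' "$2" | ldif_attr modifytimestamp)
    if [ -z "$ts_a" ] || [ -z "$ts_b" ]; then
        echo "MISSING: modifytimestamp not returned by one of the nodes"
        return 1
    fi
    if [ "$ts_a" != "$ts_b" ]; then
        echo "OUT OF SYNC: $ts_a vs $ts_b"
        return 1
    fi
    echo "OK: $ts_a (last modified by $(printf '%s\n' "$2" | ldif_attr modifiersname))"
}

# Pull the entry from a live node. -w exposes the password in the process
# list, just like odisrvreg -w on this page; acceptable on a test box only.
fetch_entry() {
    # $1 = host, $2 = port, $3 = orcladmin password
    "$ORACLE_HOME/bin/ldapsearch" -h "$1" -p "$2" -D cn=orcladmin -w "$3" \
        -b "cn=orcladmin,cn=users,dc=home,dc=local" -s base -L \
        "objectclass=*" modifytimestamp modifiersname
}

# Usage against the two nodes of the post:
#   compare_entry "$(fetch_entry oidhost.home.local 3060 "$PW")" \
#                 "$(fetch_entry idmhost.home.local 3060 "$PW")"
```

Touch the entry on one node (any attribute change will do), wait a few seconds, and run the comparison again; the timestamp should move on both sides and modifiersname on the far side should name the replication agent, not you.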
Update:
Starting up all processes (e.g. after a startup; I do not leave my test machines on 24*7), is as easy as 1-2-3:
This odisrv is a bit of a nag. It is running perfectly on the other machine:
However, opmnctl does not seem to control it, after a few stopall and startall, I had this:
Oh well. What bothers me is the fact odisrv does not run on idmhost; the log shows:
On oidhost, the correct startup message in the log:
Update: (don't try this - see below)
Change the port on idmhost.home.local from 389 to 3060, ran dcmctl updateconfig.
Then, I ran this, and all of a sudden, it worked!
[oidoracle@idmhost log]$ odisrvreg -D cn=orcladmin -w Welcome1 -p 3060
Registering for the first time...
DIS registration successful.
[oidoracle@idmhost log]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 5645
Process oidldapd is Alive as PID 5648
Process oidldapd is Alive as PID 5660
Process oidrepld is Alive as PID 5697
Process odisrv is Alive as PID 5964
I'd have expected the odisrvreg utility to report "already registered - updating". This leaves a somewhat eerie feeling; anyone knowing what is going on, please comment! (Also note that -w puts the orcladmin password on the command line, so in the process list and the shell history; fine on this test box, not elsewhere.)
I'll update myself on that: the odisrv process does not need to run on both sides - it's supposed to failover. However, I still fail to see how - I even tried kill -9 (all processes), but could not get odisrv to start on the other node.
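The 1-2-3 startup is asynchronous: opmnctl startall returns before oidldapd and oidrepld are actually up, and ldapcheck is what tells you the truth. Here is an added shell helper, mine and not from the post, that polls ldapcheck from $ORACLE_HOME/ldap/bin until the processes you name report Alive, plus a parser for its output that also counts the oidldapd instances. ORACLE_HOME must be set; the ldapcheck listing used in the self-test is constructed after the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): poll ldapcheck after opmnctl
# startall until the OID processes you care about are alive. Assumes OID 10.1.2
# paths ($ORACLE_HOME/ldap/bin/ldapcheck, $ORACLE_HOME/opmn/bin/opmnctl) and
# ldapcheck's "Process <name> is Alive as PID <n>" output format.

# Exit 0 if the ldapcheck text on stdin lists process $1 as Alive, else 1.
proc_alive() {
    awk -v p="$1" '$1 == "Process" && $2 == p && $4 == "Alive" { found = 1 }
                   END { exit !found }'
}

# Print how many instances of process $1 are alive; oidldapd normally shows
# one dispatcher and one or more server processes, so two or more is healthy.
proc_count() {
    awk -v p="$1" '$1 == "Process" && $2 == p && $4 == "Alive" { n++ }
                   END { print n + 0 }'
}

# Poll ldapcheck for up to $1 seconds until all processes named after it are
# alive. Returns 0 when they are, 1 on timeout (listing what is still down).
wait_for_oid() {
    remaining=$1; shift
    interval=2
    while :; do
        out=$("$ORACLE_HOME/ldap/bin/ldapcheck" 2>&1 || true)
        missing=""
        for p in "$@"; do
            printf '%s\n' "$out" | proc_alive "$p" || missing="$missing $p"
        done
        if [ -z "$missing" ]; then
            return 0
        fi
        if [ "$remaining" -le 0 ]; then
            echo "timed out waiting for:$missing" >&2
            return 1
        fi
        sleep "$interval"
        remaining=$((remaining - interval))
    done
}

# Typical use on one node; odisrv is deliberately not in the list because,
# as noted above, it runs on one side only.
#   "$ORACLE_HOME/opmn/bin/opmnctl" startall
#   wait_for_oid 120 oidmon oidldapd oidrepld && "$ORACLE_HOME/ldap/bin/ldapcheck"
```

Put the two lines from the usage comment in a start script per node and you get a definite answer before you open Directory Manager, instead of the intermittent "already started" confusion the installer produced earlier.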
Let's continue with phase 7: installation of the middle tier:
Machines are fired up, all processes are up-and-running.
Phase 7a: Preliminaries (see phase 5a).
Phase 7b: Install first middle tier (SSO and DAS server).
Now, fire up the Cygwin X server (xhost + below opens the X server to every host on the network; xhost +idmhost.home.local would have done for this session), and:
frankbo@cs-frank03 ~
$ xhost +
access control disabled, clients can connect from any host
frankbo@cs-frank03 ~
$ ssh idmoracle@idmhost
idmoracle@idmhost's password:
Last login: Sun Jul 8 14:35:34 2007 from dbhost.home.local
[idmoracle@idmhost ~]$ export DISPLAY=192.168.1.104:0.0
[idmoracle@idmhost ~]$ /install/Disk1/runInstaller -invPtrLoc /oracle/idm/oraInventory/oraInst.loc
Fill in the correct settings:
Ditto:
It's still called "Infrastructure", although this is the middle tier:
And I still am not done with the Identity Management Install:
Oh, well, we've been here before...
So let's get started - note I added HA and Replication:
Select the correct file - it needs to pick up the ports actually in use by the OID install (phase 5)
This is an odd one: I am *not* adding a listener, so why this check is executed is beyond me. The resolution is to stop the services on this machine (logon as oidoracle, and issue an opmnctl stopall, or stopproc ias-component=OID)
Once the "error" hurdle is taken, select Cluster:
First install, so I have to create a cluster:
Name it:
Specify correct host; I had the "crossed" setup, so this SSO install (middle tier) will be served by the first install of the Infrastructure, which was on the oidhost:
Specify the password of orcladmin on the OID host:
I make a mistake here - specified the port, as used in metalink note 370458.1. Consequently, I had to change the loadbalancer:
balance -b login.home.local http idm1:7779 % idm2:7779 %
Make up a password, or -better yet- have one generated:
And finally - after a while, and the execution of the (in-)famous root.sh script:
This is what the last screen has to tell:
Now - let me see if the loadbalancer works.
The default (login.home.local) Delegated Administration Service page:
After a successful login:
After Logout, the node information is shown:
Ok - next step: phase 7c: passwords
I need to synchronize all passwords. One of the installation wizards randomized all passwords used in this setup. As connections may float, I do want passwords to be the same on both nodes. The tool for this is ssoReplSetup.jar, a Java program residing in $ORACLE_HOME/sso/lib. Note that it echoes every password you type, as the session below shows, so do not run it in a logged or shared terminal.
Update:
[oidoracle@oidhost ~]$ cd $ORACLE_HOME/sso/lib
[oidoracle@oidhost lib]$ export LD_LIBRARY_PATH=$ORACLE_HOME/lib32:$LD_LIBRARY_PATH
[oidoracle@oidhost lib]$ echo $LD_LIBRARY_PATH
/oracle/ias/oid10.1.2/lib32:/oracle/ias/oid10.1.2/lib
[oidoracle@oidhost lib]$ $ORACLE_HOME/jdk/bin/java -jar ssoReplSetup.jar -prompt
OracleAS Single Sign-On Replication Setup Tool
Release 10.1.2.0.0
Copyright (c) 2003, 2004 Oracle. All rights reserved.
Reading input paramterers ...
Enter MDS OID hostname : oidhost.home.local
Enter MDS OID port : 3060
Enter MDS OID administrator : cn=orcladmin
Enter MDS OID password : Welcome1
Enter MDS OID SSL Enabled (Y/N) : n
Enter RMS OID hostname : idmhost.home.local
Enter RMS OID port : 3060
Enter RMS OID administrator : cn=orcladmin
Enter RMS OID password : Welcome1
Enter RMS OID SSL Enabled (Y/N) : n
Enter RMS SYS DB password : MANAGER
Done reading parameters.
Contacting OID: ldap://oidhost.home.local:3060 ...
OID context received for MDS admin user, cn=orcladmin
Contacting RMS OID: ldap://idmhost.home.local:3060 ...
OID context received for RMS admin user, cn=orcladmin
MDS DB dn: orclReferenceName=DB1020.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
RMS DB dn: orclReferenceName=OIDREP.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
Starting password synchronization between MDS DB and RMS DB.
ERROR: RMS DB connection failed.
Action: Please check the RMS DB SYS Password.
Exception: java.sql.SQLException: ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
java.sql.SQLException: ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:137)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:304)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:271)
at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOauth(T4CTTIoauthenticate.java:647)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:307)
at oracle.jdbc.driver.PhysicalConnection.(PhysicalConnection.java:433)
at oracle.jdbc.driver.T4CConnection.(T4CConnection.java:150)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:31)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:512)
at java.sql.DriverManager.getConnection(DriverManager.java:171)
at oracle.security.sso.server.conf.SyncSSOPwd.syncUpPwds(SyncSSOPwd.java:303)
at oracle.security.sso.server.conf.SyncSSOPwd.main(SyncSSOPwd.java:752)
Checking the password revealed:
The last line indicates I should use the SSL port (3130):
[oidoracle@oidhost lib]$ $ORACLE_HOME/jdk/bin/java -jar ssoReplSetup.jar -prompt
OracleAS Single Sign-On Replication Setup Tool
Release 10.1.2.0.0
Copyright (c) 2003, 2004 Oracle. All rights reserved.
Reading input paramterers ...
Enter MDS OID hostname : oidhost.home.local
Enter MDS OID port : 3130
Enter MDS OID administrator : cn=orcladmin
Enter MDS OID password : Welcome1
Enter MDS OID SSL Enabled (Y/N) : Y
Enter RMS OID hostname : idmhost.home.local
Enter RMS OID port : 3130
Enter RMS OID administrator : cn=orcladmin
Enter RMS OID password : Welcome1
Enter RMS OID SSL Enabled (Y/N) : Y
Enter RMS SYS DB password : manager
Done reading parameters.
Contacting OID: ldap://oidhost.home.local:3130 ...
OID context received for MDS admin user, cn=orcladmin
Contacting RMS OID: ldap://idmhost.home.local:3130 ...
OID context received for RMS admin user, cn=orcladmin
MDS DB dn: orclReferenceName=DB1020.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
RMS DB dn: orclReferenceName=OIDREP.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
Starting password synchronization between MDS DB and RMS DB.
Creating RMS DB connection ... Done.
Synchronizing the password for orasso ...
MDS - orasso password: *****
Modifying orasso schema pwd value in RMS OID...
Modification of orasso user password in RMS OID successful.
Modifying the orasso user password in secondary database ...
Modification of orasso password in RMS db successful.
Synchronizing the password for orasso_ds ...
MDS - orasso_ds password: *****
Modifying orasso_ds schema pwd value in RMS OID...
Modification of orasso_ds user password in RMS OID successful.
Modifying the orasso_ds user password in secondary database ...
Modification of orasso_ds password in RMS db successful.
Synchronizing the password for orasso_pa ...
MDS - orasso_pa password: *****
Modifying orasso_pa schema pwd value in RMS OID...
Modification of orasso_pa user password in RMS OID successful.
Modifying the orasso_pa user password in secondary database ...
Modification of orasso_pa password in RMS db successful.
Synchronizing the password for orasso_public ...
MDS - orasso_public password: *****
Modifying orasso_public schema pwd value in RMS OID...
Modification of orasso_public user password in RMS OID successful.
Modifying the orasso_public user password in secondary database ...
Modification of orasso_public password in RMS db successful.
Synchronizing the password for orasso_ps ...
MDS - orasso_ps password: *****
Modifying orasso_ps schema pwd value in RMS OID...
Modification of orasso_ps user password in RMS OID successful.
Modifying the orasso_ps user password in secondary database ...
Modification of orasso_ps password in RMS db successful.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
Retrieved SSO_SERVER pwd: *****
Decrypted SSO_SERVER pwd: *****
Connected to RMS DB as ORASSO user.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
MDS node LDAP connection SSL usage: Y
Setting OID configurations in RMS DB Done.
Setting up the SSO Server site token in the prefs table...
Updating SSO preference store for the SSO Server site token...
SSO Replication configuration successfully finished.
The same thing needs to be done on the replicated site, idmhost.home.local. I found it not very clear whether this should be done in the middle tier or in the infrastructure - the notes suggest the first, and so does the point in time: after the first middle-tier install.
Rest assured: it should run from the infrastructure - the sites where the OID processes and replication run.
All that is left to install now, is the last middle tier:
The installation is the same as the first one, except for some names that are (obviously) different: the cluster is called SSOClusterB (it could have been the same, by the way), the LDAP server is idmhost.home.local (I am installing on oidhost!), so I will not post any screendumps of that.
Instead, stay tuned for replication woes, and usage notes.
Last and Final Update:
To show that the whole thing is two-fold:
There you have it - two partner applications.
In a nutshell:
Here is what I want to do. I have done setups according to the Enterprise Deployment Guide, ending up with a configuration similar to what you can see here, and I've also witnessed stuff, described in numerous metalink articles (so it must be hard :) ) and in the High Availability Guide, that lead to this.
Now, for some reason, my current assignment does not allow RAC setups. Reasoning fails, but I have given up after a year-and-a-half: "This is the first release of RAC - we don't do first releases". Which is crap, of course , since the predecessors have been around some 8 (yes - eight) releases: 7.1, 7.2, 7,3, 8.0, 8.1, 9.0, 9.1, 10.1 and now 10.2. Thanks to Oracle Marketing...
Anyway, that leads to a point where the database has become the single point of failure, when using the Enterprise setup. This setup uses the same (Clustered) database as OID storage, as well as the Application Server Repository.
Using the High Availability Guide, you will not have High Performance: as one link in the chain breaks, the whole chain is unavailable - you will still have the parallel chain, so availability does not suffer, just performance. This is due to the fact the databases do act as backups for OID, but not for the Application Server Metadata!
So, where the first setup is clustered on Application Server level, the second is not. Where the second setup allows one chain to become completely, or partially unavailable, the first approach will fail in the database department (which is not, and cannot be RAC!). What I want is best of both! I want Application Server Clustering, and Load Balancing, and Replication and Fail-Over! So, there you have it.
Ambitious? Sure!
Can it be done? Well, I actually don't know. You are here to find out.
When do you know? Well, at the end of the story, and this may become a lengthy one. I do not want to split is, as I did with the Enterprise Security entries, so I will update this article as I go.
Preparations
I have to my disposal three machines, all equipped with two harddisks. The latest replacement is equipped with an Intel E6600 processor, 4GB ram and two 320GiB SATA disks. It replaced the AMD 2100+ with 1.5GB memory and two 80GB ATA100 disks in a stripe set.
For test purposes, I already had a "server", which has been used before.
Both machines have been rebuilt, using the previous post.
All three machines are interconnected via a gigabit switch, using proper, short, 1GB certified network cables. The gigabit ethernet interfaces are the onboard ones, and price of the switch is not an issue anymore.
So much for the hardware; as for the software, better start early, as there is some 6,832MB (well over 6GB!) to be downloaded! Of course, the 400MB from CentOS is already completed. That leaves:
- Downloads from oracle:
- 10G release2 Database (640MB for the Windows version)
- 10G Release2 Companion (another 640MB for the Windows version)
- Patch 10.2.0.3 (almost 900MB for Windows)
- CPU Apr2007 for the database (another 140MB)
- iAS 10G release 2 (2 GB in 4 cpio files)
- iAS 10G release 2 patchset (4960210 - 1.7GB)
- CPU Apr2007 patches for Identity Management and OID installs - some 12 MB
- Metadata Repository Creation Assistant V10.1.2.0.2 (400MB zipfile)
I chose the Windows version; basically it does not matter, it executes against remote databases
- Balance (http://www.inlab.de/balance.html)
Installation
Once done downloading the software, and redistributing over all systems (see the previous post), I started installing.
Installation phase 1: the databases
Well, nothing much to tell about installing that base and patch level on Windows, but for some tricks:
- Install the baseline version of the software, do not create a database, or select a prebaked one.
- Install ultraSearch from the Companion CD.
- Patch software, twice (patches 5337014 and 5948242)
db_block_size=8192 db_file_multiblock_read_count=16 open_cursors=300 db_domain="home.local" db_name=db1020 background_dump_dest=D:\oracle\admin\db1020\bdump core_dump_dest=D:\oracle\admin\db1020\cdump user_dump_dest=D:\oracle\admin\db1020\udump control_files=("D:\oracle\oradata\db1020\control01.ctl", "D:\oracle\oradata\db1020\control02.ctl", "D:\oracle\oradata\db1020\control03.ctl") job_queue_processes=10 compatible=10.2.0.3.0 processes=400 sga_target=600M audit_file_dest=D:\oracle\admin\db1020\adump remote_login_passwordfile=EXCLUSIVE pga_aggregate_target=122683392 db_cache_size=144M undo_management=AUTO undo_tablespace=UNDOTBS1 aq_tm_processes=2 shared_pool_size=175M java_pool_size=120M
Installation phase 2: create the Repository
Unpack the zip file, and install the Metadata Repository Creation Assistant. After that, just run the bloody thing - not much to tell here, apart from the strange behavior where 23 datafiles, totalling 1.4GB of diskspace gets written, deleted and written again. I chose to have the repository related files all in one location (hey - this is just a demo!), but separate them from the other database datafiles, by using a one level deeper subdirectory "rep".
If the checks on paramaters fail, alter them. This is a fairly easy install.
Installation phase 3: prepare for Replication - create the second instance
I used RMAN clone database for this. I need a (clean) backup anyway, so here we go. There are two stages: making the backup, and restoring the clone:
Phase 3a: backup.
Open a Command Line Interface (MS Windows: Run-> cmd, *ix: your favorite shell)
set your environment variables
RMAN target / shutdown startup mount backup database;
Phase 3b: clone.
Create the (empty) directories for the clone (data/admin)
Copy init.ora and alter directory paths and instancename
Add newly created instance to tnsnames.ora and listener.ora.
Start listener.
MS Windows only: create the service:
Open a Command Line Interface (MS Windows: Run-> cmd)
oradim -new -sid oidrep -pfile D:\oracle\admin\oidrep\pfile\initoidrep.ora
Create passwordfile:
orapwd.exe file=%ORACLE_HOME%\database\PWDoidrep.ora password=oracle force=y
set oracle_sid=oidrep
sqlplus / as sysdba
startup nomount pfile=D:\oracle\admin\oidrep\pfile\initoidrep.ora
exit
Let's clone!
set oracle_sid=db1020 rman connect target / connect auxiliary sys/oracle@oidrep.home.local duplicate target database to oidrep pfile=D:\oracle\admin\oidrep\pfile\initoidrep.ora db_file_name_convert=( 'D:\oracle\oradata\db1020', 'D:\oracle\oradata\oidrep', 'D:\oracle\oradata\db1020\rep', 'D:\oracle\oradata\oidrep\rep') logfile 'D:\oracle\oradata\oidrep\redo01.log' size 100M, 'D:\oracle\oradata\oidrep\redo02.log' size 100M, 'D:\oracle\oradata\oidrep\redo03.log' size 100M;
That is it! This is a screen scrape from the actual session (some lines are snipped for brevity):
C:\Documents and Settings\frankbo>oradim -new -sid oidrep -pfile D:\oracle\admin\oidrep\pfile\initoidrep.ora
Instance created.

C:\Documents and Settings\frankbo>orapwd.exe file=%ORACLE_HOME%\database\PWDoidrep.ora password=oracle force=y

C:\Documents and Settings\frankbo>set oracle_sid=oidrep

C:\Documents and Settings\frankbo>sqlplus / as sysdba

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jun 3 13:38:53 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to an idle instance.

SQL> startup nomount pfile=D:\oracle\admin\oidrep\pfile\initoidrep.ora
ORACLE instance started.

Total System Global Area  629145600 bytes
Fixed Size                  1292132 bytes
Variable Size             318769308 bytes
Database Buffers          301989888 bytes
Redo Buffers                7094272 bytes
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

C:\Documents and Settings\frankbo>set oracle_sid=db1020

C:\Documents and Settings\frankbo>rman

Recovery Manager: Release 10.2.0.3.0 - Production on Sun Jun 3 13:41:49 2007

Copyright (c) 1982, 2005, Oracle. All rights reserved.

RMAN> connect target /

connected to target database: DB1020 (DBID=4124432604)

RMAN> connect auxiliary sys/oracle@oidrep.home.local

connected to auxiliary database: OIDREP (not mounted)

RMAN> duplicate target database to oidrep
2> pfile=D:\oracle\admin\oidrep\pfile\initoidrep.ora
3> db_file_name_convert=(
4> 'D:\oracle\oradata\db1020', 'D:\oracle\oradata\oidrep',
5> 'D:\oracle\oradata\db1020\rep', 'D:\oracle\oradata\oidrep\rep')
6> logfile 'D:\oracle\oradata\oidrep\redo01.log' size 100M,
7> 'D:\oracle\oradata\oidrep\redo02.log' size 100M,
8> 'D:\oracle\oradata\oidrep\redo03.log' size 100M;

Starting Duplicate Db at 03-JUN-07
using target database control file instead of recovery catalog
allocated channel: ORA_AUX_DISK_1
channel ORA_AUX_DISK_1: sid=432 devtype=DISK

contents of Memory Script:
{
   set newname for datafile 1 to "D:\ORACLE\ORADATA\OIDREP\SYSTEM01.DBF";
   set newname for datafile 2 to
[snip - this goes on and on]
   "D:\ORACLE\ORADATA\OIDREP\REP\GDEFAULT1_OID.DBF";
   set newname for datafile 27 to "D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF";
   restore check readonly clone database ;
}
executing Memory Script

executing command: SET NEWNAME
[snipped more of the same]
executing command: SET NEWNAME

Starting restore at 03-JUN-07
using channel ORA_AUX_DISK_1

channel ORA_AUX_DISK_1: starting datafile backupset restore
channel ORA_AUX_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00001 to D:\ORACLE\ORADATA\OIDREP\SYSTEM01.DBF
restoring datafile 00002 to D:\ORACLE\ORADATA\OIDREP\UNDOTBS01.DBF
[snip - this goes on and on]
restoring datafile 00027 to D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF
channel ORA_AUX_DISK_1: reading from backup piece D:\ORACLE\DB\10.2.0\DATABASE\01IIVGIE_1_1
channel ORA_AUX_DISK_1: restored backup piece 1
piece handle=D:\ORACLE\DB\10.2.0\DATABASE\01IIVGIE_1_1 tag=TAG20070529T215523
channel ORA_AUX_DISK_1: restore complete, elapsed time: 00:09:37
Finished restore at 03-JUN-07
sql statement: CREATE CONTROLFILE REUSE SET DATABASE "OIDREP" RESETLOGS NOARCHIVELOG
  MAXLOGFILES 16
  MAXLOGMEMBERS 3
  MAXDATAFILES 100
  MAXINSTANCES 8
  MAXLOGHISTORY 292
 LOGFILE
  GROUP 1 'D:\oracle\oradata\oidrep\redo01.log' SIZE 100 M ,
  GROUP 2 'D:\oracle\oradata\oidrep\redo02.log' SIZE 100 M ,
  GROUP 3 'D:\oracle\oradata\oidrep\redo03.log' SIZE 100 M
 DATAFILE
  'D:\ORACLE\ORADATA\OIDREP\SYSTEM01.DBF'
 CHARACTER SET WE8MSWIN1252

contents of Memory Script:
{
   switch clone datafile all;
}
executing Memory Script

released channel: ORA_AUX_DISK_1
datafile 2 switched to datafile copy
input datafile copy recid=1 stamp=624289967 filename=D:\ORACLE\ORADATA\OIDREP\UNDOTBS01.DBF
datafile 3 switched to datafile copy
input datafile copy recid=2 stamp=624289967 filename=D:\ORACLE\ORADATA\OIDREP\SYSAUX01.DBF
[snip - this goes on and on]
datafile 27 switched to datafile copy
input datafile copy recid=26 stamp=624289971 filename=D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF

contents of Memory Script:
{
   recover clone database noredo , delete archivelog ;
}
executing Memory Script

Starting recover at 03-JUN-07
allocated channel: ORA_AUX_DISK_1
channel ORA_AUX_DISK_1: sid=431 devtype=DISK

Finished recover at 03-JUN-07

contents of Memory Script:
{
   shutdown clone;
   startup clone nomount pfile= 'D:\oracle\admin\oidrep\pfile\initoidrep.ora';
}
executing Memory Script

database dismounted
Oracle instance shut down

connected to auxiliary database (not started)
Oracle instance started

Total System Global Area  629145600 bytes
Fixed Size                  1292132 bytes
Variable Size             318769308 bytes
Database Buffers          301989888 bytes
Redo Buffers                7094272 bytes
sql statement: CREATE CONTROLFILE REUSE SET DATABASE "OIDREP" RESETLOGS NOARCHIVELOG
  MAXLOGFILES 16
  MAXLOGMEMBERS 3
  MAXDATAFILES 100
  MAXINSTANCES 8
  MAXLOGHISTORY 292
 LOGFILE
  GROUP 1 'D:\oracle\oradata\oidrep\redo01.log' SIZE 100 M ,
  GROUP 2 'D:\oracle\oradata\oidrep\redo02.log' SIZE 100 M ,
  GROUP 3 'D:\oracle\oradata\oidrep\redo03.log' SIZE 100 M
 DATAFILE
  'D:\ORACLE\ORADATA\OIDREP\SYSTEM01.DBF'
 CHARACTER SET WE8MSWIN1252

contents of Memory Script:
{
   set newname for tempfile 1 to "D:\ORACLE\ORADATA\OIDREP\TEMP01.DBF";
   switch clone tempfile all;
   catalog clone datafilecopy "D:\ORACLE\ORADATA\OIDREP\UNDOTBS01.DBF";
   catalog clone datafilecopy "D:\ORACLE\ORADATA\OIDREP\SYSAUX01.DBF";
[snip - this goes on and on]
   catalog clone datafilecopy "D:\ORACLE\ORADATA\OIDREP\REP\GDEFAULT1_OID.DBF";
   catalog clone datafilecopy "D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF";
   switch clone datafile all;
}
executing Memory Script

executing command: SET NEWNAME

renamed temporary file 1 to D:\ORACLE\ORADATA\OIDREP\TEMP01.DBF in control file

cataloged datafile copy
datafile copy filename=D:\ORACLE\ORADATA\OIDREP\UNDOTBS01.DBF recid=1 stamp=624289989

cataloged datafile copy
datafile copy filename=D:\ORACLE\ORADATA\OIDREP\SYSAUX01.DBF recid=2 stamp=624289989

cataloged datafile copy
datafile copy filename=D:\ORACLE\ORADATA\OIDREP\USERS01.DBF recid=3 stamp=624289989
[snip - this goes on and on]
cataloged datafile copy
datafile copy filename=D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF recid=26 stamp=624289994

datafile 2 switched to datafile copy
input datafile copy recid=1 stamp=624289989 filename=D:\ORACLE\ORADATA\OIDREP\UNDOTBS01.DBF
datafile 3 switched to datafile copy
input datafile copy recid=2 stamp=624289989 filename=D:\ORACLE\ORADATA\OIDREP\SYSAUX01.DBF
datafile 4 switched to datafile copy
[snip - this goes on and on]
datafile 27 switched to datafile copy
input datafile copy recid=26 stamp=624289994 filename=D:\ORACLE\ORADATA\OIDREP\REP\SVRMG1_OID.DBF

contents of Memory Script:
{
   Alter clone database open resetlogs;
}
executing Memory Script

database opened
Finished Duplicate Db at 03-JUN-07

RMAN> exit

Recovery Manager complete.

C:\Documents and Settings\frankbo>time /t
01:54 PM
So - all in all the cloning took 13 minutes.
In contrast to earlier releases, which did not create the tempfile belonging to the temporary tablespace, there is no longer any need to create a tempfile by hand - it's there!
C:\Documents and Settings\frankbo>set oracle_sid=oidrep

C:\Documents and Settings\frankbo>sqlplus / as sysdba

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jun 3 14:02:11 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select name from v$tempfile;

NAME
--------------------------------------------------------------------------------
D:\ORACLE\ORADATA\OIDREP\TEMP01.DBF

SQL> create spfile from pfile='D:\oracle\admin\oidrep\pfile\initoidrep.ora';

File created.
Bounce the database, to make sure the spfile is picked up:
SQL> show parameter pfile

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
spfile                               string      D:\ORACLE\DB\10.2.0\DATABASE\SPFILEOIDREP.ORA

SQL> select dbid, db_unique_name from v$database;

      DBID DB_UNIQUE_NAME
---------- ------------------------------
3574270531 oidrep

SQL> connect sys/manager@db1020.home.local as sysdba
Connected.
SQL> /

      DBID DB_UNIQUE_NAME
---------- ------------------------------
4124432604 db1020
No worries about dbid, either...
That concludes the database preparations.
Installation phase 4: prepare the Network
I made a distinction between two stages: getting the balancer, and adding virtual addresses.
First off, a little bit about the setup. As said earlier on, I (only) have 3 machines, and the complete configuration requires at least four, better yet, six. As 6 = 3 * 2, every machine gets a double function, some even a triple function (and no - you do not want to VMware this - your host will not cope with it...)
Phase 4a: get, make and install balance.
Log on to your machines as root. I need the C compiler, so let's get it:
yum install gcc
Next, download the source tarball from http://www.inlab.de/balance-3.35.tar.gz to /install
[root@idmhost ~]# cd /install/
[root@idmhost install]# gunzip balance-3.35.tar.gz
[root@idmhost install]# tar -xf balance-3.35.tar
[root@idmhost install]# cd balance-3.35
Now, if you ran make and make install at this stage, you would get a (minor) error; there's a slight typographical error on line 11 of the Makefile, so change that line:
#MANDIR=${BINDIR}/../man/man1
MANDIR=/usr/share/man/man1
And run "make install":
[root@idmhost balance-3.35]# make install
install -o root -g root -m 755 balance \
/usr/sbin/balance
install -o root -g root -m 755 balance.1 \
/usr/share/man/man1
mkdir -p /var/run/balance
chmod 1777 /var/run/balance
[root@idmhost balance-3.35]#
Not doing so, will lead to this error:
[root@idmhost balance-3.35]# make install
install -o root -g root -m 755 balance \
/usr/sbin/balance
install -o root -g root -m 755 balance.1 \
/usr/sbin/../man/man1
install: cannot create regular file `/usr/sbin/../man/man1': No such file or directory
make: *** [install] Error 1
[root@idmhost balance-3.35]#
No harm done, simply edit the Makefile and rerun... Not doing so has no effect on the program itself; you just will not have the man pages.
Phase 4b: virtual addresses and names to your local network.
Remember, basically, I wanted:
- A load-balanced request to two SSO servers.
- Those SSO servers request a loadbalanced OID.
- Those two OID processes use SQL*Net time-out and load balancing to query two active databases, which are clones of each other.
So, network wise, I would need:
- Two SSO instances (addresses: IDM_IP1 and IDM_IP2), being served by a loadbalancer. This loadbalancer is actually an HTTP balancer, serving the SSO and DAS pages (the Identity Management Layer). As you do not want to bother people with the distinction between IDM_IP1 and IDM_IP2, the balancer should have a name. From now on, that is login.home.local. Its IP address is IDM_IP0.
- The SSO/DAS pages are requesting OID services through a load balancer, but that is an LDAP loadbalancer. It only needs to serve LDAP requests (I am going to use the non-privileged port range, 3060 (non-SSL) and 3130 (SSL), instead of the default 386 and 636).
Physically, I have used the machine names OIDHOST and IDMHOST so far. See the previous posting about that. What I'm going to do is install the first OID and IDM installs on the OIDHOST and IDMHOST respectively, and the second OID and IDM installs go on the IDMHOST and OIDHOST respectively.
Both application servers will serve OID as well as IDM:
IDMHOST: IDM1 OID2
OIDHOST: IDM2 OID1
The first loadbalancer, the HTTP one, will sit on IDMHOST, the second will sit on OIDHOST.
This leads to:
IDMHOST/original address: 192.168.1.220
IDMHOST/IDM1 address: 192.168.1.225
IDMHOST/OID2 address: 192.168.1.226
IDMHOST/login.home.local: 192.168.1.227
OIDHOST/original address: 192.168.1.210
OIDHOST/IDM2 address: 192.168.1.215
OIDHOST/OID1 address: 192.168.1.216
OIDHOST/ldapbal.home.local: 192.168.1.217
In addition: db1020.home.local resides on 192.128.1.104, as does oidrep, the replication instance.
Let's add the addresses:
On IDMHOST:
ifconfig eth0:1 192.168.1.225
ifconfig eth0:2 192.168.1.226
ifconfig eth0:3 192.168.1.227
On OIDHOST:
ifconfig eth0:1 192.168.1.215
ifconfig eth0:2 192.168.1.216
ifconfig eth0:3 192.168.1.217
Check by running ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:50:DA:4A:BC:2A
          inet addr:192.168.1.210  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:daff:fe4a:bc2a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12641 errors:0 dropped:0 overruns:1 frame:0
          TX packets:9048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9696620 (9.2 MiB)  TX bytes:1106121 (1.0 MiB)
          Interrupt:169 Base address:0xd800

eth0:1    Link encap:Ethernet  HWaddr 00:50:DA:4A:BC:2A
          inet addr:192.168.1.215  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Base address:0xd800

eth0:2    Link encap:Ethernet  HWaddr 00:50:DA:4A:BC:2A
          inet addr:192.168.1.216  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Base address:0xd800

eth0:3    Link encap:Ethernet  HWaddr 00:50:DA:4A:BC:2A
          inet addr:192.168.1.217  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:169 Base address:0xd800

Or use Webmin, the Networking entry, Network Configuration, Network Interfaces.
You may also define (permanent) virtual addresses here. If you insist on doing it by hand, create the appropriate files (ifcfg-eth0:1, etc.) in /etc/sysconfig/network-scripts:
BOOTPROTO=none
DEVICE=eth0:1
NETMASK=255.255.255.0
MTU=1500
BROADCAST=192.168.1.255
ONPARENT=yes
IPADDR=192.168.1.225
NETWORK=192.168.1.0
ONBOOT=yes
Alternatively, add the ifconfig eth0:1 lines to /etc/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/sbin/ifconfig eth0:1 192.168.1.215
/sbin/ifconfig eth0:2 192.168.1.216
/sbin/ifconfig eth0:3 192.168.1.217
Change the hosts files on all machines; under Linux, it is /etc/hosts:
127.0.0.1       localhost.localdomain localhost
192.168.1.210   oidhost.home.local
192.168.1.220   idmhost.home.local
192.168.1.104   dbhost.home.local
192.168.1.225   idm1.home.local idm1
192.168.1.226   oid2.home.local oid2
192.168.1.227   login.home.local login
192.168.1.215   idm2.home.local idm2
192.168.1.216   oid1.home.local oid1
192.168.1.217   ldapbalancer.home.local ldapbalancer
Do not forget to add these to the database host (C:\WINDOWS\system32\drivers\etc)! Failing to do so will result in nasty install errors:
(ORA-31203: DBMS_LDAP: PL/SQL - Init Failed, java class not found)
Let's reboot the systems to see if everything acts as we want: reboot -n
Try to ping every host defined, from every machine. If that is successful, let's do the fandango:
[root@idmhost ~]# balance -b login.home.local http idm1:http % idm2:http %
[root@idmhost ~]# balance -b login.home.local https idm1:https % idm2:https %
Similar:
[root@oidhost ~]# balance -b ldapbalancer.home.local 3060 oid1:3060 oid2:3060
[root@oidhost ~]# balance -b ldapbalancer.home.local 3130 oid1:3130 oid2:3130
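A consistency check for the hosts files, as an added example that is not part of the original post: it compares a hosts file against the address plan laid out above and flags names that are missing, mapped to the wrong address, or mapped twice. The plan and the sample hosts content below are constructed inline; in real use, run check_hosts against /etc/hosts on every box (and against the Windows database host's file).

```bash
#!/bin/bash
# Added example, not from the original post: verify that a hosts file
# carries every name/address pair of the virtual-address plan.  A missing
# entry on any machine is the kind of thing that only shows up later, as an
# install error such as ORA-31203 on the database host.

# The plan from the post, "<name> <ip>" per line (constructed from the
# addresses listed above; adjust to your own network).
PLAN='oidhost.home.local 192.168.1.210
idmhost.home.local 192.168.1.220
dbhost.home.local 192.168.1.104
idm1.home.local 192.168.1.225
oid2.home.local 192.168.1.226
login.home.local 192.168.1.227
idm2.home.local 192.168.1.215
oid1.home.local 192.168.1.216
ldapbalancer.home.local 192.168.1.217'

# Constructed sample hosts file: login.home.local has the wrong address and
# ldapbalancer.home.local is missing, so the check has something to report.
SAMPLE_HOSTS='127.0.0.1 localhost.localdomain localhost
192.168.1.210 oidhost.home.local
192.168.1.220 idmhost.home.local
192.168.1.104 dbhost.home.local
192.168.1.225 idm1.home.local idm1
192.168.1.226 oid2.home.local oid2
192.168.1.228 login.home.local login
192.168.1.215 idm2.home.local idm2
192.168.1.216 oid1.home.local oid1'

# write_sample_hosts PATH: write the constructed sample to PATH.
write_sample_hosts() { printf '%s\n' "$SAMPLE_HOSTS" > "$1"; }

# lookup_host FILE NAME: print the address mapped to NAME (first match),
# nothing if absent.  Comments are stripped; NAME must match a whole column.
lookup_host() {
    awk -v name="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_hosts FILE: print "MISSING <name>" or "MISMATCH <name> expected <ip>
# got <ip>" per problem; return 0 when FILE matches the plan, 1 otherwise.
check_hosts() {
    local file="$1" rc=0 name want got
    while read -r name want; do
        [ -z "$name" ] && continue
        got=$(lookup_host "$file" "$name")
        if [ -z "$got" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name expected $want got $got"; rc=1
        fi
    done <<EOF
$PLAN
EOF
    return $rc
}

# duplicate_names FILE: print every name that is mapped to more than one
# address (two balancer boxes editing the same file by hand do this easily).
duplicate_names() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) { if (($i in ip) && ip[$i] != $1) print $i; ip[$i] = $1 } }
    ' "$1" | sort -u
}

# Run the check against the constructed sample (real use: check_hosts /etc/hosts).
tmp=$(mktemp)
write_sample_hosts "$tmp"
if check_hosts "$tmp"; then
    echo "hosts file matches the plan"
else
    echo "fix the entries above on this machine before installing"
fi
duplicate_names "$tmp"
rm -f "$tmp"
```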
That concludes phase 4.
Installation phase 5: Oracle Internet Directory
Phase 5a: Preliminaries.
On both machines, create distinct groups and a user:
[root@oidhost ~]# groupadd oidown
[root@oidhost ~]# groupadd oidinst
[root@oidhost ~]# useradd oidoracle -g oidinst -G oidown -c 'Oracle Internet Directory software owner'
[root@oidhost ~]# passwd oidoracle
Changing password for user oidoracle.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Make sure I can unpack the cpio and zipped files in the /install directory (which is not owned by oidoracle!):
[root@oidhost ~]# chmod 777 /install
Create the installation directory, and change ownership:
[root@oidhost ~]# mkdir -p /oracle/ias/oraInventory
[root@oidhost ~]# chown -R oidoracle:oidown /oracle
[root@oidhost ~]# su - oidoracle
[oidoracle@oidhost ~]$ cd /install
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk1.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk2.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk3.cpio
[oidoracle@oidhost install]$ cpio -idmv < /install/as_linux_x86_portal_wireless_101202_disk4.cpio
[oidoracle@oidhost install]$ unzip p4960210_10122_LINUX.zip -d p4960210
[oidoracle@oidhost install]$ unzip p5901894_10122_LINUX.zip -d p5901894
[oidoracle@oidhost install]$ unzip p5922121_10122_LINUX.zip -d p5922121
Phase 5b: first OID install.
I was planning on using non-default ports, so let's do some preparation for that:
[oidoracle@oidhost install]$ cp Disk1/stage/Response/staticports.ini /oracle/ias/staticports.ini
Now, I need to make the installer aware of the fact that I want ports 3060 and 3130 to be used. The interesting part of staticports.ini:
# Infrastructure
Oracle Internet Directory port = 3060
Oracle Internet Directory (SSL) port = 3130
#Oracle Certificate Authority SSL Server Authentication port = port_num
#Oracle Certificate Authority SSL Mutual Authentication port = port_num
#Ultra Search HTTP port number = port_num
OK - let's fire up the installer:
[oidoracle@oidhost ~]$ export DISPLAY=192.168.1.104:0.0
[oidoracle@oidhost ~]$ /install/Disk1/runInstaller
Enter the correct locations, and...
Let's do what is asked for...
Once more - correct locations...
Infrastructure install...
Let's do Identity Management.
Yeah - I don't feel like upping it even further - besides, these are the values specified in the Linux Installation Manual... Just mark them as okay, and continue.
Of course we have root privileges - I am not really going to upload a picture showing how to confirm that, just continue to the next:
Remember the envisioned setup: The LDAP services (OID) and Integration will be running here, and the rest (SSO and DAS, no CA this time) on the Identity Management Host (idmhost.home.local)
With all the preparations, make sure we use them! Select the correct file.
Enter the correct data, and...
What the ...?!? The Oracle Application Server Metadata Repository is not compatible?!? I checked and double-checked versions - no error there! Back to the drawing board!
Update:
As far as I can tell, Metalink came up empty, Google came up empty and so did Tahiti. I admit, I did not look at all references matching my search criteria, because a lot of hits are about backwards compatibility problems. And I know for a fact that the MRCA versions 10.1.2.0.0 and 10.1.2.0.2 are incompatible, too.
The screen itself leaves no room for informative queries, so all that is left is the log file of the installation itself. This looks like:
Calling Query DBConnectQueries8.2 GetSchemaVer
  SchemaName = *Protected value, not to be logged*
  SchemaPassword = *Protected value, not to be logged*
  ConnectString = 192.168.1.104:1521/db1020.home.local
  SqlQuery = select attrval from ods.ds_attrstore where entryid=1 and attrname = 'orcldirectoryversion'
Query Returned: OID 10.1.2.1.0
OID Schema value returned from SQL is OID 10.1.2.1.0. Extracted version is 10.1.2.1.0.
Calling Query DBConnectQueries8.2 IsOIDConfigured
  SchemaName = *Protected value, not to be logged*
  SchemaPassword = *Protected value, not to be logged*
  ConnectString = 192.168.1.104:1521/db1020.home.local
Query Returned: false
Calling Query DBConnectQueries8.2 IsUserWithDBAPriv
  User = *Protected value, not to be logged*
  Password = *Protected value, not to be logged*
  ConnectString = 192.168.1.104:1521/db1020.home.local
Query Returned: true
Calling Query DBConnectQueries8.2 GetRepositoryVer
  User = *Protected value, not to be logged*
  Password = *Protected value, not to be logged*
  ConnectString = 192.168.1.104:1521/db1020.home.local
Query Returned: Null
Using the default value for query.
Error:*** Alert: The Oracle Application Server Metadata Repository that you have specified is not a compatible version for configuring Oracle Internet Directory. Please specify another database. ***
What I understand from this is that the fact that OID is not configured causes the installer to abort. Of course OID isn't configured - I chose to install that!
Anyway - somewhere deep (in /install/Disk1/stage/Queries/DBConnectQueries/8.2/1) there is a file called DBConnectQueries.jar. Opening it and searching for GetRepositoryVer showed some interesting stuff (like the development machine, syndey.oracle.com, with system password!), like:
select version from app_registry where comp_id = 'MRC';
select version from ias_versions where id = 'mrc';
I cannot tell where the second query comes in, but the first does resolve:
SQL> select comp_id, version, status from app_registry;

COMP_ID                        VERSION                        STATUS
------------------------------ ------------------------------ -----------
PORTAL                         10.1.2.0.2                     VALID
SSO                            10.1.2.0.2                     VALID
WORKFLOW                       10.1.2.0.2                     VALID
B2B                            10.1.2.0.2                     VALID
BAM                            10.1.2.0.2                     VALID
MRC                                                           LOADING
OCA                            10.1.2.0.2                     VALID
OID                            10.1.2.0.2                     VALID
DCM                            10.1.2.0.2                     VALID
DISCOVERER                     10.1.2.0.2                     VALID
I fired up the MRCA again, and tried to redo the install. Nope - remove first, and only then install... Remove drops objects before dropping tablespaces. There is a faster way to do that... I had to do it twice, no indication why; the last line of the first session's log reads:
Repository Loader actionStarting

The correct, completed session goes on after that:

Repository Loader actionStarting
Repository Loader actionFinished
Repository Loader ActionQueueFinished
Unloading...

And continues dropping tablespaces, and explaining the wizard has stopped, about twenty times. Mysteries...
During the process, I observed:
SQL> select comp_id, version, status from app_registry;

no rows selected

SQL> /

COMP_ID                        VERSION                        STATUS
------------------------------ ------------------------------ -----------
MRC                                                           LOADING
DISCOVERER                     10.1.2.0.2                     VALID
DCM                            10.1.2.0.2                     VALID

SQL> /

COMP_ID                        VERSION                        STATUS
------------------------------ ------------------------------ -----------
PORTAL                                                        LOADING
SSO                            10.1.2.0.2                     VALID
WORKFLOW                       10.1.2.0.2                     VALID
B2B                            10.1.2.0.2                     VALID
BAM                            10.1.2.0.2                     VALID
MRC                                                           LOADING
OCA                            10.1.2.0.2                     VALID
OID                            10.1.2.0.2                     VALID
DISCOVERER                     10.1.2.0.2                     VALID
DCM                            10.1.2.0.2                     VALID

10 rows selected.

SQL> /

COMP_ID                        VERSION                        STATUS
------------------------------ ------------------------------ -------
SYNDICATION                    10.1.2.0.2                     VALID
PORTAL                         10.1.2.0.2                     VALID
SSO                            10.1.2.0.2                     VALID
WORKFLOW                       10.1.2.0.2                     VALID
B2B                            10.1.2.0.2                     VALID
BAM                            10.1.2.0.2                     VALID
MRC                            10.1.2.0.2                     VALID
OCA                            10.1.2.0.2                     VALID
OID                            10.1.2.0.2                     VALID
WIRELESS                       10.1.2.0.2                     VALID
DISCOVERER                     10.1.2.0.2                     VALID
DCM                            10.1.2.0.2                     VALID
WCS                            10.1.2.0.2                     VALID
UDDI                           10.1.2.0.2                     VALID
That seems to be different from where I started - but the MRCA did finish OK...
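An added pre-install check, not part of the original post or of Oracle's installer, that parses the output of the app_registry query shown above the way the installer's GetRepositoryVer step effectively does: it extracts the MRC version (empty is what the installer reports as Null) and lists every component that is not VALID, so a half-loaded repository is caught before runInstaller aborts with the "not a compatible version" alert. The sqlplus output below is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): pre-flight check on the
# output of
#   select comp_id, version, status from app_registry;
# Feed it the saved sqlplus output on stdin, e.g.
#   preflight < app_registry.txt

# Constructed sample, shaped like the sqlplus listing above: MRC is still
# LOADING and carries no version, exactly the state that made the installer
# bail out.
SAMPLE_REGISTRY='SQL> select comp_id, version, status from app_registry;

COMP_ID                        VERSION                        STATUS
------------------------------ ------------------------------ -----------
PORTAL                         10.1.2.0.2                     VALID
SSO                            10.1.2.0.2                     VALID
MRC                                                           LOADING
OID                            10.1.2.0.2                     VALID

4 rows selected.'

# registry_rows: drop prompt, header, separator, row-count and blank lines,
# print "COMP_ID|VERSION|STATUS".  VERSION can be empty, so it is derived
# from the field count rather than assumed to be the second column.
registry_rows() {
    awk '
        /^SQL>/ || /^COMP_ID/ || /^-+ / || /rows selected/ || NF == 0 { next }
        {
            comp = $1; status = $NF; ver = ""
            if (NF == 3) ver = $2
            print comp "|" ver "|" status
        }'
}

# mrc_version: print the MRC version, nothing when MRC has none (the Null the
# installer logged).  Input: sqlplus output on stdin.
mrc_version() {
    registry_rows | awk -F'|' '$1 == "MRC" { print $2 }'
}

# not_valid: print "COMP_ID STATUS" for every component whose status is not
# VALID (LOADING, INVALID, ...).  Input: sqlplus output on stdin.
not_valid() {
    registry_rows | awk -F'|' '$3 != "VALID" { print $1 " " $3 }'
}

# preflight: read the listing once from stdin; succeed only when MRC has a
# version and every component is VALID, otherwise print what is wrong.
preflight() {
    local data ver bad
    data=$(cat)
    ver=$(printf '%s\n' "$data" | mrc_version)
    bad=$(printf '%s\n' "$data" | not_valid)
    [ -z "$ver" ] && echo "MRC has no version (installer will see Null)"
    [ -n "$bad" ] && printf 'not VALID: %s\n' "$bad"
    [ -n "$ver" ] && [ -z "$bad" ]
}

# Run against the constructed sample.
if printf '%s\n' "$SAMPLE_REGISTRY" | preflight; then
    echo "repository ready for the OID install"
else
    echo "fix the repository (MRCA) before running the installer"
fi
```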
Well, back to cloning and then retry the install!
Update: Started the machines, database instance and listener, and the balancer on both machines.
Checked hosts. Installer continued smoothly this time:
I left it for what it was - you may consider otherwise, especially when you have plans on extending the root entry (.local, in this case). For .com it may not be such a problem, but for .nl it will be - imagine your company extends abroad. In that case, consider a megalomaniac '.world' as root: your.company.nl.world can expand into your.other.be.world.
MDS stands for Master Definition Site...
229 products(!) to be installed. And I did not even select all options!
Let's take a closer look at the log, then:
Leaving Ldap Post Installation Set File Permissions
Stopping OID Server using OPMN..
Starting OID Server using OPMN..
Mon Jun 18 19:09:49 CEST 2007
Bind request issued. Waiting for OID Server response. with a retryCount:20
Mon Jun 18 19:10:19 CEST 2007
Bind request issued. Waiting for OID Server response.
javax.naming.CommunicationException: oidhost.home.local:3060 [Root exception is java.net.ConnectException: Connection refused]
OK - see if the process actually runs; switch to $ORACLE_HOME/opmn/bin, and:
[oidoracle@oidhost bin]$ ./opmnctl status

Processes in Instance: mds.oidhost.home.local
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
DSA                | DSA                |     N/A | Down
LogLoader          | logloaderd         |     N/A | Down
dcm-daemon         | dcm-daemon         |    5816 | Alive
HTTP_Server        | HTTP_Server        |     N/A | Down
OID                | OID                |     N/A | Down

No wonder, OID is down... Let's just start all processes:
[oidoracle@oidhost bin]$ ./opmnctl startall
opmnctl: starting opmn and all managed processes...
[oidoracle@oidhost bin]$ ./opmnctl status

Processes in Instance: mds.oidhost.home.local
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
DSA                | DSA                |     N/A | Down
LogLoader          | logloaderd         |     N/A | Down
dcm-daemon         | dcm-daemon         |    5816 | Alive
HTTP_Server        | HTTP_Server        |    7753 | Alive
OID                | OID                |    7758 | Alive
Still - the retry fails. Then I realised I had already switched on load balancing... and sure enough, after killing these balance processes, the wizards continued, only to fail once more:
This is a bit of a silly error message: opmn cannot start the process, because I already started it! Resolution: stop the process manually:
[oidoracle@oidhost bin]$ ./opmnctl stopproc type=ohs
opmnctl: stopping opmn managed processes...
opmnctl: stopping opmn managed processes...
Some (actually, a lot) of wizards later, this is the reward:
Update (Phase 5c - second OID install): Started both instances, and opened the databases. Logged on to oidhost, and changed .bash_profile; added these lines:
export ORACLE_HOME=/oracle/ias/oid10.1.2
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/opmn/bin:$PATH
That allows me to:
[oidoracle@oidhost ~]$ opmnctl startall
opmnctl: starting opmn and all managed processes...
[oidoracle@oidhost ~]$ opmnctl status

Processes in Instance: mds.oidhost.home.local
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
DSA                | DSA                |     N/A | Down
LogLoader          | logloaderd         |     N/A | Down
dcm-daemon         | dcm-daemon         |    3906 | Init
HTTP_Server        | HTTP_Server        |    3904 | Alive
OID                | OID                |    3912 | Alive
Logged on to the idmhost with the oidoracle account. Edited the localhosts file again, with the following contents:
Oracle Internet Directory port = 3060
Oracle Internet Directory (SSL) port = 3130
#Oracle Certificate Authority SSL Server Authentication port = port_num
#Oracle Certificate Authority SSL Mutual Authentication port = port_num
#Ultra Search HTTP port number = port_num
Fired up the installer:
[oidoracle@idmhost oracle]$ /install/Disk1/runInstaller -paramFile /oracle/ias/oraparam.ini
Only the screens that differ from the ones above are shown:
Select three options: Internet Directory, Directory Integration and HA/Replication.
Indicate the correct location of the staticports.ini file.
I had to use SYSTEM here - could not get SYS to work:
Hmmmmmm.... I don't want to choose here! I want both. Maybe this is the reason clustered installs don't replicate? In this manner, there are two farms, and farms cannot cluster. Only an application server instance that belongs to the farm can participate in a cluster: 1 farm == 1 repository.
Maybe when I base the instance on a file-based repository, on a shared disk?!?
Next screen, select Replication:
Next screen, select Advanced Replication.
Now, this one is tricky: it states "Master Node", where in fact this is the second install. True, but this is Multi Master Replication, so in fact there are no masters (or everyone is the master)!
Same here: "Master", but watch out: the data entered actually refers to the real master, the first installed instance: oidhost.home.local!
Provide the correct connection information, and get used to the "cn=" notation - this is LDAP land... Note the naming of the instance: rms, as in "Replicated Master Site".
That's it... the installer will install, the wizzards wizz, and it all ends in:
Update: Something went wrong, I noticed after reflection. I miss one installer screen; the one that allows me to select the (virtual) ip address and (virtual) server name! It should have been presented because of the changes I made to oraparam.ini (SHOW_HOSTNAME=ALWAYS_SHOW) .
Update:
Before attempting to get replication to work, I'll need to fix the network component. That means adding the "other" entry to each tnsnames.ora, so that each file is identical:
OIDREP.home.local =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.home.local)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = oidrep.home.local)
    )
  )

db1020.home.local =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.home.local)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = db1020.home.local)
    )
  )
It also means I need to add a default domain - OID seems to make a habit of sometimes using a domain-qualified name and sometimes not. Consequently, db1020 as well as db1020.home.local must be resolved. Added this to sqlnet.ora:
names.default_domain=home.local
The same is true for the database server(s); they need to be able to connect later on - after all, it is database-based replication, not Application Server-based!
Next stop: replication!
Update: (Phase 6 - install Replication)
After all these preparations, starting replication should be quite easy: use remtool (reminding me of a REMoval tool, what's in a name?). Some logging has been snipped to save space:
[oidoracle@oidhost oid10.1.2]$ remtool -asrsetup -v
------------------------------------------------------------------------------
ASR Setup for OID Replication
WARNING: Make sure that the replication administrator that you enter below does not exist already in any of the nodes that will be part of the DRG to be created now. If the user exists, that user will be dropped and will be created newly.
------------------------------------------------------------------------------
Enter replication administrator's name : repadmin
Enter replication administrator's password :
Reenter replication administrator's password :
Enter Master Definition Site (MDS) details :
Enter global name of MDS : db1020.home.local
Enter SYSTEM user password of MDS :
Enter Remote Master Site (RMS) details :
Enter global name of RMS # 1 : oidrep.home.local
Enter SYSTEM user password of RMS # 1 :
Are there more Remote Master Sites in the group? [y/n/q] : n
Verify the details you had entered.
------------------------------------------------------------------------------
Replication administrator's name : repadmin
Master Definition Site : db1020.home.local
Remote Master Site # 1 : oidrep.home.local
Are these details correct? [y/n/q] : y
------------------------------------------------------------------------------
ASR setup in progress...
DB1020.HOME.LOCAL : Verifying uniqueness of replication agreement entry...
DB1020.HOME.LOCAL : Dropping replication administrator repadmin...
DB1020.HOME.LOCAL : Creating replication administrator repadmin...
DB1020.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
DB1020.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
DB1020.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
DB1020.HOME.LOCAL : Creating purge job...
DB1020.HOME.LOCAL : Dropping database link made to OIDREP.HOME.LOCAL...
DB1020.HOME.LOCAL : Creating database link to OIDREP.HOME.LOCAL...
DB1020.HOME.LOCAL : Scheduling push job to OIDREP.HOME.LOCAL...
OIDREP.HOME.LOCAL : Verifying uniqueness of replication agreement entry...
OIDREP.HOME.LOCAL : Dropping replication administrator repadmin...
OIDREP.HOME.LOCAL : Creating replication administrator repadmin...
OIDREP.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
OIDREP.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
OIDREP.HOME.LOCAL : Granting privileges or roles required for replication administrator to repadmin...
OIDREP.HOME.LOCAL : Creating purge job...
OIDREP.HOME.LOCAL : Dropping database link made to DB1020.HOME.LOCAL...
OIDREP.HOME.LOCAL : Creating database link to DB1020.HOME.LOCAL...
OIDREP.HOME.LOCAL : Scheduling push job to DB1020.HOME.LOCAL...
DB1020.HOME.LOCAL : Dropping replication group LDAP_REP...
DB1020.HOME.LOCAL : Creating replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ODS.ASR_CHG_LOG to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ODS.ODS_CHG_STAT to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_LS_CONFIGURATION_INFO_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_PS_CONFIGURATION_INFO_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_PAPP_CONFIGURATION_INF_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_PSEX_APP_INFO$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_PSEX_USER_INFO$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_ANNOUNCEMENT_CONFIG_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWHOSTING_SWITCH$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSEC_PERSON$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWCTX_COOKIE_INFO$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_APPLICATION_INFO_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSSO_APPUSERINFO_T to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSEC_ENABLER_CONFIG_INFO$ to replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding object TABLE ORASSO.WWSUB_MODEL$ to replication group LDAP_REP...
OIDREP.HOME.LOCAL : Dropping replication group LDAP_REP...
DB1020.HOME.LOCAL : Adding replication site OIDREP.HOME.LOCAL to replication group LDAP_REP...
DB1020.HOME.LOCAL : Executing deferred administrative requests...
OIDREP.HOME.LOCAL : Executing deferred administrative requests...
DB1020.HOME.LOCAL : Generating replication support for TABLE ODS.ASR_CHG_LOG...
DB1020.HOME.LOCAL : Executing deferred administrative requests...
OIDREP.HOME.LOCAL : Executing deferred administrative requests...
DB1020.HOME.LOCAL : Generating replication support for TABLE ODS.ODS_CHG_STAT...
DB1020.HOME.LOCAL : Executing deferred administrative requests...
OIDREP.HOME.LOCAL : Executing deferred administrative requests...
DB1020.HOME.LOCAL : Generating replication support for TABLE ORASSO.WWSSO_LS_CONFIGURATION_INFO_T...
ORASSO.WWSSO_PS_CONFIGURATION_INFO_T...
ORASSO.WWSSO_PAPP_CONFIGURATION_INF_T...
ORASSO.WWSSO_PSEX_APP_INFO$...
ORASSO.WWSSO_PSEX_USER_INFO$...
ORASSO.WWSSO_ANNOUNCEMENT_CONFIG_T...
ORASSO.WWHOSTING_SWITCH$...
ORASSO.WWSEC_PERSON$...
ORASSO.WWCTX_COOKIE_INFO$...
ORASSO.WWSSO_APPLICATION_INFO_T...
ORASSO.WWSSO_APPUSERINFO_T...
ORASSO.WWSEC_ENABLER_CONFIG_INFO$...
ORASSO.WWSUB_MODEL$...
DB1020.HOME.LOCAL : Verifying initialization parameter...
DB1020.HOME.LOCAL : Altering init param value of global_names to TRUE...
CORRECTED: DB1020.HOME.LOCAL : Initialization parameter global_names' value has been altered to TRUE. Alter INIT.ORA file to reflect the above change.
OIDREP.HOME.LOCAL : Verifying initialization parameter...
OIDREP.HOME.LOCAL : Altering init param value of global_names to TRUE...
CORRECTED: OIDREP.HOME.LOCAL : Initialization parameter global_names' value has been altered to TRUE. Alter INIT.ORA file to reflect the above change.
DB1020.HOME.LOCAL : Verifying uniqueness of replication agreement entry...
OIDREP.HOME.LOCAL : Verifying uniqueness of replication agreement entry...
DB1020.HOME.LOCAL : Verifying replication agreement entry...
DB1020.HOME.LOCAL : Inserting replication agreement entry oidhost_db1020...
CORRECTED: DB1020.HOME.LOCAL : "oidhost_db1020" hostname has been added to replication agreement entry.
DB1020.HOME.LOCAL : Inserting replication agreement entry idmhost_oidrep...
CORRECTED: DB1020.HOME.LOCAL : "idmhost_oidrep" hostname has been added to replication agreement entry.
OIDREP.HOME.LOCAL : Verifying replication agreement entry...
OIDREP.HOME.LOCAL : Inserting replication agreement entry oidhost_db1020...
CORRECTED: OIDREP.HOME.LOCAL : "oidhost_db1020" hostname has been added to replication agreement entry.
OIDREP.HOME.LOCAL : Inserting replication agreement entry idmhost_oidrep...
CORRECTED: OIDREP.HOME.LOCAL : "idmhost_oidrep" hostname has been added to replication agreement entry.
DB1020.HOME.LOCAL : Resuming replication activity...
DB1020.HOME.LOCAL : Executing deferred administrative requests...
OIDREP.HOME.LOCAL : Executing deferred administrative requests...
------------------------------------------------------------------------------
ASR setup has been configured successfully.
------------------------------------------------------------------------------ Directory Replication Group (DRG) details : -------- ------------- ----------------------- ------------- ------------- ---- Instance Host Name Global Name Version Replicaid Site Name Type -------- ------------- ----------------------- ------------- ------------- ---- db1020 CS-FRANK03 DB1020.HOME.LOCAL OID 10.1.2.1. oidhost_db102 MDS oidrep CS-FRANK03 OIDREP.HOME.LOCAL OID 10.1.2.1. idmhost_oidre RMS -------- ------------- ----------------------- ------------- ------------- ---- [oidoracle@oidhost oid10.1.2]$
If the setup fails with
ORA-12154: TNS:could not resolve the connect identifier specified
in the dropping/creating database links part, right at the beginning, make sure global_name (select * from global_name) is the same as your service_name in tnsnames.ora.
Now, start the replication services, and see if they run:
[oidoracle@oidhost oid10.1.2]$ oidctl connect=db1020.home.local server=oidrepld instance=1 flags="-h oidhost.home.local -p 3060" start
[oidoracle@oidhost oid10.1.2]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 3897
Process oidldapd is Alive as PID 3898
Process oidldapd is Alive as PID 3904
Process oidrepld is Alive as PID 8451
Process odisrv is Alive as PID 3899
Same thing on the other machine:
[oidoracle@idmhost bin]$ oidctl connect=oidrep.home.local server=oidrepld instance=1 flags="-h idmhost.home.local -p 389" start
Waiting for OIDMON to stop OIDREPLD, see oidmon.log for details.
[oidoracle@idmhost bin]$ ./ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 3602
Process oidldapd is Alive as PID 3611
Process oidldapd is Alive as PID 3615
Process oidrepld is Alive as PID 5457
Process odisrv is Alive as PID 3612
Does it work?
Well, fire up the Directory Manager, connect to both LDAP servers, and navigate to cn=Entry Management,dc=local,dc=home,cn=users,cn=orcladmin.
On the first machine, oidhost, you will see this (notice the timestamp):
The replicated machine, idmhost, will show this:
Note that not only are the timestamps the same (and I did not do the two installs simultaneously), but the modifiersname is the replication process:
cn=replication dn,orclreplicaid=idmhost_oidrep,cn=replication configuration
Next step: install the Single Sign On and Delegated Administration Services
Update:
Starting up all processes (e.g. after a reboot; I do not leave my test machines on 24*7) is as easy as 1-2-3:
Last login: Fri Jun 22 08:30:59 2007 from dbhost.home.local
[oidoracle@idmhost ~]$ opmnctl startall
opmnctl: starting opmn and all managed processes...
[oidoracle@idmhost ~]$ opmnctl status
Processes in Instance: rms.idmhost.home.local
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
DSA                | DSA                |     N/A | Down
LogLoader          | logloaderd         |     N/A | Down
dcm-daemon         | dcm-daemon         |     N/A | Down
HTTP_Server        | HTTP_Server        |    3503 | Alive
OID                | OID                |    3518 | Alive
[oidoracle@idmhost ~]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 3518
Process oidldapd is Alive as PID 3531
Process oidldapd is Alive as PID 3537
Process oidrepld is Alive as PID 3565
Not Running ---- Process odisrv
This odisrv is a bit of a nag. It is running perfectly on the other machine:
[oidoracle@oidhost ~]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 3944
Process oidldapd is Alive as PID 3978
Process oidldapd is Alive as PID 3981
Process oidrepld is Alive as PID 4013
Process odisrv is Alive as PID 3983
However, opmnctl does not seem to control it; after a few stopall and startall cycles, I had this:
[oidoracle@oidhost ~]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 6410
Process oidldapd is Alive as PID 6411
Process oidldapd is Alive as PID 6426
Process oidrepld is Alive as PID 6585
Process odisrv is Alive as PID 6170
Process odisrv is Alive as PID 6414
Oh well. What bothers me is the fact that odisrv does not run on idmhost; the log shows:
-----------------------------------------------------
Oracle Directory Integration Server instance# 01 started..
-----------------------------------------------------
Sat Jun 23 12:59:08 CEST 2007 : Starting Server to execute Profile Group :default against LDAP Server (idmhost.home.local:3130)
Sat Jun 23 12:59:09 CEST 2007 : SSL Mode :1
Sat Jun 23 12:59:09 CEST 2007 : Exception :javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Sat Jun 23 12:59:09 CEST 2007 : Aborting.. : null
Sat Jun 23 12:59:09 CEST 2007 : Exiting with Status -1: null
On oidhost, the correct startup message in the log:
-----------------------------------------------------
Oracle Directory Integration Server instance# 01 started..
-----------------------------------------------------
Sat Jun 23 12:26:56 CEST 2007 : Starting Server to execute Profile Group :default against LDAP Server (oidhost.home.local:3130)
Sat Jun 23 12:26:56 CEST 2007 : SSL Mode :1
Guess I need to sort that out, before continuing to the next step.
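Two of the ldapcheck transcripts above are the interesting ones: the node where odisrv is "Not Running", and the node where two odisrv instances are alive at once after a few opmnctl restarts. Below is an added example (my code, not part of the original post or of Oracle's tooling) that parses ldapcheck output into per-process PID lists, compares the counts against what a healthy node showed, and pulls the LDAP result code out of an odisrv log. LDAP result code 49 is invalidCredentials, which points at the DIS registration credentials rather than at replication. The sample transcripts and the log excerpt are constructed from the output quoted in this post, and the expected instance counts are an assumption based on those transcripts.

```python
import re
from typing import Dict, List, Optional

# Constructed samples, modelled on the ldapcheck output quoted in this post:
# a node where odisrv is not running, and a node where two odisrv instances are alive.
LDAPCHECK_IDMHOST = """\
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 3518
Process oidldapd is Alive as PID 3531
Process oidldapd is Alive as PID 3537
Process oidrepld is Alive as PID 3565
Not Running ---- Process odisrv
"""

LDAPCHECK_OIDHOST = """\
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 6410
Process oidldapd is Alive as PID 6411
Process oidldapd is Alive as PID 6426
Process oidrepld is Alive as PID 6585
Process odisrv is Alive as PID 6170
Process odisrv is Alive as PID 6414
"""

# Constructed odisrv log excerpt in the format of the log quoted above.
ODISRV_LOG_IDMHOST = """\
Sat Jun 23 12:59:08 CEST 2007 : Starting Server to execute Profile Group :default against LDAP Server (idmhost.home.local:3130)
Sat Jun 23 12:59:09 CEST 2007 : SSL Mode :1
Sat Jun 23 12:59:09 CEST 2007 : Exception :javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Sat Jun 23 12:59:09 CEST 2007 : Aborting.. : null
"""

ALIVE_RE = re.compile(r"^Process (\w+) is Alive as PID (\d+)$")
DOWN_RE = re.compile(r"^Not Running ---- Process (\w+)$")
LDAP_ERR_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]+)\]")

# Instance counts a healthy node showed in the transcripts above: two oidldapd
# (dispatcher plus one server process), one of everything else. This is an
# assumption for the example; adjust it to your own server process setting.
EXPECTED = {"oidmon": 1, "oidldapd": 2, "oidrepld": 1, "odisrv": 1}


def parse_ldapcheck(text: str) -> Dict[str, List[int]]:
    """Map each process name to the PIDs ldapcheck reports as alive.
    A process ldapcheck lists as 'Not Running' gets an empty list."""
    procs: Dict[str, List[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ALIVE_RE.match(line)
        if m:
            procs.setdefault(m.group(1), []).append(int(m.group(2)))
            continue
        m = DOWN_RE.match(line)
        if m:
            procs.setdefault(m.group(1), [])
    return procs


def health_findings(procs: Dict[str, List[int]],
                    expected: Dict[str, int] = EXPECTED) -> List[str]:
    """Compare parsed ldapcheck output against the expected instance counts.
    Too few means a component is down; too many means a stray copy survived a restart."""
    findings: List[str] = []
    for name, want in expected.items():
        pids = procs.get(name, [])
        if len(pids) < want:
            findings.append(f"{name}: {len(pids)} running, expected {want}")
        elif len(pids) > want:
            findings.append(f"{name}: {len(pids)} running (PIDs {pids}), expected {want}")
    return findings


def odisrv_failure_reason(log: str) -> Optional[str]:
    """Return the LDAP result code and message if an odisrv start failed on its bind."""
    for line in log.splitlines():
        m = LDAP_ERR_RE.search(line)
        if m:
            return f"LDAP error {m.group(1)}: {m.group(2).strip()}"
    return None


if __name__ == "__main__":
    for node, text in (("idmhost", LDAPCHECK_IDMHOST), ("oidhost", LDAPCHECK_OIDHOST)):
        for finding in health_findings(parse_ldapcheck(text)):
            print(f"{node}: {finding}")
    print("idmhost odisrv:", odisrv_failure_reason(ODISRV_LOG_IDMHOST))
```

Run against real output by piping `$ORACLE_HOME/ldap/bin/ldapcheck` into `parse_ldapcheck`; a finding of "2 running" for a singleton process is the case where opmnctl stopall left an instance behind, and a finding of "0 running" for odisrv should send you to the odisrv log for the result code.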
Update: (don't try this - see below)
Changed the port on idmhost.home.local from 389 to 3060, and ran dcmctl updateconfig.
Then I ran this, and all of a sudden, it worked!
[oidoracle@idmhost log]$ odisrvreg -D cn=orcladmin -w Welcome1 -p 3060
Registering for the first time...
DIS registration successful.
[oidoracle@idmhost log]$ $ORACLE_HOME/ldap/bin/ldapcheck
Checking Oracle Internet Directory Processes ...ALL
Process oidmon is Alive as PID 5645
Process oidldapd is Alive as PID 5648
Process oidldapd is Alive as PID 5660
Process oidrepld is Alive as PID 5697
Process odisrv is Alive as PID 5964
I'd have expected the odisrvreg utility to report "already registered - updating". This leaves a somewhat eerie feeling; anyone knowing what is going on, please comment!
I'll update myself on that: the odisrv process does not need to run on both sides - it's supposed to fail over. However, I still fail to see how - I even tried kill -9 (all processes), but could not get odisrv to start on the other node.
Let's continue with phase 7: installation of the middle tier:
Machines are fired up, all processes are up-and-running.
Phase 7a: Preliminaries (see phase 5a).
[root@idmhost ~]# groupadd idmown
[root@idmhost ~]# groupadd idminst
[root@idmhost ~]# useradd idmoracle -g idminst -G idmown -c 'Oracle Identity Mgmnt/SSO sw owner'
[root@idmhost ~]# passwd idmoracle
Changing password for user idmoracle.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@idmhost ~]# mkdir /oracle/idm
[root@idmhost ~]# chown idmoracle:idmown /oracle/idm
[root@idmhost ~]# su - idmoracle
[idmoracle@idmhost ~]$ cp /install/Disk1/stage/Response/staticports.ini /oracle/idm/
edit staticports.ini: OID port: 3060, SSL OID port: 3130.
Phase 7b: Install first middle tier (SSO and DAS server).
Now, fire up the Cygwin X server, and:
frankbo@cs-frank03 ~
$ xhost +
access control disabled, clients can connect from any host
frankbo@cs-frank03 ~
$ ssh idmoracle@idmhost
idmoracle@idmhost's password:
Last login: Sun Jul 8 14:35:34 2007 from dbhost.home.local
[idmoracle@idmhost ~]$ export DISPLAY=192.168.1.104:0.0
[idmoracle@idmhost ~]$ /install/Disk1/runInstaller -invPtrLoc /oracle/idm/oraInventory/oraInst.loc
Fill in the correct settings:
Ditto:
It's still called "Infrastructure", although this is the middle tier:
And I still am not done with the Identity Management Install:
Oh, well, we've been here before...
So let's get started - note I added HA and Replication:
Select the correct file - it needs to pick up the ports actually in use by the OID install (phase 5)
This is an odd one: I am *not* adding a listener, so why this check is executed is beyond me. The resolution is to stop the services on this machine (log on as oidoracle, and issue an opmnctl stopall, or stopproc ias-component=OID).
Once the "error" hurdle is taken, select Cluster:
First install, so I have to create a cluster:
Name it:
Specify correct host; I had the "crossed" setup, so this SSO install (middle tier) will be served by the first install of the Infrastructure, which was on the oidhost:
Specify the password of orcladmin on the OID host:
I made a mistake here: I specified the port as used in Metalink note 370458.1. Consequently, I had to change the load balancer:
balance -b login.home.local http idm1:7779 % idm2:7779 %
Make up a password, or -better yet- have one generated:
And finally - after a while, and the execution of the (in-)famous root.sh script:
This is what the last screen has to tell:
The following J2EE Applications have been deployed and are accessible at the URLs listed below.
Use the following URL to access the Oracle Enterprise Manager 10g Application Server Control Console :
http://idmhost.home.local:1156
The following information is available in:
/oracle/idm/idm10.1.2/install/setupinfo.txt
Oracle Application Server 10g (10.1.2.0.2) Usernames and Default password information:
Please refer to Oracle Application Server 10g Administrator Guide for more information.
Install Type: Identity Management
Configured Components: Oracle HTTP Server | Oracle Application Server Containers for J2EE | Oracle Application Server Single Sign-On | Oracle Application Server Delegated Administration Service | High Availability and Replication |
A new Oracle Application Server Cluster (Identity Management) has been created named SSOClusterA. The current instance has been joined this cluster at the end of installation.
Load Balancer Servers and ports specified for this instance:
HTTP Load Balancer: login.home.local:
LDAP Load Balancer: oidhost.home.local
SSL Port:3130
Non-SSL Port: 3060
Access URL for Oracle Delegated Administration Services for this instance:
http://login.home.local:80/oiddas
Administrator URL for Oracle Application Server Single-Sign On for this instance:
http://login.home.local:80/pls/orasso
Use the following URL to access the Oracle HTTP Server and the Welcome Page:
http://login.home.local:80
-----------------------------------------
Use the following URL to access the Oracle Enterprise Manager Application Server Control:
http://idmhost.home.local:1156
Instance Name: idm1012_01.idmhost.home.local
Installation of Oracle Application Server Infrastructure is Complete. Please note that any URLs created in this install may not be functional immediately.
Now - let me see if the load balancer works.
The default (login.home.local) Delegated Administration Service page:
After a successful login:
After logout, the node information is shown:
Ok - next step: phase 7c: passwords
I need to synchronize all passwords. One of the installation wizards randomized all passwords used in this setup. As connections may float between nodes, I want the passwords to be the same on both. The tool for this is ssoReplSetup.jar, a Java program residing in $ORACLE_HOME/sso/lib.
Update:
[oidoracle@oidhost ~]$ cd $ORACLE_HOME/sso/lib
[oidoracle@oidhost lib]$ export LD_LIBRARY_PATH=$ORACLE_HOME/lib32:$LD_LIBRARY_PATH
[oidoracle@oidhost lib]$ echo $LD_LIBRARY_PATH
/oracle/ias/oid10.1.2/lib32:/oracle/ias/oid10.1.2/lib
[oidoracle@oidhost lib]$ $ORACLE_HOME/jdk/bin/java -jar ssoReplSetup.jar -prompt
OracleAS Single Sign-On Replication Setup Tool
Release 10.1.2.0.0
Copyright (c) 2003, 2004 Oracle. All rights reserved.
Reading input paramterers ...
Enter MDS OID hostname : oidhost.home.local
Enter MDS OID port : 3060
Enter MDS OID administrator : cn=orcladmin
Enter MDS OID password : Welcome1
Enter MDS OID SSL Enabled (Y/N) : n
Enter RMS OID hostname : idmhost.home.local
Enter RMS OID port : 3060
Enter RMS OID administrator : cn=orcladmin
Enter RMS OID password : Welcome1
Enter RMS OID SSL Enabled (Y/N) : n
Enter RMS SYS DB password : MANAGER
Done reading parameters.
Contacting OID: ldap://oidhost.home.local:3060 ...
OID context received for MDS admin user, cn=orcladmin
Contacting RMS OID: ldap://idmhost.home.local:3060 ...
OID context received for RMS admin user, cn=orcladmin
MDS DB dn: orclReferenceName=DB1020.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
RMS DB dn: orclReferenceName=OIDREP.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
Starting password synchronization between MDS DB and RMS DB.
ERROR: RMS DB connection failed.
Action: Please check the RMS DB SYS Password.
Exception: java.sql.SQLException: ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
java.sql.SQLException: ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:137)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:304)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:271)
at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOauth(T4CTTIoauthenticate.java:647)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:307)
at oracle.jdbc.driver.PhysicalConnection.
at oracle.jdbc.driver.T4CConnection.
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:31)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:512)
at java.sql.DriverManager.getConnection(DriverManager.java:171)
at oracle.security.sso.server.conf.SyncSSOPwd.syncUpPwds(SyncSSOPwd.java:303)
at oracle.security.sso.server.conf.SyncSSOPwd.main(SyncSSOPwd.java:752)
Checking the password revealed:
SQL> connect sys/manager@db1020 as sysdba
Connected.
SQL> connect sys/manager@oidrep as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied
After changing it, I could logon as sysdba - the error is somewhat unclear - the message is right on spot:
[oidoracle@oidhost lib]$ $ORACLE_HOME/jdk/bin/java -jar ssoReplSetup.jar -prompt
OracleAS Single Sign-On Replication Setup Tool
Release 10.1.2.0.0
Copyright (c) 2003, 2004 Oracle. All rights reserved.
Reading input paramterers ...
Enter MDS OID hostname : oidhost.home.local
Enter MDS OID port : 3060
Enter MDS OID administrator : cn=orcladmin
Enter MDS OID password : Welcome1
Enter MDS OID SSL Enabled (Y/N) : n
Enter RMS OID hostname : idmhost.home.local
Enter RMS OID port : 3060
Enter RMS OID administrator : cn=orcladmin
Enter RMS OID password : Welcome1
Enter RMS OID SSL Enabled (Y/N) : n
Enter RMS SYS DB password : manager
Done reading parameters.
Contacting OID: ldap://oidhost.home.local:3060 ...
OID context received for MDS admin user, cn=orcladmin
Contacting RMS OID: ldap://idmhost.home.local:3060 ...
OID context received for RMS admin user, cn=orcladmin
MDS DB dn: orclReferenceName=DB1020.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
RMS DB dn: orclReferenceName=OIDREP.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
Starting password synchronization between MDS DB and RMS DB.
Creating RMS DB connection ... Done.
Synchronizing the password for orasso ...
MDS - orasso password: *****
Modifying orasso schema pwd value in RMS OID...
Modification of orasso user password in RMS OID successful.
Modifying the orasso user password in secondary database ...
Modification of orasso password in RMS db successful.
Synchronizing the password for orasso_ds ...
MDS - orasso_ds password: *****
Modifying orasso_ds schema pwd value in RMS OID...
Modification of orasso_ds user password in RMS OID successful.
Modifying the orasso_ds user password in secondary database ...
Modification of orasso_ds password in RMS db successful.
Synchronizing the password for orasso_pa ...
MDS - orasso_pa password: *****
Modifying orasso_pa schema pwd value in RMS OID...
Modification of orasso_pa user password in RMS OID successful.
Modifying the orasso_pa user password in secondary database ...
Modification of orasso_pa password in RMS db successful.
Synchronizing the password for orasso_public ...
MDS - orasso_public password: *****
Modifying orasso_public schema pwd value in RMS OID...
Modification of orasso_public user password in RMS OID successful.
Modifying the orasso_public user password in secondary database ...
Modification of orasso_public password in RMS db successful.
Synchronizing the password for orasso_ps ...
MDS - orasso_ps password: *****
Modifying orasso_ps schema pwd value in RMS OID...
Modification of orasso_ps user password in RMS OID successful.
Modifying the orasso_ps user password in secondary database ...
Modification of orasso_ps password in RMS db successful.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
Retrieved SSO_SERVER pwd: *****
Decrypted SSO_SERVER pwd: *****
Connected to RMS DB as ORASSO user.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
MDS node LDAP connection SSL usage: Y
ERROR: MDS node is configured to use LDAP over SSL.
ACTION: Please provide LDAP SSL port for the RMS node.
The last line indicates I should use the SSL port (3130):
[oidoracle@oidhost lib]$ $ORACLE_HOME/jdk/bin/java -jar ssoReplSetup.jar -prompt
OracleAS Single Sign-On Replication Setup Tool
Release 10.1.2.0.0
Copyright (c) 2003, 2004 Oracle. All rights reserved.
Reading input paramterers ...
Enter MDS OID hostname : oidhost.home.local
Enter MDS OID port : 3130
Enter MDS OID administrator : cn=orcladmin
Enter MDS OID password : Welcome1
Enter MDS OID SSL Enabled (Y/N) : Y
Enter RMS OID hostname : idmhost.home.local
Enter RMS OID port : 3130
Enter RMS OID administrator : cn=orcladmin
Enter RMS OID password : Welcome1
Enter RMS OID SSL Enabled (Y/N) : Y
Enter RMS SYS DB password : manager
Done reading parameters.
Contacting OID: ldap://oidhost.home.local:3130 ...
OID context received for MDS admin user, cn=orcladmin
Contacting RMS OID: ldap://idmhost.home.local:3130 ...
OID context received for RMS admin user, cn=orcladmin
MDS DB dn: orclReferenceName=DB1020.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
RMS DB dn: orclReferenceName=OIDREP.CS.NL,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
Starting password synchronization between MDS DB and RMS DB.
Creating RMS DB connection ... Done.
Synchronizing the password for orasso ...
MDS - orasso password: *****
Modifying orasso schema pwd value in RMS OID...
Modification of orasso user password in RMS OID successful.
Modifying the orasso user password in secondary database ...
Modification of orasso password in RMS db successful.
Synchronizing the password for orasso_ds ...
MDS - orasso_ds password: *****
Modifying orasso_ds schema pwd value in RMS OID...
Modification of orasso_ds user password in RMS OID successful.
Modifying the orasso_ds user password in secondary database ...
Modification of orasso_ds password in RMS db successful.
Synchronizing the password for orasso_pa ...
MDS - orasso_pa password: *****
Modifying orasso_pa schema pwd value in RMS OID...
Modification of orasso_pa user password in RMS OID successful.
Modifying the orasso_pa user password in secondary database ...
Modification of orasso_pa password in RMS db successful.
Synchronizing the password for orasso_public ...
MDS - orasso_public password: *****
Modifying orasso_public schema pwd value in RMS OID...
Modification of orasso_public user password in RMS OID successful.
Modifying the orasso_public user password in secondary database ...
Modification of orasso_public password in RMS db successful.
Synchronizing the password for orasso_ps ...
MDS - orasso_ps password: *****
Modifying orasso_ps schema pwd value in RMS OID...
Modification of orasso_ps user password in RMS OID successful.
Modifying the orasso_ps user password in secondary database ...
Modification of orasso_ps password in RMS db successful.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
Retrieved SSO_SERVER pwd: *****
Decrypted SSO_SERVER pwd: *****
Connected to RMS DB as ORASSO user.
Setting SSO server preferences table in RMS DB ...
Connected to MDS DB as ORASSO user.
MDS node LDAP connection SSL usage: Y
Setting OID configurations in RMS DB Done.
Setting up the SSO Server site token in the prefs table...
Updating SSO preference store for the SSO Server site token...
SSO Replication configuration successfully finished.
The same thing needs to be done on the replicated site, idmhost.home.local. I found it not very clear whether this should be done in the middle tier or in the infrastructure - the notes suggest the first, and so does the point in time: after the first middle-tier install.
Rest assured: it should run from the infrastructure - the sites where the OID processes and replication run.
All that is left to install now, is the last middle tier:
[root@oidhost ~]# mkdir -p /oracle/idm/oraInventory
[root@oidhost ~]# cd /oracle
[root@oidhost oracle]# chown -R idmoracle:idminst idm
The following J2EE Applications have been deployed and are accessible at the URLs listed below.
Use the following URL to access the Oracle Enterprise Manager 10g Application Server Control Console :
http://oidhost.home.local:1156
The following information is available in:
/oracle/idm/idm10.1.2/install/setupinfo.txt
Oracle Application Server 10g (10.1.2.0.2) Usernames and Default password information:
Please refer to Oracle Application Server 10g Administrator Guide for more information.
Install Type: Identity Management
Configured Components: Oracle HTTP Server | Oracle Application Server Containers for J2EE | Oracle Application Server Single Sign-On | Oracle Application Server Delegated Administration Service | High Availability and Replication |
A new Oracle Application Server Cluster (Identity Management) has been created named SSOClusterB. The current instance has been joined this cluster at the end of installation.
Load Balancer Servers and ports specified for this instance:
HTTP Load Balancer: login.home.local:
LDAP Load Balancer: idmhost.home.local
SSL Port:3130
Non-SSL Port: 3060
Access URL for Oracle Delegated Administration Services for this instance:
http://login.home.local:80/oiddas
Administrator URL for Oracle Application Server Single-Sign On for this instance:
http://login.home.local:80/pls/orasso
Use the following URL to access the Oracle HTTP Server and the Welcome Page:
http://login.home.local:80
-----------------------------------------
Use the following URL to access the Oracle Enterprise Manager Application Server Control:
http://oidhost.home.local:1156
Instance Name: idm1012_02.oidhost.home.local
Installation of Oracle Application Server Infrastructure is Complete. Please note that any URLs created in this install may not be functional immediately.
The installation is the same as the first one, except for some names that are different (obviously): the cluster is called SSOClusterB (could have been the same, by the way), the LDAP server is idmhost.home.local (I am installing on oidhost!), so I will not post any screendumps of that.
Instead, stay tuned for replication woes and usage notes.
Last and Final Update:
To show that the whole thing is two-fold:
There you have it - two partner applications.
In a nutshell:
- Install and patch the database software tree(s).
- Create a database, altering the default settings to ones fit for a Metadata Repository. If not done now, the Metadata Repository Creation Assistant (MRCA) will force you to.
- Run the MRCA against the newly created database.
- Clone it to create the replica database (or reuse the creation scripts and rerun MRCA).
- Install the first Infrastructure. Options: OID and DIP. Use the main database as repository database.
- Install the second Infrastructure. Options: OID, DIP and HA/Replication; point it at the first Infrastructure's OID as the reference. Use the replica database as repository database.
- Configure your network:
  - Make sure you can start SQL*Plus from both database hosts and from both Infrastructure environments, and that both the short and the fully qualified TNS alias work. This step is crucial!
  - Also make sure your load balancer and naming (DNS or otherwise) are in order.
- Set up OID replication using remtool ($ORACLE_HOME/bin/remtool -asrsetup -v).
- Stop and start all processes on both Infrastructure installations (using $ORACLE_HOME/opmn/bin/opmnctl).
- Start the replication processes on both Infrastructure installations; the first time only, this is done by hand with oidctl.
- Check replication: add an entry in one OID environment and wait until it appears in the other. Then delete it from the other and check whether it disappears from the first.
- Install the first Middle Tier (Single Sign-On/Delegated Administration Services). Oddly enough, it is still an Infrastructure install. Select SSO, DAS and HA, and create a new cluster. Specify the first OID install for LDAP, and your load balancer.
- Synchronize the passwords generated at random during installation across both Infrastructures: run ssoReplSetup.jar -prompt on both Infrastructure installs. Mind the LD_LIBRARY_PATH.
- Install the second Middle Tier (SSO/DAS). Similar to the first install.
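The two checks in the list above that are easiest to get wrong silently are the network check (every TNS alias, short and fully qualified, from every node) and the replication check (add on one OID, watch it arrive on the other, delete on the second, watch it vanish on the first). The following script is an added example and not the author's code; it assumes ORCLADMIN_PW holds the cn=orcladmin password, DB_USER/DB_PW are a repository schema login, the TNS aliases oiddb/repldb exist in tnsnames.ora, and the default realm is dc=home,dc=local. The hosts and the non-SSL LDAP port 3060 are taken from the install output above.

```shell
#!/bin/sh
# Added example, not part of the original post: scripted versions of the TNS
# connectivity check and the replication check from the list above.
# Assumptions (not stated in the post): ORCLADMIN_PW holds the cn=orcladmin
# password, DB_USER/DB_PW are a repository schema login, the TNS aliases given to
# check_tns_aliases exist in tnsnames.ora, and the realm is dc=home,dc=local.
# Hosts and the non-SSL LDAP port 3060 come from the install output above.

# "Configure your network": every alias, short and fully qualified, must connect
# from the node this runs on. Returns non-zero if any alias fails.
check_tns_aliases() {
    # usage: check_tns_aliases user password alias...
    _user=$1; _pw=$2; shift 2
    _rc=0
    for _alias in "$@"; do
        # -S silent, -L one login attempt: a bad alias fails instead of prompting
        if printf 'select 1 from dual;\nexit\n' \
            | sqlplus -S -L "$_user/$_pw@$_alias" >/dev/null 2>&1; then
            echo "ok   $_alias"
        else
            echo "FAIL $_alias"; _rc=1
        fi
    done
    return $_rc
}

# Poll a probe command until it succeeds or timeout seconds have elapsed.
wait_until() {
    # usage: wait_until timeout interval command [args...]
    _timeout=$1; _interval=$2; shift 2
    _elapsed=0
    while [ "$_elapsed" -lt "$_timeout" ]; do
        if "$@"; then return 0; fi
        sleep "$_interval"
        _elapsed=$((_elapsed + _interval))
    done
    return 1
}

# LDIF for a throwaway person entry used only to watch replication.
repl_entry_ldif() {
    # usage: repl_entry_ldif cn parent_dn
    printf 'dn: cn=%s,%s\nobjectclass: top\nobjectclass: person\ncn: %s\nsn: replication test\n' \
        "$1" "$2" "$1"
}

# Base-scope search: succeeds only when the DN exists on host:port.
dn_exists() {
    # usage: dn_exists host port dn
    ldapsearch -h "$1" -p "$2" -D cn=orcladmin -w "$ORCLADMIN_PW" \
        -b "$3" -s base 'objectclass=*' dn >/dev/null 2>&1
}
dn_absent() { ! dn_exists "$@"; }

# "Check replication": add on node A, wait for it on B, delete on B, wait for the
# delete on A. Both directions must succeed for two-way replication to be healthy.
check_replication() {
    # usage: check_replication hostA hostB port timeout_seconds
    _a=$1; _b=$2; _port=$3; _timeout=$4
    _cn="repltest$$"; _parent="cn=Users,dc=home,dc=local"; _dn="cn=$_cn,$_parent"
    _ldif=$(mktemp /tmp/repltest.XXXXXX) || return 1
    repl_entry_ldif "$_cn" "$_parent" > "$_ldif"
    ldapadd -h "$_a" -p "$_port" -D cn=orcladmin -w "$ORCLADMIN_PW" -f "$_ldif" >/dev/null
    rm -f "$_ldif"
    wait_until "$_timeout" 5 dn_exists "$_b" "$_port" "$_dn" \
        || { echo "FAIL: $_dn added on $_a never arrived on $_b"; return 1; }
    echo "ok   add on $_a replicated to $_b"
    ldapdelete -h "$_b" -p "$_port" -D cn=orcladmin -w "$ORCLADMIN_PW" "$_dn" >/dev/null
    wait_until "$_timeout" 5 dn_absent "$_a" "$_port" "$_dn" \
        || { echo "FAIL: delete on $_b never reached $_a"; return 1; }
    echo "ok   delete on $_b replicated to $_a"
}

# Only run the checks when asked; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    check_tns_aliases "$DB_USER" "$DB_PW" oiddb oiddb.home.local repldb repldb.home.local
    check_replication oidhost.home.local idmhost.home.local 3060 300
fi
```

Run it as `sh replcheck.sh run` on each Infrastructure node, with ORACLE_HOME/bin (Oracle's own ldapsearch/ldapadd/ldapdelete) first in PATH, and then once more with the two hosts swapped so that each node has been the origin of an add. Passing the bind password with -w exposes it in the process list on a shared host; prefer a prompting invocation, or a file readable only by the Oracle account, when the box is not single-purpose.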