Wednesday, 25 July 2012

Changing OPMN Ports (ONS Local, Request, and Remote)


You might need this in a scenario where you have two OPMN processes in one Middleware home. In my case, one OPMN process took care of OID and another took care of the Web Tier, so I had to change the ports of one of the OPMN processes for both of them to start simultaneously.


This section describes how to change any of the following port numbers:
ONS Local port
ONS Request port
ONS Remote port

To change these ports:
A. Stop OPMN, and all OPMN-managed processes:
(UNIX) ORACLE_INSTANCE/bin/opmnctl stopall
(Windows) ORACLE_INSTANCE\bin\opmnctl stopall

B. Open the opmn.xml file, located in:
(UNIX) ORACLE_INSTANCE/config/OPMN/opmn
(Windows) ORACLE_INSTANCE\config\OPMN\opmn

C. Under the <notification-server> element, modify the local, remote, or request attribute of the <port> element, depending on the port you are changing, and then save the file.
For example:
<port local="6101" remote="6201" request="6004"/>

D. Start OPMN, and all OPMN-managed processes:
(UNIX) ORACLE_INSTANCE/bin/opmnctl startall
(Windows) ORACLE_INSTANCE\bin\opmnctl startall

Now you have to unregister the instance from the WebLogic domain and register it again, so that you do not lose the ability to manage the OPMN components (here OID, OVD, OHS) from Enterprise Manager as a result of changing the ports.

C:\Oracle\Middleware\asinst_1\bin>opmnctl unregisterinstance -adminHost localhost -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (localhost):
  Username: weblogic
  Password:

Unregistering instance
Command succeeded.

C:\Oracle\Middleware\asinst_1\bin>opmnctl registerinstance -adminHost localhost -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (localhost):
  Username: weblogic
  Password:

Registering instance
Command succeeded.

After successful registration, the instance.properties file and the ports.prop file get updated with the registration information and the latest port information respectively.
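The port clash this post works around, checked and resolved in code. This is an added Python example, not part of the post or of Oracle's tooling: it reads the <notification-server>/<port> attributes from two constructed opmn.xml fragments, reports every port claimed twice, and rewrites one instance to the values used in step C above. The opmn.xml namespace and the default port values in the samples are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# The three ONS ports an OPMN instance claims in opmn.xml (step C above).
ONS_ROLES = ("local", "remote", "request")

# Constructed opmn.xml fragments for the two instances in the post (asinst_1 for
# OID, instance1 for the Web Tier). Both kept the same ONS ports, which is the
# collision the post describes; namespace and port values are assumptions.
OPMN_XML_OID = """<opmn xmlns="http://www.oracle.com/ias-instance">
  <notification-server interface="any">
    <port local="6700" remote="6701" request="6702"/>
  </notification-server>
</opmn>"""
OPMN_XML_WEBTIER = OPMN_XML_OID


def _local_name(tag):
    """Strip the XML namespace: '{uri}port' -> 'port'."""
    return tag.rsplit("}", 1)[-1]


def _ons_port_element(root):
    """Locate <notification-server>/<port> regardless of namespace."""
    for element in root.iter():
        if _local_name(element.tag) == "notification-server":
            for child in element:
                if _local_name(child.tag) == "port":
                    return child
    raise ValueError("opmn.xml has no <notification-server>/<port> element")


def read_ons_ports(xml_text):
    """Return {'local': n, 'remote': n, 'request': n} from an opmn.xml document."""
    port = _ons_port_element(ET.fromstring(xml_text))
    return {role: int(port.attrib[role]) for role in ONS_ROLES}


def find_conflicts(instances):
    """instances maps instance name -> ports dict (as read_ons_ports returns).

    Returns a sorted list of (port, [(instance, role), ...]) for every TCP port
    claimed more than once, whether by two instances or twice within one."""
    claims = defaultdict(list)
    for name, ports in instances.items():
        for role, port in ports.items():
            claims[port].append((name, role))
    return sorted((port, users) for port, users in claims.items() if len(users) > 1)


def set_ons_ports(xml_text, **new_ports):
    """Return opmn.xml text with the given local/remote/request values applied."""
    unknown = set(new_ports) - set(ONS_ROLES)
    if unknown:
        raise ValueError(f"unknown ONS port role(s): {sorted(unknown)}")
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the file's default namespace instead of an ns0: prefix on output.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    port = _ons_port_element(root)
    for role, value in new_ports.items():
        port.set(role, str(int(value)))
    return ET.tostring(root, encoding="unicode")


def resolve_collision():
    """Walk the post's scenario: detect the clash, move the OID instance to the
    post's values (local 6101, remote 6201, request 6004), then re-check."""
    instances = {
        "asinst_1": read_ons_ports(OPMN_XML_OID),
        "instance1": read_ons_ports(OPMN_XML_WEBTIER),
    }
    before = find_conflicts(instances)
    fixed_xml = set_ons_ports(OPMN_XML_OID, local=6101, remote=6201, request=6004)
    instances["asinst_1"] = read_ons_ports(fixed_xml)
    after = find_conflicts(instances)
    return before, after


if __name__ == "__main__":
    before, after = resolve_collision()
    for port, users in before:
        print(f"port {port} claimed by {users}")
    print("conflicts after the change:", after)
```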

Procedure to Change the Ports for OHS


Below is the procedure to change the ports for OHS.

NOTE: Changing all OHS ports.

As discussed above, OHS comes with three ports:

i) Non-SSL HTTP port (default 7777, range 7777-7877)
ii) SSL HTTP port (default 4443, range 4443-4543)
iii) Proxy MBean or Admin port (default 9999)
(used internally by Oracle HTTP Server to communicate with Fusion Middleware Control.)

To change the Oracle HTTP Server Listen ports (non-SSL or SSL), there are often dependencies that must also be set. For example, if you are using Oracle Web Cache to improve the performance of your Oracle Fusion Middleware environment, you must modify the Oracle Web Cache origin server settings whenever you modify the Oracle HTTP Server Listen ports.

::Steps to change the Non SSL http port and SSL http port::

Go to EM
From the navigation pane, expand the farm, then Web Tier, then select the Oracle HTTP Server instance.
From the Oracle HTTP Server menu, choose Administration, then Ports Configuration.
Select the Listen port that uses the HTTP(S) protocol, then click Edit.
Change the port number, then click OK.
Restart Oracle HTTP Server. (From the Oracle HTTP Server menu, choose Control, then Restart.)

As a result, the HTTP port gets updated in the ORACLE_INSTANCE/config/OHS/<ohs_name>/httpd.conf file
and
the HTTPS port gets updated in the ORACLE_INSTANCE/config/OHS/<ohs_name>/ssl.conf file.
(In addition, if you are editing the SSL port, make one more change in the ssl.conf file:
edit the SSL Virtual Host Context to the same value as the changed SSL port number. Otherwise
you may see weird behaviour; the SSL port can turn into a non-SSL port. The reason is that SSLEngine on
lives inside the <VirtualHost *:port> block: if the Listen port no longer matches that block, requests
on the new port are answered by the main, non-SSL server configuration.)
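An added check for the ssl.conf caveat above (example code, not from the post or from Oracle): it parses the Listen directives and the SSLEngine on virtual hosts of a constructed ssl.conf fragment and reports any listening port that has no SSL virtual host behind it, which is exactly the port that would serve plain HTTP. The retarget helper applies the virtual-host edit; the certificate paths in the sample are placeholders.

```python
import re

# Directives that matter for the check (Apache syntax, which OHS 11g inherits).
LISTEN_RE = re.compile(r"^Listen\s+(?:(?:\[[^\]]+\]|[^\s:]+):)?(\d+)(?:\s|$)", re.I)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost\s*>", re.I)
SSLENGINE_ON_RE = re.compile(r"^SSLEngine\s+on\b", re.I)

# Constructed ssl.conf fragment: the Listen line has been moved to 4444 but the
# SSL Virtual Host Context still names the old port 4443. Paths are placeholders.
SSL_CONF_MISMATCH = """\
Listen 4444
<VirtualHost *:4443>
    SSLEngine on
    SSLCertificateFile /placeholder/path/server.crt
    SSLCertificateKeyFile /placeholder/path/server.key
</VirtualHost>
"""


def _vhost_ports(address_list):
    """Ports named in a <VirtualHost a:p b:p> header ('*' alone has no port)."""
    ports = set()
    for address in address_list.split():
        port = address.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def check_ssl_conf(text):
    """Compare the ports OHS listens on with the ports that have an 'SSLEngine on'
    virtual host. A port in listen_without_ssl_vhost is served by the main
    (non-SSL) server: the 'SSL port turns into a non-SSL port' symptom."""
    listen, ssl_ports = set(), set()
    current = None  # ports of the <VirtualHost> block we are inside, else None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LISTEN_RE.match(line)
        if match:
            listen.add(int(match.group(1)))
            continue
        match = VHOST_OPEN_RE.match(line)
        if match:
            current = _vhost_ports(match.group(1))
            continue
        if VHOST_CLOSE_RE.match(line):
            current = None
            continue
        if current is not None and SSLENGINE_ON_RE.match(line):
            ssl_ports |= current
    return {
        "listen": listen,
        "ssl_vhost_ports": ssl_ports,
        "listen_without_ssl_vhost": listen - ssl_ports,
        "ssl_vhost_without_listen": ssl_ports - listen,
    }


def retarget_ssl_vhost(text, old_port, new_port):
    """Apply the extra edit the post calls for: point <VirtualHost ...:old_port>
    at new_port so it matches the changed Listen directive."""
    pattern = rf"(<VirtualHost\s[^>]*:){int(old_port)}(?=[\s>])"
    return re.sub(pattern, rf"\g<1>{int(new_port)}", text, flags=re.I)


if __name__ == "__main__":
    print(check_ssl_conf(SSL_CONF_MISMATCH))
    print(check_ssl_conf(retarget_ssl_vhost(SSL_CONF_MISMATCH, 4443, 4444)))
```

The same check can be run over admin.conf, which the post describes as an SSL virtual host on port 9999.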

If you are using Oracle Web Cache as a reverse proxy, you must update Oracle WebCache. From the Fusion Middleware Control navigation pane, expand the farm, then Web Tier. Select the Oracle Web Cache instance. From the Web Cache menu, choose Administration, then Origin Servers. Select the origin server for which you have changed the port, and click Edit.

The Edit Origin Server page is displayed. In the Port field, change the port number. Click OK. Restart Oracle Web Cache. (From the Web Cache menu, choose Control, then Restart.)

Note: The OHS that comes along with OID is not associated with Web Cache, so the above step is not necessary for it. But if you choose to change the ports of the OHS that was part of the Web Tier, the above step is necessary. The step is included here for completeness.

Restart OPMN and all system components in that Oracle instance:
opmnctl stopall
opmnctl startall

Note: If you change the port or make other changes that affect the URL, such as changing the hostname or enabling or disabling SSL, you need to re-register partner applications with the SSO server using the new URL.
(Here it's not required, as no such application is configured.)

::Steps to change the Proxy MBean or Admin port(default 9999)::

The Admin port cannot be edited using Fusion Middleware Control.

Also, the Oracle HTTP Server administration (proxy MBean) virtual host and its configuration, defined in the admin.conf file, must not be edited with the WebLogic Scripting Tool (WLST).

Although this is a port Oracle HTTP Server uses for its internal communication with Fusion Middleware Control, in most cases it does not need to be changed. If you really want to change it, manually edit the ORACLE_INSTANCE/config/OHS/<ohs_name>/admin.conf file.

In an Oracle Instance that is registered with a WebLogic domain, if the Oracle HTTP Server administration port (proxy MBean port in the admin.conf file) is changed after creating the component, then you must update the component registration with the WebLogic domain using the opmnctl updatecomponentregistration command, as follows:

opmnctl updatecomponentregistration -componentType OHS -componentName name -proxyPort port

For example, if the proxy port of an Oracle HTTP Server component named ohs1 has been changed to 9998, then use the following command:
opmnctl updatecomponentregistration -componentType OHS -componentName ohs1 -proxyPort 9998

sample run:
C:\Oracle\Middleware\asinst_1\bin>opmnctl updatecomponentregistration -componentType OHS -componentName ohs1 -proxyPort 9998

Command requires login to weblogic admin server (localhost):
  Username: weblogic
  Password:

Updating component registration on admin server.
Command succeeded.

Additional notes on OAM 11g


Prerequisite: the OAM 11g basic install steps should have been completed.


Oracle Access Manager (OAM) is the access management product acquired from Oblix in 2005.
# The OAM 11g User Interface (UI) is based on the Application Development Framework (ADF).


# Three types of Web Agents are supported in OAM 11g:
a) AccessGate/WebGate from 11g
b) AccessGate/WebGate from 10g (for backward compatibility) and
c) mod_osso for Oracle 10g Single Sign-On integration


You can set up either Oracle HTTP Server WebGate or mod_OSSO as an Agent for Oracle Access Manager (OAM).


Setting up an Agent involves the following steps:


1. Installing and Configuring the Agent (WebGate or mod_osso)
2. Registering the Agent as a Partner Application
3. Restarting the WebLogic Managed Servers



The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization.

Oracle HTTP Server 11g WebGate for Oracle Access Manager is not intended for use in Oracle Identity and Access Management
environments where you want to set up integration among Oracle Identity and Access Management components.



1. The following is the procedure for installing Oracle HTTP Server 11g Webgate for Oracle Access Manager.

A. Installing Oracle HTTP Server 11g (11.1.1.3.0, 11.1.1.4.0, or 11.1.1.5.0)-- Installation steps


Since we are on 11.1.1.5 for every component, we are now installing Oracle HTTP Server 11.1.1.5. You may ask whether we can use the OHS that was installed along with OID. That is not possible: the Webgate installer needs an OHS of the Web Tier type (installed by the Web Tier installer).

This is a restriction imposed by the Webgate installer.
We should first install Oracle HTTP Server 11.1.1.2 and then patch it to 11.1.1.5, which in turn means we should use the Oracle Web Tier installer 11.1.1.2 and then go to 11.1.1.5. More information on the Oracle Web Tier installer tool is below.

FMW 11g Web Tier Utilities encompasses products such as
* Oracle HTTP Server
* Oracle Web Cache


Oracle Process Manager and Notification Server (OPMN) is also installed by default. Together, these products are responsible for managing incoming HTTP requests, caching web messages, and sending XML and HTML back to the client.


Oracle HTTP Server 11g is based on Apache 2.2.
Once it is installed with Oracle Fusion Middleware, it is supported and maintained as Oracle HTTP Server. For this reason it differs from its originating Apache version and should not be treated as identical in all situations.

Similar to OID, Oracle Web Tier can be installed without a domain and administered from the command line. But to manage Oracle Web Tier from Fusion Middleware Control, the WebLogic domain with which you associate the Web Tier components must have been configured using both the Enterprise Manager and Java Required Files (JRF) domain templates. It is not possible to create this domain during the installation of Oracle Web Tier,
so the domain must already exist prior to installation and configuration. Alternatively, you can install Oracle Web Tier without configuring the components, then create a WebLogic Server domain, then run the configuration tool to associate your Oracle Web Tier components with that domain.

Below is the procedure to install OHS using the Web Tier installer, associating OHS with an existing WebLogic domain.



--> Ensure that the WebLogic admin server is up and running.

--> Execute setup.exe inside disk1 of the Web Tier 11.1.1.2 installation package (V18762-01.zip).

--> Choose the install and configure option and follow the screens.

--> Installation happens first, followed by configuration.

--> Once the installer completes, patch the installation in the same way using the 11.1.1.5 Web Tier patch set (V26010-01.zip).


Once the above process completes, a folder Oracle_WT1 is created inside MW_HOME.
Run the opmnctl status command:


C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status
Processes in Instance: instance1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
webcache1                        | WebCache-admin     |    3804 | Alive
webcache1                        | WebCache           |    3372 | Alive
ohs1                             | OHS                |    1884 | Alive

This information shows the components configured for this installation. The status
"Alive" means the component is up and running.

This opmnctl runs as a Windows service. This service is similar to, but distinct from, the service that monitors OID and OVD.

C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status -l
Processes in Instance: instance1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
webcache1                        | WebCache-admin     |    3804 | Alive    | 1675299287 |    17372 |  23:57:34 | http_admin:7786
webcache1                        | WebCache           |    3372 | Alive    | 1675299286 |    34268 |  23:57:34 | http_stat:7787,http_invalidation:7788,https_listen:7789,http_listen:7785
ohs1                             | OHS                |    1884 | Alive    | 1675299285 |    20212 |  23:58:15 | https:9999,https:4443,http:7777


Use the port numbers in this display to point your browser to the appropriate pages.

Use the format:
http://system_name:port_number

Below are all the URLs that should be tested.

Oracle HTTP Server http://localhost:7777
Oracle HTTP Server SSL https://localhost:4443
Oracle Web Cache http://localhost:7785
Oracle Web Cache SSL https://localhost:7789

Oracle Web Cache Administration http://localhost:7786
Oracle Web Cache Statistics http://localhost:7787

The username for the above two URLs is ias_admin and the password is what you specified during the installation process.


Note:Oracle HTTP Server comes configured with two listen ports: a non-SSL port (http) and an SSL port (https). The default, non-SSL port is 7777. If port 7777 is occupied, the next available port number, within a range of 7777-7877, is assigned. The default SSL port is 4443. Similarly, if port 4443 is occupied, the next available port number, within a range of 4443-4543, is assigned.
An additional SSL port (9999) is configured to run out-of-the-box in the admin.conf file.  It is called Proxy MBean or Admin port and is used internally by Oracle HTTP Server to communicate with Fusion Middleware Control.

Note: The WebCache 'invalidation port' 7788 expects the request to carry an XML message indicating the cache contents that must be invalidated. That's the reason any plain request from a browser will fail. You can find more information in the product documentation.



Now here is the scenario.


During the OID/OVD installation you get an OHS along with OID and OVD. That means, if you start opmnctl.bat at C:\Oracle\Middleware\asinst_1\bin,
you get OID, OVD and OHS up and running.


This implies there are two OHS in the Middleware home: one installed along with OID (monitored by the OPMN service located at C:\Oracle\Middleware\asinst_1\bin) and the other installed along with the Web Tier (monitored by the OPMN service located at C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin).

The reason we installed a separate OHS as part of the Web Tier, even though we already have the OHS from the OID installation, is that for the Webgate installation as part of OAM (which we are actually discussing), the OHS should be in a Middleware home
containing an Oracle Home for Oracle Web Tier, and the directory structure is important.

As discussed earlier in the OID posts, you cannot skip the installation of OHS during the OID installation, but you can always skip its configuration. OHS might be packaged along with the OID installer for OIF. But this is an assumption.

Hmm, that's okay. Finally we have two OPMN processes and two OHS.
Note that these two OHS were installed using the same ports.
Even the two OPMN services are installed using the same ports.
So these two can't be started at the same time. If the situation demands running both services at the same time, we should change the OPMN ports and also the OHS ports for one of the servers.


For detailed procedure of how to change the opmn ports, refer to one of my posts regarding the same.



Now you have to change the ports for one of the OHS.
I choose to change the ports for the OHS that was installed along with OID installation.


For detailed procedure of how to change the OHS ports, refer to one of my posts regarding the same.



After making the necessary changes to one of the OPMN services and OHS, both OHS and OPMN services can be started simultaneously.







B. Microsoft Visual C++ libraries installation


Ensure you follow the following prerequisites if you are on Windows 2003/2008. If you are using Windows 2003 or Windows 2008 64-bit operating systems, you must install the Microsoft Visual C++ 2005 libraries on the machine hosting the Oracle HTTP Server 11g Webgate for Oracle Access Manager.


These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:


http://www.microsoft.com/DownLoads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en


In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:


http://www.microsoft.com/en-in/download/details.aspx?id=26347



C. Run the Oracle HTTP Server Webgate installer to install Oracle HTTP Server 11g Webgate for Oracle Access Manager:
D:\Softwares\Oracle Access Manager WebGates (11.1.1.5.0)\Disk1\install\win64\setup.exe

Provide the java path, middleware path, and proceed as directed by the installer.

Note: this Java path is different from your computer's Java path; it is the path of the JDK created when you install Oracle HTTP Server. The jdk directory is created under the <WebTier_Home> directory. You must enter the absolute path of the JRE folder located in this JDK when launching the installer.


D. Post install steps::

-->Go to

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate
[ <Webgate_Home>\webgate\ohs\tools\deployWebGate]

On the command line, run the following command to copy the required bits of agent from the Webgate_Home directory to the Webgate Instance location:

deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1

[deployWebgateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>]

Note: <Webgate_Oracle_Home> is the directory where you have installed Oracle HTTP Server Webgate, created as the Oracle Home for Webgate.

The <Webgate_Instance_Directory> is the location of the Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server.

Sample run:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1

Copying files
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\config\oblog_config_wg.xml
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cacert.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cakey.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>

--> Add the following to your PATH variable:

<Webgate_Installation_Directory>\webgate\ohs\lib -- "C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\lib"
  and
<Oracle_Home_for_Oracle_HTTP_Server>\bin -- "C:\Oracle\Middleware\Oracle_WT1\bin"

--> Go to <Webgate_Home>\webgate\ohs\tools\EditHttpConf on the command line

(C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>)

and execute the following command. It copies "apache_webgate.template" from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and updates the httpd.conf file by adding one line that includes webgate.conf:

EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

The -oh <WebGate_Oracle_Home> and -o <output_file> parameters are optional.

Webgate_Instance_Directory == C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1
Webgate_Oracle_Home ==  C:\Oracle\Middleware\Oracle_OAMWebGate1

The <output_file> is the name of the temporary output file used by the tool, e.g. Edithttpconf.log.

so the command is 

EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log

sample run::


C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log
The web server configuration file was successfully updated
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf has been backed up as C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf.ORIG

C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>

note: This is the additional line added to httpd.conf
include  "C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/webgate.conf" 

E. Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager
--> Go to C:\Program Files\Oracle\Inventory\logs
and check the installDATE-TIME_STAMP.out log file to verify the installation.




Before you can get started with the new Oracle HTTP Server 11g Webgate agent for
Oracle Access Manager, you have to complete a few steps. They are:

 @ Register the New Webgate Agent
 @ Copy Generated Files and Artifacts to the Webgate Instance Location
 @ Restart the Oracle HTTP Server Instance


2. Registering the Agent as a Partner Application


A.Register the New Webgate Agent



You can register the new Webgate agent with Oracle Access Manager by using the Oracle Access Manager Administration Console.

Alternatively, you can use the RREG command-line tool to register a new Webgate agent. The tool can be run in two modes: In-Band mode, and Out-Of-Band mode.

I am using In-Band mode.


Setting Up the RREG Tool



Go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\client, copy RREG.tar.gz to some folder in your personal space and extract it there. A folder 'rreg' will be created.
Inside that rreg folder, go to the input directory and copy the OAM11GRequest_short.xml file.


Now go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input and paste the above file there.


Set the following environment variables in the oamreg.bat script
(available under C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin):
OAM_REG_HOME = C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
JAVA_HOME="C:\Program Files\Java\jdk1.6.0_25"





Updating the OAM11gRequest_short.xml File




go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\client\rreg\input


Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:


I am using OAM11GRequest_short.xml


<serverAddress>
Specify the host and the port of the Administration Server.
<serverAddress>http://localhost:7001</serverAddress>


<agentName>
Specify any custom name for the agent.
<agentName>RREG_OAM11G</agentName>


<agentBaseUrl>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<agentBaseUrl>http://localhost:7777</agentBaseUrl>




<preferredHost>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<preferredHost>http://localhost:7777</preferredHost>


<security>
Specify the security mode, such as open, based on the Webgate installed.
<security>open</security>


Available modes are 'open' , 'cert' and 'simple'


<primaryServerList>
Specify the host and the port of Managed Server for Oracle Access Manager proxy, under a <Server> container element.
<Server>
<primaryServerList>http://localhost:14100</primaryServerList>
</Server>


After modifying the file, save the file and close.
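A pre-flight check for the request file before running oamreg.bat, added here as an example and not part of the post or of the RREG tool. It validates the fields the post edits (presence, http(s)://host:port form, an allowed security mode) and flags the unencrypted open mode as a warning. The root element name and the nesting of the constructed sample are assumptions; the validator finds elements by name wherever they sit.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the fields the post edits in OAM11GRequest_short.xml, with
# the post's values. The root element name and nesting are assumptions.
RREG_REQUEST = """<OAM11GRegRequest>
  <serverAddress>http://localhost:7001</serverAddress>
  <agentName>RREG_OAM11G</agentName>
  <agentBaseUrl>http://localhost:7777</agentBaseUrl>
  <preferredHost>http://localhost:7777</preferredHost>
  <security>open</security>
  <Server>
    <primaryServerList>http://localhost:14100</primaryServerList>
  </Server>
</OAM11GRegRequest>"""

REQUIRED = ("serverAddress", "agentName", "agentBaseUrl", "preferredHost",
            "security", "primaryServerList")
URL_FIELDS = ("serverAddress", "agentBaseUrl", "preferredHost", "primaryServerList")
SECURITY_MODES = ("open", "cert", "simple")  # the modes the post lists


def read_request(xml_text):
    """First text value of each required element, keyed by local element name."""
    values = {}
    for element in ET.fromstring(xml_text).iter():
        name = element.tag.rsplit("}", 1)[-1]  # drop any namespace
        if name in REQUIRED and name not in values:
            values[name] = (element.text or "").strip()
    return values


def _url_problem(value):
    """Return a reason string if value is not http(s)://host:port, else None."""
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        return str(exc)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"
    if not host:
        return "host is missing"
    if port is None:
        return "port is missing (the post gives host AND port for every address)"
    return None


def validate_request(xml_text):
    """Return (errors, warnings). Run oamreg.bat inband only when errors is empty."""
    values = read_request(xml_text)
    errors, warnings = [], []
    for name in REQUIRED:
        if not values.get(name):
            errors.append(f"<{name}> is missing or empty")
    for name in URL_FIELDS:
        if values.get(name):
            problem = _url_problem(values[name])
            if problem:
                errors.append(f"<{name}> {values[name]!r}: {problem}")
    mode = values.get("security")
    if mode and mode not in SECURITY_MODES:
        errors.append(f"<security> {mode!r} is not one of {SECURITY_MODES}")
    elif mode == "open":
        # Open mode means no encryption between the WebGate and the OAM server.
        warnings.append("security=open: WebGate-to-OAM-server traffic is not "
                        "encrypted; prefer simple or cert outside a lab")
    base, preferred = values.get("agentBaseUrl"), values.get("preferredHost")
    if base and preferred and base != preferred:
        warnings.append("agentBaseUrl and preferredHost differ; the post sets "
                        "both to the WebGate's OHS address")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = validate_request(RREG_REQUEST)
    print("errors:", errors)
    print("warnings:", warnings)
```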


Running the command




Ensure Admin server and managed server for oam are up and running.
<RREG_Home>\bin\oamreg.bat inband input\OAM11GRequest_short.xml


==>
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin\oamreg.bat inband input\OAM11GRequest_short.xml


Note: Out-of-Band mode is used in cases where you are an end user and don't have access to the server. For details on how to complete registration in Out-of-Band mode, refer to the product docs.


sample run:


C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>oamreg.bat inband input\OAM11GRequest_short.xml
OAM_REG_HOME=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
CLASSPATH=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\rreg.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\RequestResponse.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-codec-1.3.jar;C:\Oracle\Middleware\Oracle
_IDM1\oam\server\rreg\lib\commons-httpclient-3.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-logging-1.1.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojmisc.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\se
rver\rreg\lib\jps-internal.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-common.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identitystore.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identityutils.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ldapjc
lnt11.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\dms.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\fmw_audit.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojdl.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\oraclepki.jar;C:\Oracle\Middleware\Oracle_IDM1\
oam\server\rreg\lib\osdt_cert.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_core.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_jce.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_saml.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_xmlsec.j
ar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\xmlparserv2.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-unsupported-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\nap-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\utilities.jar;
------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input\OAM11GRequest_short.xml
Enter admin username:weblogic
Username: weblogic
Enter admin password:
Do you want to enter a Webgate password?(y/n):
y
Enter webgate password:
Enter webgate password again:
Password accepted. Proceeding to register..
Aug 1, 2012 5:20:51 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n):
n


----------------------------------------
Request summary:
OAM11G Agent Name:RREG_OAM11G
Base URL:http://localhost:7777
URL String:RREG_HostId11G
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://localhost:7001
----------------------------------------


Inband registration process completed successfully! Output artifacts are created in the output folder.
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>


B.Copy Generated Files and Artifacts to the Webgate Instance Location
Regardless of the method or mode you use to register the new Webgate agent, the following files and artifacts are generated in the <RREG_Home>/output/<Agent ID> directory:
* cwallet.sso
* ObAccessClient.xml

Our method is in-band and the mode is open.


In OPEN mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory,
i.e.,

from

C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\output\RREG_OAM11G

to

C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1\webgate\config


* ObAccessClient.xml
* cwallet.sso




3. Restarting the WebLogic Managed Servers


A. Restart the Oracle HTTP Server using opmn
B. Stop oam_server1
C. Stop the WLS admin server
D. Start the WLS admin server
E. Start oam_server1




Verification of OAM functionality and web agent's registration


A. Open a web browser and hit the non-SSL HTTP URL of OHS, i.e.,
http://localhost:7777


B.You will be redirected to the OAM 11g SSO screen


C. Enter the  weblogic user name and password and proceed


D. You will be redirected now to the OHS page


Which means, you reached the OHS page, through OAM successfully!!










Thursday, 5 July 2012

OAM 11g Basic Install Steps

If detailed screen shots are needed. You can reach me at 

oimimage@gmail.com


:::::OAM:::::
1)You have installed OAM along with OIM installation.
2) Now you need to extend the domain, either by using the WebLogic quickstart or %ORACLE_IDM1%/common/bin/config.cmd
3) You must choose Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] as the domain configuration template on the Select Domain Source screen in the Oracle Fusion Middleware Configuration Wizard.
4)Now start the admin server and on the admin console you will see additional managed server oam_server1
5)Start the managed server oam_server1
6)Default oam url is http://localhost:7001/oamconsole
(http://<adminserver-host>:<adminserver-port>/oamconsole)

Fundamental check for basic OAM installation and configuration
a)On the admin server, the oamconsole WebApplication is deployed under the name of oam_admin Enterprise application.
b)On the oam_server1, we have the oam_server Enterprise application.

Patches for Oracle Identity Manager 11g

Most common Oracle IAM 11g products (OID, OVD, OIM, OAM, OIF, OES) are bundled into two software installation media
and software can be downloaded from OTN or from eDelivery.


a) Oracle Identity Management (IDM): this software media includes OID, OVD, OIF, DIP, and ODSM. The latest version of this software (as of May 2012) is 11.1.1.6. All 11g versions of this software are:

i) 11.1.1.6 - Full Software (also available as a patchset for 11.1.1.5 and prior releases).
ii) 11.1.1.5 - Patchset only
iii) 11.1.1.4 - Patchset only
iv) 11.1.1.3 - Patchset only
v) 11.1.1.2 - Full Software

b) Oracle Identity & Access Management (IDAM): this software includes OAM, OIM, OAAM, OES, and OIN. The latest version of this software (as of May 2012) is 11.1.1.5. All 11g versions of this software are:
i) 11.1.1.5 - Full Software (also available as a patchset for 11.1.1.3); THIS IS ALSO CALLED PS1
ii) 11.1.1.3 - Full Software

Note: IDAM 11.1.1.3 is first version in 11g series and there is NO 11.1.1.4 version for IDAM

More details below.

Bundle patches for 11.1.1.3:

VERSION            PATCH NUMBER
11.1.1.3.1 / BP01  10104765
11.1.1.3.2 / BP02  10257660
11.1.1.3.3 / BP03  11061319
11.1.1.3.4 / BP04  11818697
11.1.1.3.5 / BP05  12409462
11.1.1.3.6 / BP06  12722062
11.1.1.3.7 / BP07  13063982
11.1.1.3.8 / BP08  13589894

Bundle patches for 11.1.1.5:

VERSION            PATCH NUMBER
11.1.1.5.1 / BP01  12748351
11.1.1.5.2 / BP02  13399365
11.1.1.5.3 / BP03  13704894




c) Oracle Identity Analytics (OIA): this software includes OIA. The latest version of this software (as of May 2012) is 11.1.1.5. All 11g versions of this software are:
i) 11.1.1.5 - Full Software (also available as a patchset for 11.1.1.3)
ii) 11.1.1.3 - Full Software



Monday, 2 July 2012

OID and OVD 11g Basic Install Steps

If detailed screen shots are needed. You can reach me at 

oimimage@gmail.com 


 
Since we installed OIM 11.1.1.5, we are now installing OID stack also on 11.1.1.5

Basic Install Steps


1)Run Rcu 11.1.1.5
2)Install ofm_idm_win_11.1.1.2.0_64_disk1_1of1
3)Install p12395123_111150_MSWIN-x86-64 (11.1.1.5 patch set)
4)Start WLS Admin server
5)Go to C:\Oracle\Middleware\Oracle_IDM2\bin and run config.bat and provide details as requested.
We have now configured OID OVD ODIP ODSM and OHS




::::::OID:::::::

1)Go to WLS admin console and you will see an additional managed server 'wls_ods1'
2)Set a new variable ORACLE_INSTANCE as 'C:\Oracle\Middleware\asinst_1'
(The location of writable files in your Oracle Identity Management installation.)

Now execute the below steps.

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    2160 | Alive    | 1222706905 |    20208 |  20:19:16 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    3400 | Alive    | 1222706897 |   164132 |  20:26:09 | https:8899,ldap:6501,ldaps:7501,http:8080
oid1                             | oidldapd           |    1776 | Alive    | 1222706907 |    58708 |  20:26:41 | N/A
oid1                             | oidldapd           |    1468 | Alive    | 1222706906 |    22964 |  20:26:42 | N/A
oid1                             | oidmon             |    3916 | Alive    | 1222706894 |    30024 |  20:26:42 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    3884 | Alive    | 1222706898 |    13348 |  20:25:46 | N/A


The status tells us that OID, OVD and OHS are up and running.


Now execute the following:

C:\Oracle\Middleware\Oracle_IDM2>ldapbind -h localhost -p 3060 -D cn=orcladmin -w Passw0rd
bind successful

Note that -w puts the orcladmin password on the command line, where it is visible in the process list and in the shell history; prefer -q, which prompts for the password, as in the ldapbind example further down.


Many of the activities that you can perform at the command line can also be performed in Oracle Enterprise Manager Fusion Middleware Control or Oracle
Directory Services Manager. A few functions are only available from the command line.

Oracle Internet Directory supports the standard LDAP command-line utilities:

ldapadd, ldapaddmt, ldapbind, ldapcompare, ldapdelete, ldapmoddn,
ldapmodify, ldapmodifymt, and ldapsearch.
For example:
ldapbind -D "cn=orcladmin" -q -h "myserver.example.com" -p 3060
ldapsearch -b "cn=subschemas


For further information, refer to the admin guide.


::::::OVD:::::::

Registering Oracle Virtual Directory with the WebLogic Administration Server allows you to manage Oracle Virtual Directory using Fusion Middleware Control.

Execute the following command to register OVD (most probably you will get an exception, as OVD might have been
registered with FMW Control during configuration itself):

C:\Oracle\Middleware\asinst_1>opmnctl registerinstance -adminHost localhost -adminPort 7001 -adminUsername weblogic

Command requires login to weblogic admin server (localhost):
  Username: weblogic
  Password:

Registering instance
Command succeeded.

Start the Oracle Virtual Directory instance by executing the following
command:
$ORACLE_INSTANCE/bin/opmnctl startall

(This was already done in our case during configuration itself, as we got Alive status above while verifying.)

Verify that Oracle Virtual Directory has started by executing the following
command:
$ORACLE_INSTANCE/bin/opmnctl status -l

Now execute the following (no -D is given, so this is an anonymous bind: a successful result shows that the OVD listener is up, not that any credentials work):


C:\Oracle\Middleware\Oracle_IDM2>ldapbind -p 6501
bind successful

:::Common pointers for OID, OVD and OHS::::


For OID or OVD to start serving, there is no need for WebLogic.
You can just power on the system, start the database, start the OPMN-related service and that's it.


See below for further clarity.

I just started the database and the Oracle Process Manager (asinst_1) service.

Now proceed as below.

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:10:46 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:10:46 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidmon             |     N/A | Down     |        N/A |      N/A |       N/A | N/A
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11500 |   0:10:46 | N/A


C:\Oracle\Middleware\asinst_1\bin>opmnctl startall
opmnctl startall: starting opmn and all managed processes...

The Oracle Process Manager (asinst_1) service by itself starts all components.
We actually need not issue the startall command here; I just showed it for a demo.
In a practical environment, set the OPMN service to manual startup (you can change this in Windows services, services.msc).
The reason is that the database must be up and running for the OID processes (oidmon, oidldapd) to start properly; as the listing above shows, OVD and OHS come up without it, because only OID keeps its data in the database.
So if the database and the OPMN service are both set to automatic, problems may occur: set the database to automatic, ensure it is up and running, then start OPMN. Or you can set both to manual.

C:\Oracle\Middleware\asinst_1\bin>opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:13:50 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:13:50 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |    1308 | Alive    | 1222707162 |    51196 |   0:00:14 | N/A
oid1                             | oidldapd           |    3184 | Alive    | 1222707161 |    23020 |   0:00:15 | N/A
oid1                             | oidmon             |    3164 | Alive    | 1222707160 |    30108 |   0:00:15 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11636 |   0:13:50 | N/A



So all the processes are alive.
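As an added example (not code from the original post or from Oracle), here is a small Python script that parses `opmnctl status -l` output like the two listings above, lists the components that have a process not reported Alive, and collects the advertised ports so you can check them with a plain TCP connect before reaching for an LDAP browser. The two listings embedded in it are copied from this post so the script runs offline; the column order (ias-component, process-type, pid, status, uid, memused, uptime, ports) and the opmnctl path in live_status are assumed from the output shown above.

```python
"""Health check for an OPMN-managed OID/OVD/OHS instance from `opmnctl status -l` output.

Added example, not from the original post or from Oracle. STATUS_DOWN and
STATUS_UP are the two listings shown in the post (before and after
`opmnctl startall`), embedded here so the script runs offline. The column
layout is assumed to be the 11g one printed by opmnctl.
"""
import socket
import subprocess
from dataclasses import dataclass

STATUS_DOWN = """\
Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:10:46 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:10:46 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidldapd           |     N/A | Down     |        N/A |      N/A |       N/A | N/A
oid1                             | oidmon             |     N/A | Down     |        N/A |      N/A |       N/A | N/A
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11500 |   0:10:46 | N/A
"""

STATUS_UP = """\
Processes in Instance: asinst_1
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
ohs1                             | OHS                |    1824 | Alive    | 1222707158 |    20216 |   0:13:50 | https:9999,https:4443,http:7777
ovd1                             | OVD                |    2040 | Alive    | 1222707157 |   194720 |   0:13:50 | http:8080,ldap:6501,ldaps:7501,https:8899
oid1                             | oidldapd           |    1308 | Alive    | 1222707162 |    51196 |   0:00:14 | N/A
oid1                             | oidldapd           |    3184 | Alive    | 1222707161 |    23020 |   0:00:15 | N/A
oid1                             | oidmon             |    3164 | Alive    | 1222707160 |    30108 |   0:00:15 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    1996 | Alive    | 1222707155 |    11636 |   0:13:50 | N/A
"""


@dataclass(frozen=True)
class Proc:
    component: str
    ptype: str
    status: str
    ports: tuple  # ((proto, port), ...), e.g. (("ldaps", 3131), ("ldap", 3060))


def parse_status(text):
    """Turn the opmnctl table into Proc records; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 8 or cols[0] == "ias-component":
            continue
        comp, ptype, _pid, status, _uid, _mem, _uptime, ports = cols[:8]
        plist = []
        if ports != "N/A":
            for entry in ports.split(","):
                proto, _, num = entry.partition(":")
                plist.append((proto.lower(), int(num)))
        procs.append(Proc(comp, ptype, status, tuple(plist)))
    return procs


def down_components(procs):
    """Components with at least one process whose status is not Alive, sorted."""
    return sorted({p.component for p in procs if p.status != "Alive"})


def ports_for(procs, component):
    """All ports a component advertises, e.g. OID's LDAP 3060 and LDAPS 3131."""
    return sorted(port for p in procs if p.component == component for _, port in p.ports)


def tcp_open(host, port, timeout=2.0):
    """True if something accepts a TCP connection; says nothing about the protocol spoken."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(text, host=None):
    """Summarise one status listing; with a host, also probe every advertised port."""
    procs = parse_status(text)
    result = {"down": down_components(procs), "ports": {}}
    for p in procs:
        for proto, port in p.ports:
            result["ports"][port] = f"{p.component}/{proto}"
    if host:
        result["reachable"] = {port: tcp_open(host, port) for port in result["ports"]}
    return result


def live_status(opmnctl=r"C:\Oracle\Middleware\asinst_1\bin\opmnctl"):
    """Run opmnctl status -l on a live instance (path assumed from the post; adjust to yours)."""
    return subprocess.run([opmnctl, "status", "-l"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, text in (("before startall", STATUS_DOWN), ("after startall", STATUS_UP)):
        r = report(text)
        print(label, "-> down:", r["down"] or "none", "| ports:", r["ports"])
    # Against a live instance: print(report(live_status(), "localhost"))
```

The probe only tells you a listener answers on the port; whether it is the LDAP, LDAPS or HTTP endpoint you expect still has to be checked with ldapbind or a browser, and a TCP connect to the OID 3131 port will succeed even though an LDAP browser's TLS handshake on it fails, for the reason explained below.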



Now you can use a normal LDAP browser and connect to either OID or OVD.

Connect with an LDAP browser tool to the 3060 non-SSL port of OID -- working fine
Connect with an LDAP browser tool to the 6501 non-SSL port of OVD -- working fine
Connect with an LDAP browser tool to the 3131 SSL port of OID -- won't work -- reason below

OID SSL port 3131 is configured in SSL 'No-Authentication' mode, which uses anonymous ciphers for encryption; server authentication is not performed.
LDAP browser tools do not support anonymous ciphers and hence the SSL handshake fails. Such a session is encrypted, but the client has no way to verify that it is talking to the real OID, so the tools refuse it for a good reason. To use 3131 from standard clients, reconfigure the listener for server-authentication mode with a wallet holding a server certificate (see the SSL configuration chapter of the OID admin guide).

Connect with an LDAP browser tool to the 7501 SSL port of OVD -- working fine


Only if we want to use Enterprise Manager and Oracle Directory Services Manager to administer OID or OVD do we need to
start the WebLogic server.

So deploying OID and OVD in WLS is only a nice-to-have feature. You can just as well install them without WLS.

Now start the admin server for Enterprise Manager and the wls_ods1 managed server for Oracle Directory Services Manager.

--> Starting the admin server and the wls_ods1 managed server

Log on to EM using http://localhost:7001/em/

On the left-hand side you will have Farm_[Domain name], under which OID, OVD, OIM and DIP are listed below 'Identity and Access Management'.
Similarly you have ODSM under 'Application Deployments', OHS under 'Web Tier' and many other FMW components.

Using this EM console, we can do most of the admin operations of OID and OVD. Only to get this advantage have we deployed OID and OVD in the WLS domain.

Log on to ODSM using http://localhost:7005/odsm

This is only a web tool to browse OID and OVD from a browser, but it has many limitations
(refer to the admin guides of OVD and OID for these limitations).


Connect to OID with ODSM on the LDAP non-SSL port (3060) -- working fine
Connect to OID with ODSM on the LDAP SSL port (3131) -- working fine

OVD can't be connected to with ODSM on its LDAP ports (SSL and non-SSL).

Connect to OVD with ODSM on the admin SSL port (8899) -- working fine
Connect to OVD with ODSM on the admin non-SSL port (8080) -- won't work

In addition to the above, we have the DSML service for OVD.

DSML stands for Directory Service Markup Language.
DSML v2.0 is a Web Services protocol that closely mirrors LDAP.
DSMLv2 is designed to allow arbitrary Web Services clients to access directory services using the client's native protocols (SOAP over HTTP).
DSMLv2 allows content stored in a directory service to be easily accessed by standard off-the-shelf
Web Service applications and development tools, removing the need for application developers to use and understand one of the LDAP SDK libraries.

OVD includes an HTML-based gateway that provides DSML and XSLT-rendered directory reporting.

Below are the URLs supporting the same.

http://localhost:8080/  --> This is the Oracle Virtual Directory browser.
If prompted for a username and password, provide cn=orcladmin and its password.
http://localhost:8080/Browser.htm
http://localhost:8080/secure/Admin.htm
https://localhost:8899/
If prompted for a username and password, provide cn=orcladmin and its password.


:::::OHS::::
Below are the OHS URLs:
http://localhost:7777/
https://localhost:4443/
Note that OHS got installed along with OID and OVD here.
Actually, OID and OVD do not need an OHS.

Most probably OHS is included in the OID installation pack because OIF might need it. This is just an assumption. You cannot skip the OHS installation step, but you can definitely skip the configuration.