Oracle Directory Integration Platform High Availability Architecture

8-76 Oracle Fusion Middleware High Availability Guide

Once the Oracle Directory Integration Platform server is up and running, it reads further details from Oracle Internet Directory for handling its synchronization and provisioning functions. For information on creating synchronization profiles and provisioning profiles, see:

■ Creating Synchronization Profiles in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

■ Managing Provisioning Profiles Using oidprovtool in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform.

8.5.1.1.5 External Dependencies

Oracle Directory Integration Platform uses an Oracle Internet Directory to store its metadata. The Quartz Scheduler uses the ODSSM schema to store its scheduling information in the database. The same database is used by Oracle Internet Directory and Oracle Directory Integration Platform. The ODSSM schema required for Oracle Directory Integration Platform is created as part of Oracle Internet Directory schema creation. Oracle Directory Integration Platform also depends on the Oracle Credential Store Framework (CSF), a secure framework provided by Oracle, and on the Java Keystore (JKS) to store the wallets and credentials used to connect to Oracle Internet Directory and third-party LDAP stores over SSL. Oracle Directory Integration Platform also depends on the Oracle Fusion Middleware Common Audit Framework, which is installed by default.

8.5.1.1.6 Oracle Directory Integration Platform Log File

Oracle Directory Integration Platform is a J2EE application deployed on top of Oracle WebLogic Server. All log messages are logged in the server log file of the Oracle WebLogic Server that the application is deployed on. The default location of the server log is:

WEBLOGIC_SERVER_HOME/user_projects/domains/domainName/servers/serverName/logs/serverName-diagnostic.log

8.5.2 Oracle Directory Integration Platform High Availability Concepts

This section provides conceptual information about using Oracle Directory Integration Platform in a high availability configuration. In the Oracle Directory Integration Platform high availability configuration described in this section, Oracle Directory Integration Platform and Oracle Directory Services Manager are installed and configured on two hosts in a two-node high availability active-active configuration.

8.5.2.1 Oracle Directory Integration Platform High Availability Architecture

Figure 8–7 shows the Oracle Directory Integration Platform and Oracle Directory Services Manager high availability architecture in an active-active configuration.

Table 8–6 (Cont.) Configuration Parameters Required to Start Directory Integration (row continued from the preceding page)
Parameter: Quartz Threads. Description: Maximum number of threads that can be used by Quartz for scheduling the processes.

Figure 8–7 Oracle Directory Integration Platform and Oracle Directory Services Manager in a High Availability Architecture
[Figure 8–7 shows: a Load Balancer; WEBHOST1 and WEBHOST2, each running OHS; two Firewalls; IDMHOST1 and IDMHOST2, each with an Admin Server and a Managed Server (WLS_ODS1 and WLS_ODS2) hosting DIP and ODSM, grouped as Cluster_ODS; Multi_DS data sources to the RAC database; and an LDAP Store, such as OID.]

In Figure 8–7, the application tier includes the IDMHOST1 and IDMHOST2 computers. On IDMHOST1, the following installations have been performed:

■ An Oracle Directory Integration Platform instance and Oracle Directory Services Manager instance have been installed on the WLS_ODS1 Managed Server. The Oracle RAC database has been configured in a JDBC multi data source to protect the instances from Oracle RAC node failure.

■ A WebLogic Administration Server has been installed. Under normal operations, this is the active Administration Server.

On IDMHOST2, the following installations have been performed:

■ An Oracle Directory Integration Platform instance and Oracle Directory Services Manager instance have been installed in the WLS_ODS2 Managed Server. The Oracle RAC database has been configured in a JDBC multi data source to protect the instances from Oracle RAC node failure. The instances in the WLS_ODS2 Managed Server on IDMHOST2 and the instances in the WLS_ODS1 Managed Server on IDMHOST1 are configured as the CLUSTER_ODS cluster.

■ A WebLogic Administration Server has been installed. Under normal operations, this is the passive Administration Server. You will make this Administration Server active if the Administration Server on IDMHOST1 becomes unavailable.

8.5.2.1.1 Starting and Stopping the Cluster

In a high availability architecture, Oracle Directory Integration Platform and Oracle Directory Services Manager are deployed on an Oracle WebLogic Cluster that has at least two servers as a part of the cluster. By default, the WebLogic Server starts, stops, and monitors the applications. By default, both the Oracle Directory Integration Platform and Oracle Directory Services Manager applications leverage the high availability features of the underlying WebLogic Clusters. In case of hardware or other failures, session state is available to other cluster nodes that can resume the work of the failed node. In a high availability environment, WebLogic Node Manager is configured to monitor the WebLogic servers. In case of failure, Node Manager restarts the WebLogic Server. If Node Manager cannot restart the server, then the front-ending load balancing router detects failure of a WebLogic instance in the Cluster and routes traffic to surviving instances.

8.5.2.1.2 Cluster-Wide Configuration Changes

When Oracle Internet Directory is deployed in an active-active high availability configuration, all the Oracle Internet Directory instances belonging to the cluster share the same database. Any changes made to Oracle Directory Integration Platform on one Oracle Internet Directory node are automatically propagated to all the Oracle Internet Directory instances in the cluster.

The following subsections describe configuration changes made to the Oracle Directory Integration Platform application in an Oracle Internet Directory multimaster replication deployment. In a multimaster replication deployment, configuration changes must be applied to all the nodes in the cluster manually, as described below.

Directory Integration Profiles

Changes made to directory integration profiles on one Oracle Internet Directory node are not automatically replicated to other Oracle Internet Directory nodes in a default multimaster Oracle Internet Directory replication environment. They must be manually copied over from the primary node to the secondary nodes on a periodic basis. This allows a directory synchronization profile to execute on a secondary node if a problem occurs on the primary node.

One of the parameters used by Oracle Directory Integration Platform is orcllastappliedchangenumber. The value assigned to the lastchangenumber attribute in a directory synchronization profile depends on the directory server on which Oracle Directory Integration Platform is running. In an active-active Oracle Directory Integration Platform configuration, you must manually update the lastchangenumber attribute in all instances.

The next section details the steps to copy the synchronization profiles and the provisioning profiles from the primary Oracle Internet Directory to the secondary Oracle Internet Directory in a multimaster replication deployment.

Directory Synchronization Profiles

After copying an export profile to a target node, the lastchangenumber attribute must be updated with the value from the target node. Follow the steps below to update the value:

1. Disable the synchronization profile.

2. Get the value of the lastchangenumber attribute on the target node using the ldapsearch command.

3. Use ldapsearch to get the LDIF dump of the profile entry.

4. Use ldapadd to add the profile to the other Oracle Internet Directory instance.

5. Use the updatechgnum operation of the manageSyncProfiles command to update the lastchangenumber attribute in the export profile you copied to the target node with the value you obtained in Step 2.

6. Enable the synchronization profile.

Directory Provisioning Profiles

In a default multimaster Oracle Internet Directory replication environment, Oracle Directory Integration Platform is installed in the same location as the primary Oracle Internet Directory. The information and steps in this section apply only when multimaster replication is set up.

If the primary node fails, event propagation stops for all profiles located on the node. Although the events are queued and not lost while the primary node is stopped, they are not propagated to any applications that expect them. To ensure that events continue to be propagated even when the primary node is down for the Version 1.0 and 2.0 profiles, the directory provisioning profiles must be copied to other secondary nodes. However, directory provisioning profiles should only be copied from the primary node to any secondary nodes immediately after an application is installed and before any user changes are made in Oracle Internet Directory.

To synchronize the directory provisioning profiles between a primary node and any secondary nodes, do the following:

1. On the primary node, use the ldifwrite command to create an LDIF dump of the entries from this container:

cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory

2. Copy the LDIF dump to the secondary node.

3. Use the ldapadd command to add the profiles on the secondary node.
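The two copy procedures above both hinge on LDIF produced by ldapsearch or ldifwrite, and both have a failure mode the guide warns about: a synchronization profile enabled on the target node while it still carries the source node's change number, and a provisioning dump added to a secondary node without confirming it contains only the intended container. The following Python is an added example, not code from the Oracle guide or the product, showing the checks an administrator would run around Steps 2, 5 and 6 of the synchronization procedure and before Step 3 of the provisioning procedure. All LDIF samples are constructed; the root-DSE location of lastchangenumber and the profile DN layout are assumptions, while the provisioning container DN is the one named in the guide.

```python
# Added example (not Oracle's code): LDIF parsing plus the sanity checks for
# copying DIP profiles between OID nodes. Sample data below is constructed.

# Container named in the guide for provisioning profiles.
PROVISIONING_CONTAINER = (
    "cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory"
)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.
    Continuation lines (leading space) are unfolded, comments and 'version:'
    skipped, attribute names lower-cased (LDAP names are case-insensitive).
    Base64 ('::') values are kept undecoded; only numeric attributes are checked."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    if current:
        entries.append(current)
    return entries


def first_value(entry, attr):
    values = entry.get(attr.lower())
    return values[0] if values else None


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DNs written by
    different tools compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def target_lastchangenumber(rootdse_ldif):
    """Step 2: lastchangenumber from the target node's root DSE search output.
    Raises instead of returning None so the copy never continues with an empty
    value, which would leave the profile at the source node's position."""
    entries = parse_ldif(rootdse_ldif)
    value = first_value(entries[0], "lastchangenumber") if entries else None
    if value is None or not value.isdigit():
        raise ValueError("target node did not return lastchangenumber")
    return int(value)


def profile_change_number(profile_ldif):
    """orcllastappliedchangenumber of a single exported profile entry, or None."""
    entries = parse_ldif(profile_ldif)
    if len(entries) != 1:
        raise ValueError("expected exactly one profile entry, got %d" % len(entries))
    value = first_value(entries[0], "orcllastappliedchangenumber")
    return int(value) if value is not None and value.isdigit() else None


def profile_ready_to_enable(profile_ldif_on_target, lcn_at_step2, lcn_now):
    """Gate for Step 6: re-read the profile from the target after updatechgnum
    and enable it only if its change number lies within the target node's
    change-log range seen during the procedure (the log may have advanced
    since Step 2, so an exact match is not required)."""
    applied = profile_change_number(profile_ldif_on_target)
    return applied is not None and lcn_at_step2 <= applied <= lcn_now


def provisioning_dump_outside_container(dump_ldif, container=PROVISIONING_CONTAINER):
    """Check an ldifwrite dump before ldapadd on the secondary node: return the
    DNs that are neither the container itself nor beneath it (empty = safe)."""
    base = normalize_dn(container)
    stray = []
    for entry in parse_ldif(dump_ldif):
        dn = normalize_dn(first_value(entry, "dn") or "")
        if dn != base and not dn.endswith("," + base):
            stray.append(dn)
    return stray


# Constructed output of: ldapsearch -b "" -s base "objectclass=*" lastchangenumber
SAMPLE_ROOTDSE = "dn:\nlastchangenumber: 48213\n"

# Constructed sync profile as exported from the source node (Step 3); its change
# number refers to the source node's change log. DN layout is an assumption.
SAMPLE_PROFILE_FROM_SOURCE = """dn: orclodipagentname=ExampleExport,cn=subscriber profile,
 cn=changelog subscriber,cn=oracle internet directory
objectclass: orclodipintegrationprofile
orclodipagentname: ExampleExport
orcllastappliedchangenumber: 9124
"""

# The same profile re-read from the target after Steps 4 and 5 (constructed).
SAMPLE_PROFILE_ON_TARGET = SAMPLE_PROFILE_FROM_SOURCE.replace(
    "orcllastappliedchangenumber: 9124", "orcllastappliedchangenumber: 48213")

# Constructed ldifwrite dump: the container, one profile, and one stray entry.
SAMPLE_PROV_DUMP = """dn: cn=provisioning profiles,cn=changelog subscriber,cn=oracle internet directory
objectclass: orclcontainer
cn: provisioning profiles

dn: orclodipprofilename=ExampleApp_Prov,cn=provisioning profiles,
 cn=changelog subscriber,cn=oracle internet directory
objectclass: orclodipprovisioningintegrationprofile
orclodipprofilename: ExampleApp_Prov

dn: cn=ExampleApp,cn=Products,cn=OracleContext
objectclass: orclcontainer
cn: ExampleApp
"""

if __name__ == "__main__":
    lcn = target_lastchangenumber(SAMPLE_ROOTDSE)
    print("source copy ready:", profile_ready_to_enable(SAMPLE_PROFILE_FROM_SOURCE, lcn, lcn + 7))
    print("updated copy ready:", profile_ready_to_enable(SAMPLE_PROFILE_ON_TARGET, lcn, lcn + 7))
    print("entries outside container:", provisioning_dump_outside_container(SAMPLE_PROV_DUMP))
```

In practice the functions are fed the real output of the ldapsearch and ldifwrite commands from the steps above; `profile_ready_to_enable` returns False for the unmodified source export and True once the profile re-read from the target carries a change number from the target's own log, and `provisioning_dump_outside_container` flags the stray `cn=ExampleApp` entry so the dump is trimmed before ldapadd.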

8.5.2.2 Protection from Failures and Expected Behavior