1-12 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management ■ In the Oracle Access Manager and Oracle Identity Manager topology, the Identity Management Servers and SOA Servers are active-active deployments; these servers communicate with the data tier at run time. ■ In the OAAM topology, the Oracle Adaptive Access Servers are active-active deployments; they might communicate with the data tier at run time. ■ The WebLogic Administration Server and Oracle Enterprise Manager deployment is active-passive where other components are active-active. ■ The Identity Federation Servers are active-active deployments; the Oracle Identity Federation Server may communicate with the data tier at run time. ■ The WebLogic Administration Server is a singleton component deployed in an active-passive configuration. If IDMHOST1 fails or the Administration Server on IDMHOST1 does not start, the Administration Server on IDMHOST2 can be started. All Managed Servers and components on IDMHOST1 and IDMHOST2 must be configured with the Administration Server virtual IP address.

1.5.2.3 Security Provisions

Oracle WebLogic Server Console, Oracle Enterprise Manager Fusion Middleware Control console, and Oracle Access Manager console are only accessible through admin.mycompany.com, which is only available inside the firewall.

1.5.3 Understanding the Web Tier

The web tier is in the DMZ Public Zone. The HTTP Servers are deployed in the web tier. Most of the Identity Management components can function without the web tier, but for most enterprise deployments, the web tier is desirable. To support enterprise level single sign-on using products such as Oracle Single Sign-On and Oracle Access Manager, the web tier is required. While components such as Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager can function without a web tier, they can be configured to use a web tier, if desired. In the web tier: ■ WEBHOST1 and WEBHOST2 have Oracle HTTP Server, WebGate an Oracle Access Manager component, and the mod_wl_ohs plug-in module installed. The mod_ wl_ohs plug-in module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier. ■ WebGate an Oracle Access Manager component in Oracle HTTP Server uses Oracle Access Protocol OAP to communicate with Oracle Access Manager running on IDMHOST1 and IDMHOST2, in the Identity Management DMZ. WebGate and Oracle Access Manager are used to perform operations such as user authentication. On the firewall protecting the web tier, only the HTTP ports are open: 443 for HTTPS and 80 for HTTP.

1.5.3.1 Architecture Notes

Oracle HTTP Servers on WEBHOST1 and WEBHOST2 are configured with mod_wl_ohs, and proxy requests for the Oracle Enterprise Manager, Oracle Directory Integration Platform, and Oracle Directory Services Manager Java EE applications deployed in WebLogic Server on IDMHOST1 and IDMHOST2. Enterprise Deployment Overview 1-13

1.5.3.2 Security Provisions

The Oracle HTTP Servers process requests received using the URLs sso.mycompany.com and admin.mycompany.com. The nameadmin.mycompany.com is only resolvable inside the firewall. This prevents access to sensitive resources such as the Oracle WebLogic Server console and Oracle Enterprise Manager Fusion Middleware Control console from the public domain.

1.6 Using This Guide

Follow these steps to install the software and extend your domain with the components required in your environment. 1. Read the current chapter, Chapter 1, Enterprise Deployment Overview. 2. Ensure that you have performed all prerequisite steps, as described in Chapter 2, Prerequisites for Enterprise Deployments. 3. Configure the database repository, as described in Chapter 3, Configuring the Database Repositories. 4. Install the software, as described in Chapter 4, Installing the Software. 5. Configure the Web Tier, as described in Chapter 5, Configuring the Web Tier. 6. Create the WebLogic domain, as described in Chapter 6, Creating the WebLogic Server Domain for Identity Management. 7. Extend the domain with Oracle Internet Directory, as described in Chapter 7, Extending the Domain with Oracle Internet Directory. 8. Extend the domain with Oracle Directory Integration Platform optional and ODSM, as described in Chapter 8, Extending the Domain with Oracle Directory Integration Platform and ODSM. 9. If you intend to store your identity data in a directory other than Oracle Internet Directory or in a split directory, perform the procedures described in Chapter 9, Extending the Domain with Oracle Virtual Directory and in Configuring an Identity Store with Multiple Directories in Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite. If your Identity Store includes only Oracle Internet Directory, skip this step. 10. Prepare the Identity and Policy Stores. See Chapter 10, Preparing Identity and Policy Stores. 11. If you are using Oracle Access Manager, follow the steps in Section 1, Enterprise Deployment Overview. Otherwise, ignore this step. 12. If you are using Oracle Adaptive Access Manager, follow the steps in Section 12, Extending the Domain with Oracle Adaptive Access Manager. Otherwise, skip this step. 13. If you are using Oracle Identity Navigator, follow the steps in Section 13, Extending the Domain with Oracle Identity Navigator. Otherwise, skip this step. 14. If you are using Oracle Identity Manager, follow the steps in Section 11, Extending the Domain with Oracle Access Manager 11g and in Section 17, Configuring Server Migration for Oracle Identity Manager. Otherwise, skip this step. 15. If you are using Oracle Identity Federation, follow the steps in Section 15, Extending the Domain with Oracle Identity Federation. Otherwise, skip this step.