
6-10 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

protocol. If the listen address, port and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using a load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address. To make this change, perform the following steps:

1. Log in to Oracle WebLogic Server Administration Console.

2. Click Lock and Edit.

3. Expand the Environment node in the Domain Structure window.

4. Click Servers to open the Summary of Servers page.

5. Select Admin Server in the Names column of the table. The Settings page for AdminServer(admin) appears.

6. Click the Protocols tab.

7. Click the HTTP tab.

8. Set the Front End Host field to admin.mycompany.com (your load balancer address).

9. Set FrontEnd HTTP Port to 80.

10. Save and activate the changes.

To eliminate redirections, best practice is to disable the Administration Console's Follow changes feature. To do this, log in to the Administration Console and click Preferences -> Shared Preferences. Deselect Follow Configuration Changes and click Save.

6.12 Enabling WebLogic Plug-in

In Enterprise deployments, Oracle WebLogic Server is fronted by Oracle HTTP servers. The HTTP servers are, in turn, fronted by a load balancer, which performs SSL translation. In order for internal loopback URLs to be generated with the https prefix, Oracle WebLogic Server must be informed that it receives requests through the Oracle HTTP Server WebLogic plug-in.

The plug-in can be set at either the domain, cluster, or Managed Server level. Because all requests to Oracle WebLogic Server are through the Oracle OHS plug-in, set it at the domain level. To do this, perform the following steps:

1. Log in to the Oracle WebLogic Server Administration Console at: http://ADMINVHN.mycompany.com:7001/console

2. Click Lock and Edit.

3. Click IDMDomain in the Domain Structure menu.

4. Click the Configuration tab.

5. Click the Web Applications sub tab.

6. Select WebLogic Plug-in Enabled.

7. Click Save and Activate the Changes.

8. Restart WebLogic Administration Server, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

Creating the WebLogic Server Domain for Identity Management 6-11
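An offline check of the two console changes above (the Administration Server front end host and port, and the domain-level WebLogic Plug-in Enabled flag), as an added example that is not part of the Oracle guide. It assumes the activated settings are persisted in the domain's config.xml under the namespace and element names shown; the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace and element names are assumptions about the config.xml layout.
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample, not taken from a real domain.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>IDMDomain</name>
  <server>
    <name>AdminServer</name>
    <web-server>
      <frontend-host>admin.mycompany.com</frontend-host>
      <frontend-http-port>80</frontend-http-port>
    </web-server>
  </server>
  <web-app-container>
    <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
  </web-app-container>
</domain>"""


def audit_config(xml_text, server_name="AdminServer",
                 frontend_host="admin.mycompany.com", frontend_port="80"):
    """Return a list of findings; an empty list means the settings match."""
    root = ET.fromstring(xml_text)
    findings = []

    def text(node, path):
        # Missing elements are treated as unset (empty string).
        return (node.findtext(path, default="", namespaces=NS) or "").strip()

    # Section 6.12: the plug-in flag is set once, at the domain level.
    if text(root, "d:web-app-container/d:weblogic-plugin-enabled").lower() != "true":
        findings.append("WebLogic Plug-in Enabled is not set at the domain level")

    servers = [s for s in root.findall("d:server", NS) if text(s, "d:name") == server_name]
    if not servers:
        return findings + ["server %s not found" % server_name]
    host = text(servers[0], "d:web-server/d:frontend-host")
    port = text(servers[0], "d:web-server/d:frontend-http-port")
    if host.lower() != frontend_host.lower():
        findings.append("Front End Host is %r, expected %r" % (host, frontend_host))
    if port != frontend_port:
        findings.append("FrontEnd HTTP Port is %r, expected %r" % (port, frontend_port))
    return findings

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG) or "settings match the guide")
```

A missing front end host or port shows up as an empty value in the finding, which is the state in which the console falls back to redirecting to the Administration Server's own listen address.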

6.13 Validating Access Through Oracle HTTP Server

Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported, such as Admin or Failed, check the server output log files for errors. See Section 20.6, "Troubleshooting", for possible causes.

Validate Administration Console and Oracle Enterprise Manager Fusion Middleware Control through Oracle HTTP Server using the following URLs:

■ http://admin.mycompany.com/console

■ http://admin.mycompany.com/em

For information on configuring system access through the load balancer, see Section 2.2.1, "Load Balancers".

6.14 Manually Failing Over the WebLogic Administration Server

This section discusses how to fail over the Administration Server to IDMHOST2 and how to fail it back to IDMHOST1. This section contains the following topics:

■ Section 6.14.1, "Failing over the Administration Server to IDMHOST2"

■ Section 6.14.2, "Starting the Administration Server on IDMHOST2"

■ Section 6.14.3, "Validating Access to IDMHOST2 Through Oracle HTTP Server"

■ Section 6.14.4, "Failing the Administration Server Back to IDMHOST1"

6.14.1 Failing over the Administration Server to IDMHOST2

If a node fails, you can fail over the Administration Server to another node. This section describes how to fail over the Administration Server from IDMHOST1 to IDMHOST2.

Assumptions:

■ The Administration Server is configured to listen on ADMINVHN.mycompany.com, and not on ANY address. See step 10 in Section 6.2, "Running the Configuration Wizard on IDMHOST1 to Create a Domain".

■ The Administration Server is failed over from IDMHOST1 to IDMHOST2, and the two nodes have these IP addresses:

  – IDMHOST1: 100.200.140.165

  – IDMHOST2: 100.200.140.205

  – ADMINVIP: 100.200.140.206

  This is the Virtual IP address where the Administration Server is running, assigned to interface:index (for example, eth1:2), available in IDMHOST1 and IDMHOST2.

■ The domain directory where the Administration Server is running in IDMHOST1 is on a shared storage and is mounted also from IDMHOST2.

■ Oracle WebLogic Server and Oracle Fusion Middleware Components have been installed in IDMHOST2 as described in previous chapters. That is, the same path for IDM_ORACLE_HOME and MW_HOME that exists in IDMHOST1 is available in IDMHOST2.

Note: After registering the Oracle HTTP Server as described in Section 6.10, "Registering Oracle HTTP Server with WebLogic Server", the Oracle HTTP Server should appear as a manageable target in Oracle Enterprise Manager Fusion Middleware Control. To verify this, log in to Fusion Middleware Control. The WebTier item in the navigation tree should show that Oracle HTTP Server has been registered.

The following procedure shows how to fail over the Administration Server to a different node, IDMHOST2.

Linux

1. Stop the Administration Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

2. Migrate the IP address to the second node.

   a. Run the following command as root on IDMHOST1 (where x:y is the current interface used by ADMINVHN.mycompany.com):

      IDMHOST1> /sbin/ifconfig x:y down

      For example:

      IDMHOST1> /sbin/ifconfig eth0:1 down

   b. Run the following command on IDMHOST2:

      IDMHOST2> /sbin/ifconfig interface:index IP_Address netmask netmask

      For example:

      /sbin/ifconfig eth0:1 10.0.0.1 netmask 255.255.255.0

      Note: Ensure that the netmask and interface to be used match the available network configuration in IDMHOST2.

3. Update routing tables by using arping, for example:

   IDMHOST2> /sbin/arping -b -A -c 3 -I eth0 10.0.0.1

Note: NM in IDMHOST2 does not control the domain at this point, since unpack/nmEnroll has not been run yet on IDMHOST2. But for the purpose of AdminServer failover and control of the AdminServer itself, Node Manager is fully functional.

Windows

1. Stop the Administration Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

2. Migrate the IP address to the second node.

   a. Run the following command as root on IDMHOST1:

      netsh interface ip delete address interface netmask

      In the following example, the IP address is disabled on the interface Local Area Connection:

      netsh interface ip delete address "Local Area connection" 100.200.140.206

   b. Run the following command on IDMHOST2:

      netsh interface ip add address interface IP_Address netmask

      In the following example, the IP address is enabled on the interface Local Area Connection:

      netsh interface ip add address "Local Area connection" 100.200.140.206 255.255.255.0

6.14.2 Starting the Administration Server on IDMHOST2

Perform the following steps to start Node Manager on IDMHOST2:

1. On IDMHOST1, unmount the Administration Server domain directory. For example:

   umount /u01/app/oracle/admin/IDMDomain/aserver

2. On IDMHOST2, mount the Administration Server domain directory. For example:

   mount /u01/app/oracle/admin/IDMDomain/aserver

3. Start Node Manager by using the following commands:

   IDMHOST2> cd ORACLE_BASE/product/fmw/wlserver_10.3/server/bin
   IDMHOST2> ./startNodeManager.sh

4. Stop Node Manager.

   Note: Starting and stopping Node Manager at this point is only necessary the first time you run Node Manager. Starting and stopping it creates a property file from a predefined template. The next step adds properties to that property file.

5. Run the setNMProps.sh script to set the StartScriptEnabled property to true before starting Node Manager:

   cd MW_HOME/oracle_common/common/bin
   ./setNMProps.sh

   Note: You must use the StartScriptEnabled property to avoid class loading failures and other problems.

6. Start the Node Manager as described in Section 20.1.5.3, "Starting Node Manager for an Administration Server".

7. Start the Administration Server on IDMHOST2.

   IDMHOST2> cd ORACLE_COMMON_HOME/common/bin
   IDMHOST2> ./wlst.sh

   Once in the wlst shell, execute the following commands:

   wls:/offline> nmConnect('Admin_User','Admin_Password', 'IDMHOST2','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
   wls:/nm/domain_name> nmStart('AdminServer')

8. Test that you can access the Administration Server on IDMHOST2 as follows:

   a. Ensure that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.

   b. Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.

6.14.3 Validating Access to IDMHOST2 Through Oracle HTTP Server

Perform the same steps as in Section 6.13, Validating Access Through Oracle HTTP Server. This is to check that you can access the Administration Server when it is running on IDMHOST2.

6.14.4 Failing the Administration Server Back to IDMHOST1

This step checks that you can fail back the Administration Server, that is, stop it on IDMHOST2 and run it on IDMHOST1. To do this, migrate ADMINVHN back to the IDMHOST1 node as follows:

1. On IDMHOST2, unmount the Administration Server domain directory. For example:

   umount /u01/app/oracle/admin/IDMDomain/aserver

2. On IDMHOST1, mount the Administration Server domain directory. For example:

   mount /u01/app/oracle/admin/IDMDomain/aserver

3. Ensure that the Administration Server is not running. If it is, stop it from the WebLogic console, or by running the command stopWebLogic.sh from DOMAIN_HOME/bin.

4. Stop the Administration Server as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

5. Disable the ADMINVHN.mycompany.com virtual IP address on IDMHOST2 by running the following command as root on IDMHOST2:

   IDMHOST2> /sbin/ifconfig x:y down

   where x:y is the current interface used by ADMINVHN.mycompany.com.

6. Run the following command on IDMHOST1:

   IDMHOST1> /sbin/ifconfig interface:index 100.200.140.206 netmask 255.255.255.0

   Note: Ensure that the netmask and interface to be used match the available network configuration in IDMHOST1.

7. Update routing tables by using arping. Run the following command from IDMHOST1:

   IDMHOST1> /sbin/arping -b -A -c 3 -I interface 100.200.140.206

8. If Node Manager is not already started on IDMHOST1, start it, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

9. Start the Administration Server again on IDMHOST1.

   IDMHOST1> cd ORACLE_COMMON_HOME/common/bin
   IDMHOST1> ./wlst.sh

   Once in the wlst shell, execute:

   wls:/offline> nmConnect('Admin_User','Admin_Password', 'IDMHOST1','5556', 'IDMDomain','/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain')
   wls:/nm/domain_name> nmStart('AdminServer')

10. Test that you can access the Oracle WebLogic Server Administration Console at http://ADMINVHN.mycompany.com:7001/console.

11. Check that you can access and verify the status of components in the Oracle Enterprise Manager at http://ADMINVHN.mycompany.com:7001/em.

6.15 Backing Up the WebLogic Domain

It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.

For information about database backups, refer to the Oracle Database Backup and Recovery User's Guide.

To back up the installation at this point, complete these steps:

1. Back up the web tier as described in Section 5.5, "Backing up the Web Tier Configuration".

2. Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager.

3. Stop Node Manager and all the processes running in the domain, as described in Section 20.1, "Starting and Stopping Oracle Identity Management Components".

4. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory. On Linux, type:

   IDMHOST1> tar -cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver

For information about backing up the application tier configuration, see Section 20.4, "Performing Backups and Recoveries".

7 Extending the Domain with Oracle Internet Directory

This chapter describes how to extend the domain with Oracle Internet Directory (OID) in the enterprise deployment. This chapter includes the following topics:

■ Section 7.1, "Identity Store and Policy Store in Oracle Internet Directory"