Configuring the Load Balancer Enabling Oracle Identity Federation Integration with Highly Available LDAP Servers

Oracle Fusion Middleware High Availability Guide

For example, from OIFHOST1, execute the following command:

scp -rp MW_HOME/user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif1/applications user@OIFHOST2:MW_HOME/user_projects/domains/IDMDomain/config/fmwconfig/servers/wls_oif2/applications

8.13.3.4.2 Start the Managed Server on OIFHOST2 in a Cluster

Follow these steps to start the newly created wls_oif2 Managed Server in a cluster on OIFHOST2. See the Starting and Stopping Oracle Fusion Middleware chapter of the Oracle Fusion Middleware Administrator's Guide for information on starting and stopping WebLogic Servers.

1. In the left pane of the Oracle WebLogic Server Administration Console, expand Environment and select Clusters.

2. Click the link for the cluster (cluster_oif) containing the Managed Server (wls_oif2) you want to start.

3. Select Control.

4. Under Managed Server Instances in this Cluster, select the check box next to the Managed Server (wls_oif2) you want to start and click Start.

5. On the Cluster Life Cycle Assistant page, click Yes to confirm. WebLogic Node Manager starts the server on the target machine. When Node Manager finishes its start sequence, the server's state is shown in the State column of the Server Status table.

8.13.3.4.3 Configure Oracle HTTP Server

Oracle HTTP Server is installed on OIFHOST1 and OIFHOST2 along with the Oracle Identity Federation server. Configure Oracle HTTP Server by following these steps:

1. On OIFHOST1, edit the oif.conf file located under the INSTANCE_HOME/config/OHS/ohsName/moduleconf directory.

2. If the Identity Management installation is in standalone mode, uncomment and set the WebLogicHost and WebLogicPort variables to reference the WebLogic Server Managed Server where Oracle Identity Federation is running, for example: oifhost1.mycompany.com and 7499.

3. If the Identity Management installation is in clustered mode, uncomment and set the WebLogicCluster variable to reference the WebLogic Server Managed Servers where Oracle Identity Federation is running, for example: oifhost1.mycompany.com:7499,oifhost2.mycompany.com:7499.

4. Save and exit the oif.conf file.

5. Restart Oracle HTTP Server.

8.13.3.5 Configuring the Load Balancer

In a high availability configuration, Oracle recommends using an external load balancer to front end and load balance requests between the various Oracle Identity Federation instances. In high availability environments where the Oracle Identity Federation application is not front-ended by an Oracle HTTP Server instance, Oracle recommends enabling sticky sessions on the hardware load balancer.

8.13.3.5.1 Load Balancer Virtual Server Name Setup

Refer to Section 8.2.5.4, Configuring Virtual Server Names and Ports for the Load Balancer, for details.

8.13.3.5.2 Oracle Identity Federation Configuration

To configure the Oracle Identity Federation application to use the load balancer VIP:

1. In Oracle Enterprise Manager Fusion Middleware Control, navigate to Administration, and then Server Properties.

2. Change the host name and port to reflect the load balancer host and port.

3. In Oracle Enterprise Manager Fusion Middleware Control, navigate to Administration, and then Identity Provider.

4. Change the URL to http://LoadBalancerHost:LoadBalancerPort.

5. In Oracle Enterprise Manager Fusion Middleware Control, navigate to Administration, and then Service Provider.

6. Change the URL to http://LoadBalancerHost:LoadBalancerPort.

7. Repeat these steps for each Managed Server where Oracle Identity Federation is deployed.

8.13.3.6 Validating Oracle Identity Federation High Availability

This section describes how to validate Oracle Identity Federation in a high availability configuration.

1. In a web browser, you will be able to access the following URLs if the configuration is correct:

   http://LoadBalancerHost:LoadBalancerPort/fed/sp/metadata
   http://LoadBalancerHost:LoadBalancerPort/fed/idp/metadata

2. Follow the instructions in the Obtain Server Metadata and Add Trusted Providers sections of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation to import metadata from the SP into the IdP and the IdP metadata into the SP.

3. Go to the following URL and perform a Single Sign-On operation:

   http://SP_Host:SP_port/fed/user/testspsso
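The two sections above (pointing each provider at the load balancer VIP, then validating through the load balancer) can be checked together with the following script. It is an added example, not code from the guide or from Oracle: it fetches /fed/sp/metadata and /fed/idp/metadata through the load balancer, rejects a response that is not a SAML EntityDescriptor (an error page from the load balancer parses as HTML, not metadata), and lists every entityID, Location or ResponseLocation that still names an individual OIFHOST instead of the load balancer, which is what a partner would see if step 7 of 8.13.3.5.2 was skipped on one Managed Server. The hostnames, ports and endpoint paths in the embedded sample document are constructed placeholders, not real OIF endpoints.

```python
"""Check OIF SP/IdP metadata served through the load balancer.

Added example (not from the guide).  Assumes the metadata paths
/fed/sp/metadata and /fed/idp/metadata named in 8.13.3.6; all hostnames,
ports and endpoint paths in the sample below are constructed placeholders.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

METADATA_PATHS = ("/fed/sp/metadata", "/fed/idp/metadata")


def parse_metadata(metadata_xml):
    """Parse a SAML 2.0 metadata document; reject anything that is not an
    EntityDescriptor, e.g. an HTML error page handed back by the load balancer."""
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        raise ValueError("response is not well-formed XML: %s" % exc)
    if not (root.tag == "EntityDescriptor" or root.tag.endswith("}EntityDescriptor")):
        raise ValueError("response is not a SAML EntityDescriptor (root tag %s)" % root.tag)
    return root


def advertised_urls(root):
    """Every URL a partner learns from this metadata: the entityID (when it is a
    URL) followed by all Location / ResponseLocation attributes, in document order."""
    urls = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).scheme in ("http", "https"):
        urls.append(entity_id)
    for elem in root.iter():
        for attr in ("Location", "ResponseLocation"):
            if elem.get(attr):
                urls.append(elem.get(attr))
    return urls


def stray_endpoints(metadata_xml, lb_host, lb_port=None):
    """Return the advertised URLs whose host (and port, when lb_port is given) is
    not the load balancer.  A non-empty list means the Managed Server that
    produced this document was not reconfigured as described in 8.13.3.5.2."""
    stray = []
    for url in advertised_urls(parse_metadata(metadata_xml)):
        p = urlparse(url)
        port = p.port or (443 if p.scheme == "https" else 80)
        if p.hostname != lb_host.lower() or (lb_port is not None and port != lb_port):
            stray.append(url)
    return stray


def fetch(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def main(argv):
    """Usage: python check_oif_metadata.py http://LoadBalancerHost:LoadBalancerPort"""
    if len(argv) != 2:
        print(main.__doc__)
        return 2
    base = urlparse(argv[1])
    lb_port = base.port or (443 if base.scheme == "https" else 80)
    failed = False
    for path in METADATA_PATHS:
        url = argv[1].rstrip("/") + path
        try:
            stray = stray_endpoints(fetch(url), base.hostname, lb_port)
        except (OSError, ValueError) as exc:   # URLError/HTTPError are OSError subclasses
            print("%s: FAIL (%s)" % (url, exc))
            failed = True
            continue
        for bad in stray:
            print("%s: endpoint not behind the load balancer: %s" % (url, bad))
        failed = failed or bool(stray)
        print("%s: %s" % (url, "FAIL" if stray else "OK"))
    return 1 if failed else 0


# Constructed sample: the entityID and most endpoints use the load balancer,
# but one AssertionConsumerService still names oifhost2 directly.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://lb.mycompany.com:7777/fed/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://lb.mycompany.com:7777/fed/sp/slo"
        ResponseLocation="http://lb.mycompany.com:7777/fed/sp/sloresp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://lb.mycompany.com:7777/fed/sp/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://oifhost2.mycompany.com:7499/fed/sp/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it several times in a row: each request may be routed to a different Managed Server, so a document that passes on one run and fails on the next identifies the node on which step 7 of 8.13.3.5.2 was not applied. The port check matters as much as the host check, because an endpoint advertising the load balancer host with the Managed Server port 7499 bypasses the load balancer just as surely as one naming oifhost1 directly.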

8.13.3.7 Enabling Oracle Identity Federation Integration with Highly Available LDAP Servers

By default, Oracle Identity Federation is not configured to be integrated with LDAP servers deployed in a high availability configuration. To integrate Oracle Identity Federation with highly available LDAP servers serving as user data store, federation data store, or authentication engine, Oracle Identity Federation must be configured according to the LDAP server's function. Use the WLST script located under the ORACLE_HOME/common/bin directory. Enter the WLST script environment for Oracle Identity Federation, then set the following properties as needed:

■ To integrate the user data store with a highly available LDAP server, set the userldaphaenabled boolean property from the datastore group to true; otherwise set it to false:

  setConfigProperty('datastore', 'userldaphaenabled', 'true', 'boolean')

■ To integrate the federation data store with a highly available LDAP server, set the fedldaphaenabled boolean property from the datastore group to true; otherwise set it to false:

  setConfigProperty('datastore', 'fedldaphaenabled', 'true', 'boolean')

■ To integrate the LDAP authentication engine with a highly available LDAP server, set the ldaphaenabled boolean property from the authnengines group to true; otherwise set it to false:

  setConfigProperty('authnengines', 'ldaphaenabled', 'true', 'boolean')

8.13.4 Oracle Identity Federation Failover and Expected Behavior

This section describes steps for performing various failover operations on Oracle Identity Federation instances deployed in a high availability environment and their expected behavior. Follow the steps in this section to perform:

■ Oracle Identity Federation instance failover

■ Oracle Real Application Clusters failover

8.13.4.1 Performing an Oracle Identity Federation Failover

Note: The testspsso URL referred to in the steps below is the Test SP SSO service that is bundled with Oracle Identity Federation 11g. The testing service is enabled by default, but can be disabled by the administrator. In a production environment, the Test SP SSO service may be disabled. If the Test SP SSO service is disabled, you can use whatever service you have integrated to start the federation SSO flow from the SP.

Follow these steps to perform a test of a failover of an Oracle Identity Federation instance and to check the status of Oracle Identity Federation:

1. Set up Oracle Identity Federation to be able to perform a federation single sign-on operation.

2. Start a Single Sign-On operation from Oracle Identity Federation acting as a Service Provider. One possible way to do this is to use the http://SPhost:SPport/fed/user/testspsso URL, choosing the Artifact profile.

3. On the IdP login page, shut down wls_oif1 through the Managed Server page, then enter the username and password.

4. The Single Sign-On operation should succeed.

8.13.4.2 Performing an Oracle RAC Failover

Follow these steps to perform an Oracle RAC failover:

1. On one of the database hosts (infradbhost1-vip) where the Oracle Identity Federation schema is installed, use the srvctl command to stop a database instance:

   srvctl stop instance -d db_unique_name -i inst_name_list