
Tuesday, May 01, 2012

Oracle Internet Directory (OID) 11g: Part IV - OID Installation

This is the final post in my series on OID11g. I'll try to follow up with a few other posts, but essentially from here on out you would be ready to go with OID11g. If you are interested in making your OID highly available using LDAP multi-master replication then stay tuned for that follow-up post.

So OID11g (11.1.1.5.0) installation actually consists of three phases, namely installation, patching and configuration. That is how I've broken up this post, which as a side effect, I think, makes it easier to follow. To provide some further clarity, some Fusion Middleware 11.1.1.5.0 components are offered as full installers, but not all. You can get the distribution details for the components on MOS, or via the documentation on OTN. Unfortunately, OID falls into the case requiring a software installation of 11.1.1.2.0, followed by patching to 11.1.1.5.0 and subsequent configuration to complete the "installation". Hopefully Oracle will move towards full installers for all products much like they've done for the database (and other products such as GoldenGate and so on).

Installation of 11.1.1.2.0

1. Edit your response file for silent installation. The items of interest are highlighted as shown below:

[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0


[GENERIC]


#Set this to true if installation and configuration need to be done, all other required variables need to be provided. Variable "INSTALL AND CONFIGURE LATER TYPE" must be set to false if this is set to true as the variables are mutually exclusive
INSTALL AND CONFIGURE TYPE=false


#Set this to true if only Software only installation need to be done. If this is set to true then variable "INSTALL AND CONFIGURE TYPE" must be set to false, since the variables are mutually exclusive.
INSTALL AND CONFIGURE LATER TYPE=true


#Write the name of the Oracle Home directory. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character.
ORACLE_HOME=/oracle/app/fmw/Oracle_IDM1


#Write the complete path to a valid Middleware Home.
AS_HOME_LOCATION=/oracle/app/fmw


#Provide the My Oracle Support Username. If you wish to ignore Oracle Configuration Manager configuration provide empty string for user name.
MYORACLESUPPORT_USERNAME=


#Provide the My Oracle Support Password
MYORACLESUPPORT_PASSWORD=


#Set this to true if you wish to decline the security updates. Setting this to true and providing empty string for My Oracle Support username will ignore the Oracle Configuration Manager configuration
DECLINE_SECURITY_UPDATES=true


#Set this to true if My Oracle Support Password is specified
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false


#Provide the Proxy Host
PROXY_HOST=


#Provide the Proxy Port
PROXY_PORT=


#Provide the Proxy Username
PROXY_USER=


#Provide the Proxy Password
PROXY_PWD=


[SYSTEM]


[APPLICATIONS]

[RELATIONSHIPS]

 
2. Run the installation using OUI for OID 11.1.1.2.0, as the oracle user:

./runInstaller -silent -response /oracle/stage/rsp/oid11g-inst.rsp

Below is a sample execution run:

Starting Oracle Universal Installer...


Checking Temp space: must be greater than 80 MB. Actual 18983 MB Passed
Checking swap space: must be greater than 500 MB. Actual 7724 MB Passed
Preparing to launch Oracle Universal Installer from /tmp/OraInstall2012-01-24_04-05-56PM. Please wait ...[oracle@orads02 Disk1]$ Log: /u01/app/oraInventory/logs/install2012-01-24_04-05-56PM.log
Copyright (c) 1982, 2009, Oracle and/or its affiliates. All rights reserved.
Reading response file..
Expected result: One of enterprise-5.4,enterprise-4,enterprise-5,redhat-5.4,redhat-4,redhat-5,SuSE-10
Actual Result: redhat-5
Check complete. The overall result of this check is: Passed

CertifiedVersions Check: Success.
Checking for binutils-2.17.50.0.6; found binutils-2.17.50.0.6-14.el5-x86_64. Passed
Checking for compat-libstdc++-33-3.2.3-x86_64; found compat-libstdc++-33-3.2.3-61-x86_64. Passed
Checking for compat-libstdc++-33-3.2.3-i386; found compat-libstdc++-33-3.2.3-61-i386. Passed
Checking for elfutils-libelf-0.125; found elfutils-libelf-0.137-3.el5-i386. Passed
Checking for elfutils-libelf-devel-0.125; found elfutils-libelf-devel-0.137-3.el5-x86_64. Passed
Checking for gcc-4.1.1; found gcc-4.1.2-50.el5-x86_64. Passed
Checking for gcc-c++-4.1.1; found gcc-c++-4.1.2-50.el5-x86_64. Passed
Checking for glibc-2.5-12-x86_64; found glibc-2.5-58.el5_6.3-x86_64. Passed
Checking for glibc-2.5-12-i686; found glibc-2.5-58.el5_6.3-i686. Passed
Checking for glibc-common-2.5; found glibc-common-2.5-58.el5_6.3-x86_64. Passed
Checking for glibc-devel-2.5-x86_64; found glibc-devel-2.5-58.el5_6.3-x86_64. Passed
Checking for glibc-devel-2.5-12-i386; found glibc-devel-2.5-58.el5_6.3-i386. Passed
Checking for libaio-0.3.106-x86_64; found libaio-0.3.106-5-x86_64. Passed
Checking for libaio-0.3.106-i386; found libaio-0.3.106-5-i386. Passed
Checking for libaio-devel-0.3.106; found libaio-devel-0.3.106-5-i386. Passed
Checking for libgcc-4.1.1-x86_64; found libgcc-4.1.2-50.el5-x86_64. Passed
Checking for libgcc-4.1.1-i386; found libgcc-4.1.2-50.el5-i386. Passed
Checking for libstdc++-4.1.1-x86_64; found libstdc++-4.1.2-50.el5-x86_64. Passed
Checking for libstdc++-4.1.1-i386; found libstdc++-4.1.2-50.el5-i386. Passed
Checking for libstdc++-devel-4.1.1; found libstdc++-devel-4.1.2-50.el5-x86_64. Passed
Checking for make-3.81; found make-1:3.81-3.el5-x86_64. Passed
Checking for sysstat-7.0.0; found sysstat-7.0.2-3.el5_5.1-x86_64. Passed

Check complete. The overall result of this check is: Passed
Packages Check: Success.
Checking for VERSION=2.6.18; found VERSION=2.6.18-238.12.1.el5. Passed
Checking for hardnofiles=4096; found hardnofiles=131072. Passed
Checking for softnofiles=4096; found softnofiles=131072. Passed
Check complete. The overall result of this check is: Passed
Kernel Check: Success.
Expected result: ATLEAST=2.5-12
Actual Result: 2.5-58.el5_6.3
Check complete. The overall result of this check is: Passed
GLIBC Check: Success.
Expected result: 1024MB
Actual Result: 3948MB
Check complete. The overall result of this check is: Passed
TotalMemory Check: Success.
Expected result: LD_ASSUME_KERNEL environment variable should not be set in the environment.
Actual Result: Variable Not set.
Check complete. The overall result of this check is: Passed
Check Env Variable Check: Success.
Verifying data......
Copying Files...
-----------20%----------40%----------60%----------80%--------100%


Applying Oneoff Patch...
The installation of Oracle AS Common Toplevel Component, Oracle Identity Management 11g completed successfully.

Patching 11.1.1.2.0 to 11.1.1.5.0

1. Edit your response file for silent patching. It's not much different from the installation; the items of interest are highlighted as shown below:


[ENGINE]



#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0


[GENERIC]


#Provide the Oracle Home location. The location has to be the immediate child under the specified Middleware Home location. The Oracle Home directory name may only contain alphanumeric , hyphen (-) , dot (.) and underscore (_) characters, and it must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. The location has to be an empty directory or a valid IDM Oracle Home.
ORACLE_HOME=/oracle/app/fmw/Oracle_IDM1


#Provide existing Middleware Home location.
MIDDLEWARE_HOME=/oracle/app/fmw


#Provide the My Oracle Support Username. If you wish to ignore Oracle Configuration Manager configuration provide empty string for user name.
MYORACLESUPPORT_USERNAME=


#Provide the My Oracle Support Password
MYORACLESUPPORT_PASSWORD=


#Set this to true if you wish to decline the security updates. Setting this to true and providing empty string for My Oracle Support username will ignore the Oracle Configuration Manager configuration
DECLINE_SECURITY_UPDATES=true


#Set this to true if My Oracle Support Password is specified
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false


#Provide the Proxy Host
PROXY_HOST=


#Provide the Proxy Port
PROXY_PORT=


#Provide the Proxy Username
PROXY_USER=


#Provide the Proxy Password
PROXY_PWD=


#Type String (URL format) Indicates the OCM Repeater URL which should be of the format [scheme[Http/Https]]://[repeater host]:[repeater port]
COLLECTOR_SUPPORTHUB_URL=


#
CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0


[SYSTEM]


[APPLICATIONS]


[RELATIONSHIPS]


2. Run the patch application using OUI for OID 11.1.1.5.0, as the oracle user:


./runInstaller -silent -response /oracle/stage/rsp/oid11g-patch.rsp

Below is a sample execution run:

Starting Oracle Universal Installer...



Checking Temp space: must be greater than 80 MB. Actual 18983 MB Passed
Checking swap space: must be greater than 512 MB. Actual 7406 MB Passed
Preparing to launch Oracle Universal Installer from /tmp/OraInstall2012-01-24_04-27-11PM. Please wait ...[oracle@orads02 Disk1]$ Log: /u01/app/oraInventory/logs/install2012-01-24_04-27-11PM.log
Copyright (c) 1982, 2011, Oracle and/or its affiliates. All rights reserved.
Reading response file..
Verifying data......
Copying Files...
-----------20%----------40%----------60%----------80%--------100%


Applying Oneoff Patch...
The installation of Oracle AS Common Toplevel Component on Oracle AS Common Toplevel Component home ,Oracle Identity Management 11g Patchset on Oracle Identity Management 11g home completed successfully.
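
A pre-flight check for the two response files shown above, as an added example (not part of the original post or of Oracle's tooling): it enforces the rules stated in the files' own comments and flags any password left in the file. The function names are hypothetical, and applying the patch file's immediate-child and 128-character rules to the installation file as well is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight lint for the OUI
# silent response files above, based on the rules stated in their comments.

# rsp_get FILE KEY: print the value of a "KEY=value" line (keys may contain spaces).
rsp_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# lint_rsp FILE: print one line per finding; exit status is the finding count.
lint_rsp() {
    f=$1
    n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }

    # The install-type keys appear only in the installation file.
    now=$(rsp_get "$f" "INSTALL AND CONFIGURE TYPE")
    later=$(rsp_get "$f" "INSTALL AND CONFIGURE LATER TYPE")
    if [ -n "$now$later" ] && [ "$now" = "$later" ]; then
        fail "install types are mutually exclusive, both are '$now'"
    fi

    # Middleware Home key: AS_HOME_LOCATION (install) or MIDDLEWARE_HOME (patch).
    home=$(rsp_get "$f" ORACLE_HOME)
    mw=$(rsp_get "$f" AS_HOME_LOCATION)
    [ -n "$mw" ] || mw=$(rsp_get "$f" MIDDLEWARE_HOME)
    name=${home##*/}
    [ "${home%/*}" = "$mw" ] || fail "ORACLE_HOME is not directly under '$mw'"
    case $name in
        "" | [!A-Za-z0-9]* | *[!A-Za-z0-9._-]*)
            fail "invalid Oracle Home name '$name'" ;;
    esac
    [ "${#home}" -le 128 ] || fail "ORACLE_HOME is longer than 128 characters"

    # A password left in a staged response file is cleartext on disk.
    for k in MYORACLESUPPORT_PASSWORD PROXY_PWD; do
        [ -z "$(rsp_get "$f" "$k")" ] || fail "$k holds a cleartext password"
    done
    return "$n"
}

# Constructed sample input: three deliberate mistakes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[GENERIC]
INSTALL AND CONFIGURE TYPE=true
INSTALL AND CONFIGURE LATER TYPE=true
ORACLE_HOME=/oracle/app/other/Oracle_IDM1
AS_HOME_LOCATION=/oracle/app/fmw
PROXY_PWD=constructed-example
EOF
lint_rsp "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the staged `.rsp` file before `./runInstaller -silent`; an exit status of 0 means no findings.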

 

Configuring OID with ODIP, ODSM and Fusion Middleware Control in a new WebLogic Domain

At this point you now need to configure your installation of OID11g. I went with the option of configuring OID with ODIP, ODSM and Fusion Middleware Control in a new WebLogic Domain. I wanted ODIP as an option to connect and synchronize to AD, ODSM and Fusion Middleware Control (FMC) for the GUI management and monitoring, and a new WebLogic Domain (for ODSM and FMC) since I don't have one that I would like to use currently. Please check the documentation for configuration using other options.

The steps to conduct the configuration are below. Note that I've not had any success doing a silent command line installation and as such the GUI method is what is shown. I suspect this is the only option thus far unless I am missing something (not unlikely) though I have attempted many options.

1. Start the configuration as the oracle user by running '$ORACLE_HOME/bin/config.sh':

oid_inst-01

Click 'Next' to continue to the next screen...

2. Enter the credentials for the new domain's user, along with the domain name. Click on 'Next' to continue.

oid_inst-02

3. Confirm and/or correct the locations for the WebLogic Server and Oracle Instance directories as well as specify an Oracle Instance Name. When completed click 'Next' to continue.

oid_inst-03

4. The next screen concerns the usual security notifications. I do not care for security updates so I simply continued.

oid_inst-04

5. Select Oracle Internet Directory and Oracle Directory Integration Platform. The Oracle Directory Services Manager and Fusion Middleware Control management components are automatically selected for this installation. Ensure no other components are selected and click 'Next' when completed to continue.

oid_inst-05

6. Select Auto Port Configuration to allow the installer to configure ports from a predetermined range. Click 'Next' when completed to continue.

oid_inst-06

7. We already used RCU to create and configure the OID schema so here we just need to select 'Use Existing Schema', enter the connection details to the repository database in the form '::' and enter the ODS schema password. Click 'Next' when completed to continue.

oid_inst-07

8. Next up is the OID information, i.e. the realm and administrator ('orcladmin') credentials. Click 'Next' to continue to the installation summary when completed.

oid_inst-08

9. Following the installation summary you will see the configuration progress screen.

oid_inst-09

oid_inst-09b

10. If all goes well you will see the Installation Completion screen

oid_inst-10


Installation Verification

To verify a successful installation you should run the following commands:

1. Execute '$ORACLE_INSTANCE/bin/opmnctl status -l'


Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
oid1                             | oidldapd           |    8245 | Alive    | 1068702846 |   375296 |  67:57:58 | N/A
oid1                             | oidldapd           |    8229 | Alive    | 1068702845 |    95868 |  67:57:58 | N/A
oid1                             | oidmon             |    8214 | Alive    | 1068702844 |    83744 |  67:57:58 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |    7402 | Alive    | 1068702843 |    63908 |  68:01:31 | N/A



2. Execute the '$ORACLE_HOME/bin/ldapbind' command on the Oracle Internet Directory for non-SSL and SSL ports. Note that ORACLE_HOME must be set correctly (i.e. not the DB_HOME).

On Non-SSL ports:

$ORACLE_HOME/bin/ldapbind -h <host> -p <port> -D cn=orcladmin -w <password>

On SSL ports:

$ORACLE_HOME/bin/ldapbind -h <host> -p <ssl_port> -D cn=orcladmin -w <password> -U 1


Enabling WebLogic Startup


Every time an administrator runs the WebLogic startup script, they are prompted for a username and password. If the administrator wants to configure WebLogic to start at boot or reboot, the username and password need to be recognized automatically. To enable WLS startup without password prompting, create the files $DOMAIN_HOME/servers/AdminServer/security/boot.properties and $DOMAIN_HOME/servers/wls_ods1/security/boot.properties with the entries:

username=weblogic
password=wlsP#ssw0rd

After the initial startup, the password will be encrypted.
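
One way to create these files without putting the password on a command line, added here as an example rather than taken from the original post: the password is read from standard input, the file is created owner-only, and a second function checks for the `{AES}` or `{3DES}` prefix that WebLogic puts on encrypted values. The function names and the throwaway demo directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# write_boot_props DOMAIN_HOME SERVER USER
# Reads the password from stdin so it never shows up in argv or shell history,
# and creates the file readable by its owner only.
write_boot_props() {
    dir="$1/servers/$2/security"
    IFS= read -r pw || [ -n "$pw" ] || return 1
    old_umask=$(umask)
    umask 077
    mkdir -p "$dir" &&
        printf 'username=%s\npassword=%s\n' "$3" "$pw" > "$dir/boot.properties" &&
        chmod 600 "$dir/boot.properties"   # also tightens a pre-existing file
    rc=$?
    umask "$old_umask"
    unset pw
    return "$rc"
}

# owner_only FILE: succeeds if group and other have no permissions at all.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# boot_props_encrypted FILE: succeeds once both values carry the prefix that
# WebLogic writes when it encrypts the file at first startup.
boot_props_encrypted() {
    for key in username password; do
        grep -Eq "^$key=\{(AES(256)?|3DES)\}" "$1" || return 1
    done
}

# Demo on a constructed, throwaway domain directory.
demo=$(mktemp -d)
for srv in AdminServer wls_ods1; do
    printf '%s\n' 'constructed-password' | write_boot_props "$demo" "$srv" weblogic
    f="$demo/servers/$srv/security/boot.properties"
    owner_only "$f" || echo "WARN: $f is readable by group or other"
    boot_props_encrypted "$f" || echo "$srv: cleartext until the first startup"
done
rm -rf "$demo"
```

Running `boot_props_encrypted` against both files after the first startup confirms that no cleartext password was left behind.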


Summary

So now you have your first OID instance up and functional. All that is left is some configuration and tuning after some period of being operational. I will end the series on OID11g here but will try to follow up with some further entries on setting up LDAP multi-master replication (MMR), backup/recovery and migration from 10g. I would like to point out that you should enable anonymous binds, which are disabled by default. Otherwise, you will receive the following error when attempting to use DBCA to add your database to OID:

"Configuration exception: Could not check for the Oracle Schema:
oracle.net.config.ConfigException: TNS-04409: Directory Service Error"

Anonymous binds can be enabled in two ways:

Using OEM11g Fusion Middleware Control
a. Navigate to 'Identity and Access' -> oid1
b. Click on 'Oracle Internet Directory' and select 'Administration' -> 'Server Properties'
c. Switch 'Anonymous Bind' from 'Disallow except for Read Access on the root DSE' to 'Allows'
d. Click 'Apply'

Using Command-line
ldapmodify -D cn=orcladmin -q -p 3060 -h orads01.na.ds.g240.lab -f [ldifFile]

LDIF File:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclAnonymousBindsFlag
orclAnonymousBindsFlag: 1

Monday, February 13, 2012

Oracle Internet Directory (OID) 11g: Part I - Which License?

Well, it has been quite some time since I last posted but I've been kept busy doing a lot of different things at work and of course family life. One such thing that has kept me occupied at work is getting up to speed on Oracle Internet Directory (OID) 11g. My previous experiences with OID were to do with merely using it much like most other people. Yes, I knew how it worked at the high level and of course what it was for, but not the internals such as how to do an installation, configuration, migrations, upgrades, patching, maintenance, backup/recovery, and other fine grained details. To be honest I still don't know a LOT of this stuff as the more I get to know OID the more I realize how much I did not know about directories and their internals and how much I appreciate the need for a separate Identity Management (IDM) Administrator. There is simply a lot to know and do, much like a normal DBA.

Anyways, the point of this series of blogs is to try and help others by exposing a lot of the simple things which I now know. Things such as installation and requirements, backup/recovery, configuration, a few notes on designs and usage, and some license assistance. By far the trickiest thing for me was the licensing which is the focus of this first blog.

How do I get OID?
At first glance this might seem like a simple topic and is exactly what I thought. However, OID is bundled, and can be purchased as well, with a variety of software suites such as Internet Application Server or iAS, Identity Manager, and Directory Services Plus as examples. You will need to purchase the correct suite, which depends on your actual need or usage, otherwise you may end up buying software and licenses you don't need and spend excessive capital funds as the cost depends on the suite and can be quite a large difference. Case in point:
  • Directory Services Plus: $50,000 per processor (+$11,000 for maintenance)
  • Internet Application Server (EE): $35,000 per processor (+$7,700 for maintenance)
  • Internet Application Server (SEO): $11,500 per processor (+$2,530 for maintenance)
  • Internet Application Server (SE): $5,800 per processor (+$1,276 for maintenance)
This listing does not include the other suites in which you can obtain OID, they are just examples as to the varying prices (and options). Of course, each suite also has different pieces, and restricted use licenses for varying included components. The latest pricing information can be obtained here, with FMW11g license information here. I know what some may be thinking that this is just Fusion Middleware. Yes, but Fusion Middleware is the broad software suite name, out of which you purchase individual application suites (such as those I've mentioned). Going through the various options and such is too much for a simple blog posting so I'll just say my current employer licensed OID via iAS as at the time that was the best option. Now it seems the best option, based on our current and future usage, is Directory Services Plus. This means new licenses, or does it?

OID for free!
Apparently, and I say this because regardless of going through 2 months of discussions via email and phone with Oracle sales representatives and product specialists I'm still a little confused, if you are only using OID for Directory Naming, then there is no license to be purchased. Below are the key statements taken from the "Oracle Database License Information 11g Release 2 (11.2)" manual which brought about this conclusion:

"The following restricted-use licenses are included with Oracle Database 11g in the editions indicated:

• A restricted-use license for Oracle Internet Directory (OID) is included with all editions (except for Oracle Database Express Edition) if users use the Directory Naming feature to configure Oracle Net Services. OID may not be used or deployed for other uses. Please contact your Oracle sales representative for additional information on Oracle Internet Directory (OID)."

A colleague of mine was of the opinion this meant either you can license the Oracle DB EE as the repository and use the OID mid-tier piece without cost based on this statement, or license the OID mid-tier and not the repository database (since OID also comes with a restricted use license for using the Oracle database). I thought (or more hoped) this meant a license similar to OEM where the OID mid-tier does not need a license (and neither does its restricted use database repository) so long as each remote client database is only using it for Directory Naming. Turns out Oracle was of the same thinking as myself. But the problem is the license seems like such an interpretation. In any case, until we expand usage from Directory Naming into identity management we can save on some capital expenditure (CAPEX) for this financial year.

Conclusion
OID is bundled with many different software suites which all fall under the Fusion Middleware umbrella. Choosing the correct suite is important in getting the best deal, but if you only need the Directory Naming functionality it is already included in your database license purchase (so there is no cost). I would strongly recommend you check this out with your own Oracle sales representatives and if you are given a different response please do let me know! It has been my experience that licenses are different based on who you ask within Oracle and what type of relationship you have with Oracle (i.e. how big or important of a customer you are). You may disagree with this statement but that has been my experience.

In my next piece I will explore the requirements and installation of some required components for OID11g.