Fusion Applications bare metal provisioning series Part III: Provisioning Identity and Access Management

This is my favourite part of the process: what used to be the hardest stage has become the easiest. In earlier releases the manual setup of the Identity and Access Management components was a huge struggle and the most important stage of Fusion Applications provisioning. With release 11.1.7 Oracle's developers have automated that whole burden. Frankly, when doing it all by hand it was very easy to misread parts of the documentation, make a mistake in a crucial setup step and only find out through unexpected errors later, during Fusion Applications provisioning. That is all gone now: the result is a fully working and integrated Identity and Access Management environment that is ready for Fusion Applications.

Oracle has introduced a new automation tool for this, Oracle Identity Management Lifecycle Tools (idmlcm), so before we can provision Identity and Access Management we need to install the tool itself. As usual, we locate the installer in our staging area. Note that the server we are working on this time is the IdM application server, and it must already be prepared for Oracle software installation (the same OS prerequisites as for any other Oracle product host):

[oracle@faidm]$ mkdir -p /u01/provisioning/tools
[oracle@faidm]$ cd /fusion_media/installers/idmlcm/idmlcm/Disk1
[oracle@faidm]$ export DISPLAY=:01
[oracle@faidm]$ ./runInstaller -jreLoc /fusion_media/jdk6

You should see the installer; follow the steps shown in the screenshots below.

[Installer screenshots omitted]

Once the installation is complete, we can use the tool to create a response file for Identity and Access Management provisioning.

[oracle@faidm]$ cd /u01/provisioning/tools/idmlcm/provisioning/bin
[oracle@faidm]$ export JAVA_HOME=/fusion_media/jdk6
[oracle@faidm]$ ./idmProvisioningWizard.sh

[Provisioning wizard screenshots omitted]

Please note that in the current version of Fusion Applications the wizard does not let you deselect optional Identity and Access Management components (such as Oracle Virtual Directory or Oracle Identity Federation): everything is installed, configured and started. Components you do not intend to use are therefore still listening on their ports, so keep them in scope for patching and hardening.

[Provisioning wizard screenshots omitted]

We are using a Single Host topology, as mentioned at the beginning of the series. However, do not use it in a real production scenario: the Identity and Access Management components are vital for Fusion Applications (every user login and single sign-on depends on them), so they need to be highly available.

[Provisioning wizard screenshots omitted]

The common IDM password is used everywhere across the IdM configuration: for example, for the weblogic, oamadmin and xelsysadm users. Because a single secret then unlocks every administrative account in the stack, treat it as a bootstrap password: choose a strong value, and plan to rotate the individual account passwords (following Oracle's documented procedure, since several of them are also stored in the domain credential stores) once provisioning and the post-configuration steps are complete.

[Provisioning wizard screenshots omitted]

Continue with the default port numbers (or change them if required) for the other IdM components until you reach the Database configuration page, then supply the details of the database we created in the previous post.

[Provisioning wizard screenshot omitted]

Our provisioning plan (the response file) is now ready. However, a few user names in it should be changed so that they match the names used in previous versions (otherwise there might be some confusion later). The substitutions are global, so check the file afterwards to make sure only the intended values changed:

[oracle@faidm]$ cd /u01/provisioning/tools/idmlcm
[oracle@faidm]$ sed -i 's/oamAdminUser/oamadmin/g' provisioning.rsp
[oracle@faidm]$ sed -i 's/oamSoftwareUser/oamLDAP/g' provisioning.rsp
[oracle@faidm]$ sed -i 's/oimAdminUser/oimLDAP/g' provisioning.rsp
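The same renaming done with a backup, a visible diff and a verification pass, instead of a bare in-place sed. This is an added example, not code from the original post or from idmlcm. It assumes the old and new names are plain strings (no regex metacharacters); the sample response file it builds is constructed for the example and its property keys are invented, only the values follow the wizard's defaults.

```shell
#!/bin/sh
# Added example (not from the original post or from idmlcm): rename the wizard's
# default IdM user names in a response file safely. Assumptions: old/new names
# are plain strings; the sample file below is constructed and its keys invented.

# The three user names the 11.1.7 wizard generates by default; none of them
# should survive in a response file that has been renamed.
IDM_DEFAULT_USERS='oamAdminUser|oamSoftwareUser|oimAdminUser'

# rename_rsp_values <file> old=new [old=new ...]
# Backs up <file> to <file>.orig, rewrites <file>, prints the diff, and returns
# 1 if the file is missing or any default wizard user name is still present.
rename_rsp_values() {
    f=$1; shift
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.orig"            # keep the wizard's output for reference

    script=''
    for pair in "$@"; do
        old=${pair%%=*}; new=${pair#*=}
        script="$script -e s/$old/$new/g"
    done
    # POSIX sed has no -i: read the backup, write the target in place.
    sed $script "$f.orig" > "$f"

    diff "$f.orig" "$f" || true     # show exactly what changed (diff exits 1 on differences)

    # Verify: no default wizard user name may remain anywhere in the file.
    if grep -E "$IDM_DEFAULT_USERS" "$f" >/dev/null; then
        echo "default user names still present in $f:" >&2
        grep -nE "$IDM_DEFAULT_USERS" "$f" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the style of the wizard's provisioning.rsp (keys assumed).
make_sample_rsp() {
    cat > "$1" <<'EOF'
# idmlcm provisioning response file (constructed sample)
OAM_ADMIN_USER=oamAdminUser
OAM_SOFTWARE_USER=oamSoftwareUser
OIM_ADMIN_USER=oimAdminUser
WEBLOGIC_ADMIN_USER=weblogic
EOF
}

# Usage, equivalent to the three sed commands in the post:
#   rename_rsp_values provisioning.rsp oamAdminUser=oamadmin \
#       oamSoftwareUser=oamLDAP oimAdminUser=oimLDAP
```

If only some of the three names are passed, the function rewrites the file but still returns 1 and lists the lines where a default name survived, so a partial rename does not slip through into the provisioning run.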

Once this is done, proceed with IdM provisioning as follows:

[oracle@faidm]$ export ANT_HOME=/fusion_media/installers/apache-ant-1.9.2
[oracle@faidm]$ export JAVA_HOME=/fusion_media/jdk6
[oracle@faidm]$ export IDMLCM_HOME=/u01/provisioning/tools/idmlcm
[oracle@faidm]$ cd $IDMLCM_HOME/provisioning/bin

Note: Apache Ant is required to run the provisioning, but I did not find it in the installation staging area by default. You can download it from http://ant.apache.org/bindownload.cgi and place it there manually. Since this build tool will run as the oracle user across the whole installation, verify the checksum or PGP signature published next to the archive before unpacking it.

There are eight stages to provisioning. These stages are:
1. preverify – This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured.
2. install – This installs all of the software required by the installation.
3. preconfigure – This does the following:

  • Creates OID and seeds it with Users/Groups.
  • Creates OVD
  • Configures ODSM
  • Creates the WebLogic Domain
  • Creates OHS instance

4. configure – This does the following:

  • Associates the Policy Store to OID
  • Starts managed servers as necessary
  • Associates OAM with OID
  • Configure OIM

5. configure-secondary – This does the following:

  • Integrates Weblogic Domain with Webtier
  • Register webtier with domain
  • Integrate OAM and OIM

6. postconfigure – This does the following:

  • Register OID with Weblogic Domain
  • SSL Enable OID and OVD
  • Tune OID
  • Run OIM Reconciliation
  • Configure UMS Mail Server
  • Generate OAM Keystore
  • Configure OIF
  • Configure Webgates

7. startup – This starts up all components in the topology
8. validate – This performs a number of checks on the built topology to ensure that everything is working as it should be.

The Oracle documentation suggests applying patch 16708003 after the install phase is completed; however, I found that there is no error even if the patch is not applied. So if you face any issue during IdM provisioning, you can apply the patch and see if it helps. In my case it was all successful without it. Each of the phases can be run from the command line as below:

[oracle@faidm]$ ./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target preverify
2013-11-05 16:46:42.068 TRACE
Total time: 46 seconds

Successfully finished preverify.
Proceed with install.

As you can see, the tool also tells you which stage to run next, so it is really easy to follow. The output of all the remaining stages is given below; it gives an overall idea of how much time each phase requires.
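Running the eight targets by hand means watching each one finish before typing the next. The following driver is an added example (not part of the original post and not shipped with idmlcm): it runs the stages in the documented order, times each one, stops at the first failure and can be resumed from the failed stage. It assumes a command in RUNNER that accepts "-target <name>", which in real use is runIDMProvisioning.sh with its -responseFile argument; the default below builds that from IDMLCM_HOME, and the stage names are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the original post or from idmlcm): fail-fast,
# resumable driver for the eight IdM provisioning targets.
# Assumption: $RUNNER accepts "-target <name>" and exits non-zero on failure.
: "${RUNNER:=./runIDMProvisioning.sh -responseFile ${IDMLCM_HOME:-/u01/provisioning/tools/idmlcm}/provisioning.rsp}"

# The documented order; each target assumes the previous ones completed.
IDM_TARGETS="preverify install preconfigure configure configure-secondary postconfigure startup validate"

# idm_targets_from <start>  -> prints <start> and every later target, one per line.
# Returns 1 when <start> is not a known target name.
idm_targets_from() {
    start=$1; seen=0
    for t in $IDM_TARGETS; do
        [ "$t" = "$start" ] && seen=1
        [ $seen -eq 1 ] && echo "$t"
    done
    [ $seen -eq 1 ]
}

# run_idm_stages <start> <logfile>
# Runs "$RUNNER -target <t>" for each target from <start> onwards. Appends
# "<target> ok <seconds>s" or "<target> FAILED rc=<n>" to <logfile>, stops at
# the first failure and returns that target's exit status (2 for a bad <start>).
run_idm_stages() {
    start=$1; log=$2
    targets=$(idm_targets_from "$start") || { echo "unknown stage: $start" >&2; return 2; }
    for t in $targets; do
        t0=$(date +%s)
        if $RUNNER -target "$t"; then
            echo "$t ok $(( $(date +%s) - t0 ))s" >> "$log"
        else
            rc=$?
            echo "$t FAILED rc=$rc" >> "$log"
            echo "stage $t failed (rc=$rc); fix the cause, then rerun from $t" >&2
            return $rc
        fi
    done
}

# Usage on the IdM host (after exporting ANT_HOME, JAVA_HOME and IDMLCM_HOME):
#   cd "$IDMLCM_HOME/provisioning/bin"
#   run_idm_stages preverify "$IDMLCM_HOME/provisioning/stages.log"
# and, after fixing whatever broke the configure stage:
#   run_idm_stages configure "$IDMLCM_HOME/provisioning/stages.log"
```

Resuming from an earlier stage than the one that failed is deliberately left to the operator: the tool's own "Proceed with ..." message is the authority on what to run next, and rerunning install or preconfigure on a half-built domain is not something to automate blindly.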

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target install

2013-11-05 20:11:32.708 NOTIFICATION [echoNested] Completed the install of Identity Management Suite

2013-11-05 20:11:32.767 NOTIFICATION [logTimeSpan] Total time: 3 hour(s) 20 minute(s) 27 second(s)

2013-11-05 20:11:32.776 TRACE
Total time: 200 minutes 42 seconds

Successfully finished install.
Proceed with preconfigure.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target preconfigure

2013-11-06 07:58:02.134 NOTIFICATION [echoNested] Completed the preconfigure of Identity Management Suite

2013-11-06 07:58:02.197 NOTIFICATION [logTimeSpan] Total time: 52 minute(s) 16 second(s)

2013-11-06 07:58:02.209 TRACE
Total time: 52 minutes 28 seconds

Successfully finished preconfigure.
Proceed with configure.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target configure

2013-11-06 09:32:49.086 NOTIFICATION [echoNested] Completed the configure of Identity Management Suite

2013-11-06 09:32:49.142 NOTIFICATION [logTimeSpan] Total time: 34 minute(s) 7 second(s)

2013-11-06 09:32:49.155 TRACE
Total time: 34 minutes 19 seconds

Successfully finished configure.
Proceed with configure-secondary.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target configure-secondary

2013-11-06 09:46:59.796 NOTIFICATION [echoNested] Completed the configure-secondary of Identity Management Suite

2013-11-06 09:46:59.848 NOTIFICATION [logTimeSpan] Total time: 6 minute(s) 48 second(s)

2013-11-06 09:46:59.860 TRACE
Total time: 7 minutes 0 seconds

Successfully finished configure-secondary.
Proceed with postconfigure.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target postconfigure

2013-11-06 10:33:49.028 NOTIFICATION [echoNested] Completed the postconfigure of Identity Management Suite

2013-11-06 10:33:49.091 NOTIFICATION [logTimeSpan] Total time: 41 minute(s) 1 second(s)

2013-11-06 10:33:49.102 TRACE
Total time: 41 minutes 13 seconds

Successfully finished postconfigure.
Proceed with startup.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target startup

2013-11-06 11:17:09.174 NOTIFICATION [echoNested] Completed the startup of Identity Management Suite

2013-11-06 11:17:09.228 NOTIFICATION [logTimeSpan] Total time: 30 minute(s) 34 second(s)

2013-11-06 11:17:09.241 TRACE
Total time: 30 minutes 47 seconds

Successfully finished startup.
Proceed with validate.

./runIDMProvisioning.sh -responseFile $IDMLCM_HOME/provisioning.rsp -target validate

2013-11-06 11:23:31.287 NOTIFICATION [echoNested] Completed the validation of Identity Management Suite

2013-11-06 11:23:31.310 NOTIFICATION [logTimeSpan] Total time: 2 minute(s) 24 second(s)

2013-11-06 11:23:31.318 TRACE
Total time: 2 minutes 37 seconds

Successfully finished validate.

IdM provisioning is now finished. Another great enhancement in 11.1.7 is that Oracle provides out-of-the-box scripts for starting and stopping all the IdM components. Depending on your directory structure these are located under $ORACLE_BASE/config/scripts; in my case they are here:

[oracle@faidm]$ cd /u01/app/oracle/config/scripts/
[oracle@faidm]$ ls -l st*
-rwxr-xr-x 1 oracle oinstall 2282 Nov 5 17:49 startall.sh
-rwxr-xr-x 1 oracle oinstall 2257 Nov 5 17:49 stopall.sh

This means you don't have to work out how to start the components (including the node manager, AdminServer and so on) in the right order, or write custom scripts for that purpose. I have tested both scripts and they work perfectly fine. There are a couple of post-configuration steps still required for IdM, but I will cover those in the next blog post.


5 thoughts on “Fusion Applications bare metal provisioning series Part III: Provisioning Identity and Access Management”

  1. Does your blog have a contact page? I’m having a tough time locating it but I’d like to
    shoot you an e-mail. I’ve got some creative ideas for your blog you might be interested in hearing.
    Either way, great website and I look forward to seeing it grow over time.

  2. Hmm, it seems like your site ate my first comment (it was super long) so I guess I’ll just sum
    up what I submitted and say, I’m thoroughly enjoying your blog.

    I too am an aspiring blog writer but I’m still new to the whole thing. Do you have any helpful hints
    for inexperienced blog writers? I’d really appreciate it.
