Oracle AS Cluster (Identity Management) -> Active – Active

Identity Management is an infrastructure component of the Application Server in the Fusion Middleware family.

Oracle’s Identity Management Components include –
SSO – Oracle Single Sign-On Server
OID – Oracle Internet Directory
DAS – Delegated Administrative Services
DIP – Directory Integration & Provisioning Services
OCA – Oracle Certifying authority (Optional)

I am going to cover them in detail in future posts. These services and components are quite important for Apps DBAs, as IM (Identity Management) is part of Oracle Apps Release 12.

This post gives an overview and important notes on the Identity Management cluster where the IM components are in an Active-Active scenario, which means the IM components (OID, SSO, DAS) are available on both nodes for high availability.

For IM, the underlying database can be a single-instance database or a two- or multi-instance RAC database (preferably at least two nodes).

Distributed / Non Distributed IM
Distributed IM means IM components (SSO, DAS, OID) are distributed on more than one machine (SSO & DAS on one machine & OID on second machine).
Non Distributed IM means all IM components are on same machine.
You can cluster both distributed and non-distributed Identity Management.

Here are a few notes/checks which I learnt from my various implementations.

Things you should know before starting Installation
– Check if you want Distributed or Non-distributed IM Cluster
– Virtual Name of HTTP Server (Infra for SSO & OIDDAS) and protocol (http or https)
– Virtual Name of OID including ports (SSL and non-SSL, you need both; defaults are 389 and 636 respectively)
– Communication protocol requirement (HTTP or HTTPS) between
CLIENT -> Load Balancer -> HTTP Server

Things you must do before installing Oracle AS Identity Management Cluster
– Synchronize the system clocks on all servers that are part of the cluster to within 250 seconds
– Set cookie persistence at the load balancer specifically for the URI /oiddas/. If your browser doesn’t support a persistence setting at the URI level, then set it for all HTTP traffic (set the cookie to expire when the browser session expires)
– Before installing the first OID node, make sure TCP monitoring is not enabled on the load balancer on the first node
– Configure load balancer to return immediately to calling clients
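
The clock check from the list above can be scripted before the installer is started. This is an added example, not part of the original post: the node names and readings are constructed, and it assumes each reading was collected by running date +%s on the node (for example over ssh).

```shell
#!/usr/bin/env bash
# Added example: compare clock readings from the cluster nodes against the
# 250-second tolerance given in the checklist.
MAX_SKEW=250   # seconds, from the checklist

# Constructed sample, one "<node> <epoch seconds>" line per node, as you
# would gather with:  ssh <node> date +%s
# The node names are hypothetical.
SAMPLE_READINGS='im-node1 1164000000
im-node2 1164000120
im-node3 1164000310'

# check_skew: reads "<node> <epoch>" lines on stdin and prints the widest gap
# between any two nodes (latest reading minus earliest reading).
# Returns 0 if the gap is within MAX_SKEW, 1 if it is larger,
# and 2 if the input is empty or malformed.
check_skew() {
  awk -v max="$MAX_SKEW" '
    NF != 2 || $2 !~ /^[0-9]+$/ { bad = 1; exit }
    { t = $2 + 0 }
    !seen || t < lo { lo = t; lo_node = $1 }
    !seen || t > hi { hi = t; hi_node = $1 }
    { seen = 1 }
    END {
      if (bad || !seen) { print "malformed or empty input"; exit 2 }
      skew = hi - lo
      printf "%s is %d s ahead of %s (limit %d s)\n", hi_node, skew, lo_node, max
      exit ((skew > max) ? 1 : 0)
    }'
}

# Demo run on the constructed sample: im-node3 is outside the tolerance.
printf '%s\n' "$SAMPLE_READINGS" | check_skew ||
  echo "Clock skew above ${MAX_SKEW} s: fix time synchronization before installing"
```

Readings gathered one node after another include the time spent collecting them, so a result close to the limit should be re-checked after time synchronization has settled.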

Things/Tips which will be handy for AS Cluster (IM Type)
– For the first OID node installation, make sure MR is not registered with any OID, else it will fail. The installer checks this, and if it finds that MR is already registered it assumes first node and asks for the first OID node's information to make it part of the OID cluster
– Choose similar components on the other nodes of the cluster (i.e. if on the first node you have OID & DAS, then on the other cluster node also install OID & DAS)
– To access OID on any OID node in the cluster, you have to use the ias_admin password from the first installation, and not the ias_admin password used in the second, third or further installations of instances in the cluster (oiddas, orasso, oidmon)
– For IM Cluster you always select IM and not IM+MR (this is on the installation screen)
– For IM content, the database should already be loaded with the Metadata Repository using RepCA or MRCA (Repository Creation Assistant or Metadata Repository Creation Assistant)
– Installation steps for the first OID node are different from those for subsequent nodes
– For IM Cluster, never select IM+MR on the installation screen; always select IM only.
– You have to select HA (High Availability) in the installation options.

More on Identity Management Cluster Installation..
Enable Apex Applications for SSO authentication ..
Coming soon ….


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


Leave a Comment:

fhasweh says November 20, 2006

Hi Atul, you promised to give us a post about changing hostname/domain name on apps, can we have this soon?

Atul Kumar says November 20, 2006

Apologies Fadi,

I missed it completely. I will do it in post next to the one I am posting tomorrow (This one I have already prepared only final bits left so..)

You should see this by Thursday.


Anonymous says November 29, 2006


Have you ever worked with passing certificates to OID? Have HTTPS traffic to load balancer and grabbing certificate. Want to pass that certificate to OID behind the load balancer.


Atul Kumar says November 29, 2006

Do you mean storing SSL certificates in OID (LDAP Server) instead of Oracle Wallets (OWM)? If yes, you can use ldap commands or OWM to upload certificates to OID.

If you are looking for something else, could you elaborate on that?


Anonymous says December 5, 2006

Looking to have client (user) certificates stored in OID so that they map to user/password/resource. We have done that part. Challenge is to configure so that the cert is passed thru a load balancer. We can login with the cert when the load balancer is not used.

The load balancer requires the client cert and then places it in the HTML header to be passed to the SSO server. All of this traffic is encrypted so I can not get info from watching the network traffic. The Oracle DBA has put SSLVerifyClient require in the httpd.conf file. Before SSLVerifyClient require was put in the httpd.conf file, we were successfully logging in to the SSO server using userid/passwd thru the load balancer. After the variable is set to require, we get ‘page not displayed’.

Thanks for any suggestions.


Atul Kumar says December 5, 2006

If I understood your issue properly, you want users to verify their certificates (to make sure they are authentic users).

Your client user certificates are stored in OID (could you confirm if these are client certificates or server certificates?). If this is a client certificate, in which attribute are you storing the client passwd?

When you set the client to verify for SSL it's not working (is it not working via the load balancer only, or is it not working even without the load balancer?)


Anonymous says December 7, 2006


Thanks for following up.

We are storing client cert and authenticating the user with the client cert (or hope to be with this new config which includes the load balancer). Working with Oracle we have determined that we do not have to have SSLVerifyClient require set, and we can pass the traffic unencrypted behind the load balancer.

Working with a web page to display variables we have verified that the Oracle server does not have a value in the SSL_CLIENT_CERT field. The load balancer is putting the client certificate in the HTML header with that title, I can see that in the network traffic. Seems like we are missing a setting to tell Oracle to populate that field.

We have the following lines at the end of the httpd.conf file. As we understand it, once we get SSL_CLIENT_CERT populated, Oracle should be ready to use it.

SimulateHttps on

Again, I appreciate any suggestions.


Atul Kumar says December 8, 2006

I don’t have an idea on this at this minute but I’ll check on this & will get back to you in a week’s time.

Your doubt is in my to be sorted list …


joshuasingham says April 12, 2007

In the blog you said the Oracle OCA component can be installed on Oracle AS Cluster ( Identity Management )-> Active – Active, but the Oracle notes say otherwise. Can you please update me on this?

Atul Kumar says April 12, 2007

Yes, you are right, OCA is not certified on Active-Active Cluster.

Though the figure below shows OCA, a line after that says that it is not supported.

joshuasingham says May 16, 2007


Just like to know: if I want to connect my Active Directory to OID when I have 2 domain controllers, do I have to run dipassistant on both my servers if the configuration is active – active? Another thing is, will there be a single map file or multiple map files, and how can I use the plugins provided by Oracle in this scenario?


Atul Kumar says May 17, 2007

To be frank, I have not personally integrated a multi-domain AD controller, so give me this weekend and I’ll respond to you by this weekend with references, and if you don’t see my messages (for some reason), request you to ping/msg me.
