OAM 11g / OIM 11g High Availability (Active / Active) Architecture Documentation

 


If you are planning to deploy Oracle Access Manager (OAM) 11g and Oracle Identity Manager (OIM) 11g in High Availability (Active – Active Cluster), you can follow Oracle’s Enterprise Deployment Guide for Identity Management here and the High Availability Guide for Oracle Fusion Middleware here.

Confused or have any doubts? Leave a comment and I’ll try to answer!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: Specialising in Design, Implementation, and Training.

57 comments
fthomas says December 28, 2010

Dear Atul,

Thank you very much for the diagram and the links.

I’m very interested in 2 deployments (OAM 11g only, and OAM 11g together with OIM 11g, see topologies 1 and 3) that show Oracle Access Manager using Oracle Internet Directory (or Oracle Virtual Directory) as the only LDAP repository for policy and configuration data (see also http://download.oracle.com/docs/cd/E14571_01/core.1111/e12035/oam_11g.htm#BHCHCEEA).

I thought that this deployment was used by OAM 10g where configurations are stored in LDAP servers, but NOT with OAM 11g where configurations are stored in XML file (i.e., $DOMAIN_HOME/config/fmwconfig/oam-config.xml).
The same remark with the policies: in OAM 10g policies are stored in LDAP server whereas in OAM 11g we have option to store them either in XML file or in Database.

If this is true, can we remove all connections from IDMHOST1/IDMHOST2/OIMHOST1/OIMHOST2 towards OID/OVD (+ all components for OID/OVD/OIDDBHOST1/OIDDBHOST2/etc.), and only keep the connections towards the Oracle IDAM Database (1521)?

The only LDAP repository that I could see for such deployments is the LDAP user identity store that OAM uses for authentication and authorization (i.e., only user and group identity data are stored in the centralized LDAP store, and not the policy and configuration data).
If we don’t have OID/OVD for storing policy and configuration data, can we also remove both WLS_ODS1 and WLS_ODS2 Managed Servers (they store Oracle DIP and Oracle Directory Services Manager) as well?

I do not see any reference to the Oracle Identity Protocol (OIP). Could you please confirm that this one is no longer used with OAM 11g?
The deployments use 2 hosts for OAM (IDMHOST1 and IDMHOST2). What are your recommendations for the geographical location of those hosts? Do you think it’s better to have them near each other?

Thank you very much in advance.

Kind Regards,

Reply
Atul Kumar says December 28, 2010

@ fthomas,
Yes you are right, Document seems incorrect at http://download.oracle.com/docs/cd/E14571_01/core.1111/e12035/oam_11g.htm#BHCHCEEA . In OAM 11g Policy and Configuration data can either be stored in XML file or database (but never in LDAP) – This used to be case in OAM 10g (Policy & Config data in LDAP server)

Q: If this is true, can we remove all connections from IDMHOST1/IDMHOST2/OIMHOST1/OIMHOST2 towards OID/OVD (+ all components for OID/OVD/OIDDBHOST1/OIDDBHOST2/etc.), and only keep the connections towards the Oracle IDAM Database (1521)?

I still think you should use OID/OVD as user store for OAM (topology 1) though you can keep users in default store i.e. WebLogic’s embedded LDAP server.

If you are going for topology 3 (OIM 11g & OAM 11g) then OID/OVD is mandatory as OIM users should be in sync with OAM users which is achieved by OVD/OID.

Q: I do not see any reference to the Oracle Identity Protocol (OIP). Could you please confirm that this one is no longer used with OAM 11g?

Yes that is true , check this post http://onlineappsdba.com/index.php/2010/09/01/changes-in-oracle-access-manager-11g-r1-11113/

Q: The deployments use 2 hosts for OAM (IDMHOST1 and IDMHOST2). What are your recommendations for the geographical location of those hosts? Do you think it’s better to have them near each other?

Yes my recommendation is to keep them close (check more from WebLogic Cluster document). Session uses Distributed in memory cache using coherence – Check http://onlineappsdba.com/index.php/2010/09/23/session-management-in-oam-11g-sme-idle-timeout-session-lifetime/

Reply
Atul Kumar says December 29, 2010

@ fthomas,
I may be wrong in my above comment regarding Policy and Configuration data stored only in Database or XML . The reason why I am saying this is that if you see $ORACLE_HOME/oam/server/oim-intg/schema you will see ldif which are extending OID schema (this could be limited to user management / password policy).

Let me integrate OIM with OAM before saying anything regarding Policy & Configuration store for OAM.

Reply
fthomas says January 7, 2011

Thanks a lot Atul.

Regards,
-Franck

Reply
dbeck says March 2, 2011

Thanks Atul, I have used your steps and actually have a new paper Oracle created for us with their version of steps to install OIM 11g. The fun parts are clustering (though I have that running now as well) and using Iplanet Web server as a proxy server for OIM. I haven’t seen any documents here on doing a web-server proxy, any ideas?

Reply
Atul Kumar says March 3, 2011

@ dbeck,

—actually have a new paper Oracle created for us with their version of steps to install OIM 11g.

Could you please share link to this doc you mentioned .

Q: I haven’t seen any documents here on doing a web-server proxy, any ideas?

A: You can use OHS (Oracle HTTP Server) as reverse proxy in front of OIM 11g.

To configure OHS with weblogic as reverse proxy for OIM , check http://onlineappsdba.com/index.php/2009/09/23/configure-oracle-http-server-infront-of-oracle-weblogic-server-mod_wl_ohs/

Reply
Ellyanna says April 11, 2011

That’s really thinking out of the box. Thanks!

Reply
vamsi56 says May 17, 2011

your document was really helpful and easy as well. But, there is a problem with the installation process during the Part VI: Configuring Identity manager.
I have created, installed and configured till Part V and everything was successful.
While configuring the database at Step 3 of 9, it threw me an exception: INST-6177 OIM Schema version is lower than expected value.
Create OIM 11g schema using repository creation utility and proceed with configuration.
Now, Please help me…

Thanks,
Krish.

Reply
Atul Kumar says May 18, 2011

@ vamsi56,
Which version of RCU you used to create OIM schema ?

Update output of below command (connect as user sys to database)

select owner, mr_type, version from schema_version_registry where owner like '%OIM%';

Reply
vamsi56 says May 18, 2011

It shows :

OWNER MR_TYPE VERSION
DEV_OIM OIM 11.1.1.3.0

Reply
Atul Kumar says May 18, 2011

@ vamsi56,
Version looks OK to me (though I used 11.1.1.3.2 in my system)

Check installation log (under oraInventory/log) to find out what version of schema OIM configuration is expecting .

Reply
vamsi56 says May 18, 2011

can you share me the link you installed in your system…might be I have 11.1.1.3.0 as my OIM version and RCU as 11.1.1.3.2. Could be a problem.

Reply
vamsi56 says May 19, 2011

Logs shows that :

“Could not fetch the schema version from database”

Inventory logs shows this:

0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
[OIM_CONFIG_INTERVIEW] Checking whether the OIM schema is encrypted. If schema is encrypted this will be considered as upgrade flow
]]
[2011-05-19T14:29:10.511+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
[OIM_CONFIG_INTERVIEW] MDS Schema Version is correct
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] Exiting method executeHandler
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
[OIM_CONFIG_INTERVIEW] Database is not encryped. This is not an upgrade flow.
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] Could not fetch the schema version from the database
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
ERROR ====>>>>:INST-6177
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
Cause:OIM Schema version is lower than the expected value
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
Action:Create OIM 11g schema using Repository Creation Utility and proceed with configuration.
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] [[
[OIM_CONFIG_INTERVIEW] Retrieving default locale set in the machine.
]]
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation.oracle.as.install.engine.modules.validation.handler.oimQueriesHandler.checkForUpgrade] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] Exiting method executeHandler
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] Handler launch end: oimQueriesHandler.checkForUpgrade
[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] [oracle.as.install.engine.modules.validation] [tid: 11] [ecid: 0000J08SN_J6UOYFLrvH8A1DpHfc000002,0] Handler returned status: FAILED

Reply
vamsi56 says May 19, 2011

One more observation is that :

Inputs passed to the handler: [ ORACLE_DB ( databaseType ) = “Oracle” ], [ MDS_SCHEMA_VERSION ( *mdsSchemaVersion* ) = “*11.1.1.2.0*” ], [ SILENT_INSTALL ( isSilentInstall ) = “false” ], [ MDS_USER_NAME ( mdsUserName ) = “DEV2_MDS” ], [ OIM_SCHEMA_USER_NAME ( userName ) = “SYS” ], [ OIM_DATABASE_CONNECTSTRING ( connectionString ) = “192.168.140.132:1521:orcl.168.140.132” ], [ OIM_SCHEMA_VERSION ( *oimSchemaVersion* ) = “*11.1.1.3.0*” ], [ IS_SERVICE_ID_USED_IN_SPECIFYODSPASSWORDPAGE ( isServiceIdUsed ) = “false” ], [ MDS_PASSWORD ( mdsPassword ) = “” ], [ OIM_SCHEMA_USER_PASSWORD ( password ) = “” ]

this means..MDS and OIM are not with the same version…right?…

If yes, my question will be : MDS and OIM have come with same suite of product….i did not install them separately, how can they be in different versions?….

Reply
Atul Kumar says May 20, 2011

@ vamsi56,
On my servers also OIM schema version is 11.1.1.3.0 and MDS schema is 11.1.1.2.0 so schema version in database is not an issue.

While configuring OIM, middleware is unable to contact database schema (did this configuration fail in past?)

My suggestion would be to start fresh (including database, weblogic and OIM software)

There are hidden files stored under $DOMAIN_HOME/config/fmwconfig by name
.xldatabasekey (This file could be corrupt)

Reply
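The log check suggested in this exchange (read the installer log under oraInventory/log to see what the failing validation handler actually reported), as an added example that is not part of the original comments: a Python parser for the log layout pasted above. The sample lines are constructed from that excerpt, the function names are hypothetical, and the password masking is an addition for logs that are going to be posted publicly.

```python
import re

# ODL line: [timestamp] [component] [level] [msg-id] [module] [attr: value]... message
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\dT[^\]]+)\] \[[^\]]*\] \[(?P<level>[^\]]*)\] \[[^\]]*\] "
    r"\[(?P<module>[^\]]*)\](?: \[[\w.-]+: [^\]]*\])* ?(?P<msg>.*)$"
)
# One handler input: [ KEY ( name ) = "value" ]; curly quotes show up in logs pasted into blogs.
INPUT = re.compile(r'\[ (\w+) \( \w+ \) = ["\u201c]([^"\u201d]*)["\u201d] \]')

# Constructed sample modelled on the excerpt in the thread (ecid and password are made up).
H = ("[2011-05-19T14:29:10.527+01:00] [as] [NOTIFICATION] [] "
     "[oracle.as.install.engine.modules.validation] [tid: 11] [ecid: 0000EXAMPLE,0]")
SAMPLE_LOG = "\n".join([
    "0000EXAMPLE,0] [[",  # paste that starts mid-record, as in the thread
    "[OIM_CONFIG_INTERVIEW] Checking whether the OIM schema is encrypted.",
    "]]",
    H + ' Inputs passed to the handler: [ MDS_SCHEMA_VERSION ( mdsSchemaVersion ) = "11.1.1.2.0" ],'
        ' [ OIM_SCHEMA_USER_NAME ( userName ) = "SYS" ],'
        ' [ OIM_SCHEMA_VERSION ( oimSchemaVersion ) = "11.1.1.3.0" ],'
        ' [ OIM_SCHEMA_USER_PASSWORD ( password ) = "constructed-secret" ]',
    H + " [[", "[OIM_CONFIG_INTERVIEW] MDS Schema Version is correct", "]]",
    H + " Could not fetch the schema version from the database",
    H + " [[", "ERROR ====>>>>:INST-6177", "]]",
    H + " [[", "Cause:OIM Schema version is lower than the expected value", "]]",
    H + " [[", "Action:Create OIM 11g schema using Repository Creation Utility"
               " and proceed with configuration.", "]]",
    H + " Handler launch end: oimQueriesHandler.checkForUpgrade",
    H + " Handler returned status: FAILED",
])


def parse_records(text):
    """Split the log into records; '[[' ... ']]' wraps a multi-line message."""
    records, current, in_block = [], None, False
    for line in text.splitlines():
        m = None if in_block else HEADER.match(line)
        if m:
            msg = m.group("msg")
            in_block = msg.strip() == "[["
            current = {"ts": m.group("ts"), "level": m.group("level"),
                       "module": m.group("module"), "message": "" if in_block else msg}
            records.append(current)
        elif current is None:
            continue  # lines before the first complete header (truncated paste)
        elif line.strip() == "]]":
            in_block = False
        else:
            current["message"] += ("\n" if current["message"] else "") + line
    return records


def triage(records):
    """For each FAILED handler: error code, cause, action, and the message logged just before the code."""
    findings, handler, pending = [], None, {}
    for i, rec in enumerate(records):
        msg = rec["message"].strip()
        code = re.search(r"\bINST-\d+\b", msg)
        if code:
            pending.setdefault("code", code.group(0))
            pending.setdefault("preceding", records[i - 1]["message"].strip() if i else "")
        elif msg.startswith("Cause:"):
            pending["cause"] = msg[len("Cause:"):].strip()
        elif msg.startswith("Action:"):
            pending["action"] = msg[len("Action:"):].strip()
        elif msg.startswith("Handler launch end:"):
            handler = msg.split(":", 1)[1].strip()
        elif msg.startswith("Handler returned status:"):
            if msg.split(":", 1)[1].strip() == "FAILED":
                findings.append({"handler": handler, **pending})
            handler, pending = None, {}
    return findings


def handler_inputs(records):
    """Collect 'Inputs passed to the handler' values, masking non-empty password fields."""
    inputs = {}
    for rec in records:
        if "Inputs passed to the handler" in rec["message"]:
            for key, value in INPUT.findall(rec["message"]):
                inputs[key] = "<redacted>" if "PASSWORD" in key and value else value
    return inputs


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for finding in triage(recs):
        print(finding)
    print(handler_inputs(recs))
```

The `preceding` field is the part worth reading first: it holds whatever the handler logged immediately before the error code, which the Cause and Action text does not repeat.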
Gupta says May 23, 2011

Hi,
I am trying to configure OIM11g in high availability mode but I am getting the error while Update the DeploymentMode for Oracle Identity Manager.

I set metadata_to_location=/apps/oracle/Oracle/oim_export

while running weblogicExportMetaData.sh i got the error that

“Problem invoking WLST – Traceback (innermost last):
File “/apps/oracle/Oracle/Middleware/Oracle_IDM1/server/bin/weblogicExportMetadata.py”, line 22, in ?
File “/apps/oracle/Oracle/Middleware/oracle_common/common/wlst/mdsWLSTCommands.py”, line 134, in exportMetadata
File “/apps/oracle/Oracle/Middleware/oracle_common/common/wlst/mdsWLSTCommands.py”, line 568, in executeAppRuntimeMBeanOperation
File “/apps/oracle/Oracle/Middleware/oracle_common/common/wlst/mdsWLSTCommands.py”, line 538, in getMDSAppRuntimeMBean
UserWarning: MDS-91002: MDS Application runtime MBean for “oim” is not available. “exportMetadata” operation failure.”

Reply
Atul Kumar says May 24, 2011

@ Gupta ,
What is value of
wls_servername & application_name in weblogic.properties ?

Did you try with application_name=OIMMetadata ?

Also make sure that this MBean is available, check in Admin & OIM Managed Server log file and see if you see any errors related to this MBean during start up

Reply
Gupta says May 24, 2011

Thank you for your reply,

wls_servername is oim_server1 and application_name is OIMMetadata.

yes there are some mbean errors in the oim log file while start up those are “avax.management.RuntimeMBeanException: javax.management.RuntimeMBeanException: MDSConfigurationException encountered in parseADFConfiguration.
javax.management.RuntimeMBeanException: javax.management.RuntimeMBeanException: MDSConfigurationException encountered in parseADFConfiguration

Thanks & Regards,
Gupta Katakam.

Reply
Kumar says May 25, 2011

Hi Atul,

I am deploying the OIM 11g in High Availability Mode. I am confused at the point where we need to start the OIM2 and SOA2 in the second weblogic server WLS2. When I try to start them from weblogic admin console of WLS1 I am getting the error saying you are not authorized to do this or unable to connect to node manager. I verified that node manager is up and running. But when I try to start the OIM2 and SOA2 manually using command, there is no oim_server2 and soa_server2 managed servers in WLS2. My question is when we do pack.sh and unpack.sh it won’t create managed servers in WLS2? Do we need to extend the domain again in WLS2 which isn’t given in the document?

I am following the link that in your post.

Thanks & Regards,

Kumar

Reply
Gupta says June 1, 2011

Hi Atul,

I got some confusion when we have to do pack.sh and unpack.sh while doing OIM 11g in high availability mode and after unpacking the jar I am unable to start my weblogic server in host2.

When I am trying to start weblogic server then it shows me an error that “cannot find config.xml” then I copied that config.xml from oim_doamin.jar then again when I restart my weblogic server then it shows me an error that “<Server sub system failed…”

please send me answer to fix this problem.

Thanks & Regards,
Gupta katakam

Reply
Atul Kumar says June 1, 2011

@ Gupta,
This is explained in my book (Chapter 2) at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

under high availability deployment section.

Extend domain first to configure OIM2 on node2 and then use pack on node1 and unpack on node2.

Reply
Gupta says June 9, 2011

Hi Atul,

Thanks for your reply, it worked for me…

Now I am doing Configuring Server Migration for the OIM and SOA Managed Servers..

After servers migration I am unable to start managed weblogic servers…

when I am trying to start the managed servers then i got an error that ”

‘/DOMAIN_HOME/bin/server_migration/wlsifconfig.sh -addif eth0 192.168.0.118 255.255.255.0 ‘ returned an unsuccessful exit code ‘1’. Check NM logs for script output.”

here 192.168.0.118 is my IP and 255.255.255.0 is subnet mask…

Please send me solution for this…

Thanks & Regards,
Gupta Katakam.

Reply
Atul Kumar says June 9, 2011

@ Gupta,
As mentioned in my previous update these things are covered in my book at https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

Did you configure SOA & OIM server or virtual host (and IP) for server migration.

Reply
MaduK says September 22, 2011

Hi Atul,

I want to know the procedure to setup the Weblogic Admin server in active-passive fashion as described in the “Enterprise Deployment Guide for Oracle Identity Management”.

My Aim is to setup all the Identity Management,Identity and Access Management components logically in a single weblogic domain though the components will reside on multiple machines. This helps me to manage my whole POC topology using a single WL Admin and EM consoles.Is this setup possible??

Thanks,
Madhu

Reply
Atul Kumar says September 22, 2011

@ MaduK,
Yes this is possible and quite common use case. This is also covered in chapter 2 of my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

Reply
MadhuK says September 23, 2011

Atul,

Thanks for the quick reply.

Does your book OIDAM for administrators available as a hardcopy @book stores? I couldn’t get it with the book sellers nearby in bangalore.

Thanks,
Madhu

Reply
MaduK says September 23, 2011

Hi Atul,

Thanks for the quick reply.

Does your book IDAM 4 Administrators is available in book stores? I couldn’t get it with the book stores nearby in Bangalore

The packtpub site says still few chapters are in progress is it true?

Thanks,
Madhu

Reply
Atul Kumar says September 23, 2011

@ MaduK,
No, not yet. This book is currently in print and should hit stores in UK & USA by Sep end or early Oct. I am sure about launch date in India. You should be able to order soft copy online.

Reply
taness says October 10, 2011

Hi Atul,

For complex high availability architecture like having managed server clusters, one domain and one admin server, with several clusters containing only managed servers, what will be the approach? You cannot pack/unpack Admin Server domain for each cluster by extending every time the domain. How will this be achieved? I looked into your book but there were explained the setup involving one Admin Server per cluster, not multi cluster domain with one Admin Server.

Regards,

Many thanks!

Reply
Atul Kumar says October 10, 2011

@ Taness,
WebLogic Domain consists of 1 Admin Server and 0-N cluster and 0-N managed server. For OIM and OAM you should create 2 clusters, one for OIM and second for OAM and one Admin Server for both.

Please go through my comments and let me know if you still have any doubt.

Reply
taness says October 10, 2011

Hi Atul,

Thank you for your quick response.
Without having an admin server on any of the managed servers inside Cluster_OIM and Cluster_OAM, how pack/unpack command will apply? Extending domain first with OIM/SOA and unpack in Cluster_OIM managed servers and then extend once more with OAM and perform same for Cluster_OAM?

The steps are at this moment somehow unclear on how to propagate domain info on managed servers in each cluster.

Can you help me solve this doubt?

Regards,
Taness

Reply
Atul Kumar says October 10, 2011

@taness,

This is what you will do

1. Install OAM/OIM
2. Run config.sh to configure Domain with Admin Server
3. Extend domain to include OIM/OAM and during this stage only create four managed server – oim_server1 on machine1 , oim_server2 on machine2 , oam_server1 on machine1, and oam_server2 on machine2. Create 2 clusters, oam_cluster and oim_cluster. Put oam_server1 and oam_server2 in oam_cluster and oim_server1 and oim_server2 in oim_cluster
4. Run pack with managed server option true on machine1
5. Run unpack on machine2

Start admin server, oam_server1 and oim_server1 on machine1

Start oam_server2 and oim_server2 on machine2.

Do it once please and then ask doubts.

Reply
taness says October 10, 2011

Hi Atul,

Please excuse me not adding all the info. This is the configuration we could not find.

1 Admin Server A outside the clusters C1 … Cn
n clusters within same domain D
p managed servers Mp…Mp within each cluster

Having one Admin Server per domain, with several clusters, each having multiple managed servers for HA without any admin server, how pack/unpack will solve it?

Can Admin Server domain D be fully extended and then unpack to each of the managed servers in all the clusters? Can it granular work having say packing domain with the option for only 1 managed server?

Many thanks,

Reply
j2eedevelper says November 13, 2011

HI Atul,
We have done clustered deployment of oim 11.1.1.5 in weblogic 10.3.5 using enterprise deployment guide (for domain configuration). Following are the steps we followed..
1.Our environment is wls 10.3.5
2.Installed SOA 11.1.1.5 in middleware home
3.Installed OIM 11.1.1.5 in middleware home
4.Configured oim domain (as per the enterprise deployment guide)
5.Extend the domain with oracle identity manager(as per the enterprise deployment guide)
6.Applied BP01 on oim only..
seems that all the managed servers are working fine….
my question is
do we need to Update the DeploymentMode for Oracle Identity Manager to cluster in version 11.1.1.5

Reply
Atul Kumar says November 13, 2011

@ j2eedevelper,
I am not clear what do you mean by deploymentMode , is this in web.xml ? Please elaborate .

Reply
j2eedevelper says November 13, 2011

Hi Atul
please see the following

Section 8.9.3.5.2 Update the DeploymentMode for Oracle Identity Manager

http://download.oracle.com/docs/cd/E14571_01/core.1111/e10106/imha.htm#CHDJFDEC

Reply
Tom says December 21, 2011

We have been using the steps in your book to configure/setup/create clusters…

We are installing IDAM 11.1.1.5 with WLS 10.3.5 and Oracle DB 11.2.0.1. We are creating a clustered environment and have installed everything on both servers up to executing the config.sh to create and/or extend the domain.

We created/setup the components, clusters, machines, etc during the config and then pressed “Extend”. At 85% complete, we got an error “Domain Extension Application Failed”. The reason was that the file startscript-unsub.xml had a permissions issue. For some reason, this file was owned by root. Once that was corrected and we pressed OK — the only thing we had to press.

Rather than retrying or at least continuing from that point… the Extend ended in failure.

Is it possible to re-execute the “Extend” process? We cannot restart the config.sh to go through our create/setup steps again to recreate the clusters, etc — we cannot get past the “Select Extension Source” screen since all the components we want to include are already selected and grayed out.

We are stuck at this point. We have created the clustered system already but need to make sure of our steps and would rather not have to begin again….

Thank you in advance….

Reply
Atul Kumar says December 21, 2011

@ Tom,
I am assuming that this is just for OIM/OAM (and does not include OID/OVD). Second assumption is that OIM is not yet configured by running config.sh from $ORACLE_HOME/bin

If this is the case then move existing domain directory to backup location and create domain again.

Reply
Tom says December 21, 2011

Thanks for the quick response…

We created the domain when we installed OID, OVD, etc and are extending the domain when we run config.sh… Is it possible to revert to the “extend” rather than the “create” step?

Reply
Tom says December 21, 2011

On this same question… when I configured the OAM Cluster, I packed and unpacked the domain. Is it possible to unpack the domain on the server it was created on to revert it back to where it was prior to the creation of the OIM and SOA clusters?

Reply
Atul Kumar says December 21, 2011

@ Tom,
If you extended just OIM/OAM (and did not configure OIM) then you can restore domain files from backup. If you have also configured OIM after backup then you must also restore database from backup.

Q: Is it possible to unpack the domain on the server it was created on to revert it back to where it was prior to the creation of the OIM and SOA clusters?

Yes , though I have not tried myself but technically it should work.

Reply
Luke says February 4, 2012

Atul,
For experiment I am thinking of doing IDM high availability by utilizing Virtual Box. Could the HA be done on VB?
Thanks
Luke

Reply
Atul Kumar says February 5, 2012

@ Luke,
I have not worked with Virtual Box but yes this can be done with vmware.

For HA to IDM shared disk is required for TLOGS and JMS (for OIM/SOA) and for that you need to change some parameter in vmware disk so that it can be mounted on two servers at same time.

Other option is to configure OIM in HA in vertical cluster (instead of horizontal cluster) so two servers are on same machine.

Reply
Tom Carlson says March 1, 2012

As we have gone through the clustering process… one thing we did not do is cluster oid, ovd, and dip. Is it possible to (after the fact) configure oid, ovd, and dip as clustered or must we begin the process all over again for this to work?

We have OAM, OIM, OAAM, SOA, and wls_ods clustered….

Reply
Atul Kumar says March 2, 2012

@ Tom, It is better to re-install OID/OVD, DIP and select cluster (for DIP /ODSM component) during installation.

There is no documented way to migrate OID/OVD/DIP from single node to cluster and chances are that it will take more time to migrate from single node to cluster than re-installing OID/OVD with cluster from start .

Reply
0gravity says June 19, 2012

Hi,
We are not sure whether OIM supports the high availability by distributing the load for trusted reconciliation process followed by provisioning operations. When we tested, it looks like the scheduler started host is mainly involved in the recon and prov process.

Reply
Pratima says April 22, 2013

Hi,

We have installed OAM/OAAM on a shared MW_HOME with domain configuration under local directories. On one of the servers in the mount, we are unable to launch wlst and configuration wizard. It just hangs at “Initializing Weblogic Scripting Tool(WLST)…” on one of the servers while the other servers in the same mount have no trouble in doing so. We have only reached the point of installing Weblogic and Oracle IAM suite and are unable to run config.sh on Admin server due to this issue.

Has anyone seen this before? We thought it was a NAS(NFS) issue but we also brought down the server where it works and tried to launch from the non working server.

Reply
egokhman says July 5, 2013

Atul,

Thank you for your informative postings.

I am very interested in high-availability infrastructure and network architecture for Oracle Federated Portal aggregating multiple high-availability applications utilizing UCM. Could you point me to any materials describing and diagramming this?

Thanks,
Ed

Reply
acnu says January 3, 2014

Hi

I followed above your instructions to install OIM but got error ‘OIM Schema version is lower than the expected value’. OIM version is: 11.1.2.0.0.

Can you advise me please.

Regards
acnu

Reply
Atul Kumar says January 3, 2014

@acnu
What version of OIM you are installing and what version of RCU did you use to create schema.

Reply
acnu says January 3, 2014

Thanks Atul.

I have installed OIM ver: 11.1.2.0.0 and RCU 11.1.2.0.0.

Installed successfully but I tried to config then I got this error.

Regards
acnu

Reply
Atul Kumar says January 3, 2014

Acnu,
Login to database and query OIM schema version.

Do let me know if you can’t find table name that contains schema version.

Reply
acnu says January 3, 2014

Hi Atul

It is ‘DEV_OIM OIM 11.1.2.0.0’

Regards
acnu

Reply
Atul Kumar says January 3, 2014

Now run the opatch lsinventory on OIM oracle home and update version of OIM on file system.

Please update content of log file generated on running config.sh

Reply
Hafeez says October 28, 2016

We are in the process of installing and configuring OIM Cluster. During the OIM configuration we have to provide “OIM HTTP URL”.

Documentation says:
OIM HTTP URL
■ The OIM HTTP URL is of the format: http(s)://host:port. For example,
https://localhost:7002.

■ For cluster deployments, provide the load balancer URL that front-ends the Oracle Identity Manager cluster.

The question is that if load balancer URL is “dev-oim.example.com” which resolves to “oimhost1 & oimhost2”, then what port number we should provide here… should it be 443 (I think it is default https port) or 14000 (oim port)?

Just want to mention specifically. We do not want to use SSL for internal OIM to SOA communication. So if we put this load balancer “dev-oim.example.com:443” entry for OIM HTTP URL, not sure how it will behave for internal OIM and SOA communication because 443 port is ssl.

Reply