Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

To start the installation program, perform the following steps.

When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.

To check the directory structure:

Make sure you have installed and configured a certified database, and that the database is up and running.

For more information, see the following resources:

• Preparing the Database for an Enterprise Deployment, which includes information about creating database services, using SecureFiles for Large Objects (LOBs), and other topics important in an enterprise deployment.

• Understanding Database Requirements for an Oracle Fusion Middleware Installation in Planning an Installation of Oracle Fusion Middleware.

To start the Repository Creation Utility (RCU):

Follow the instructions in this section to create the schemas for the Oracle Analytics Server domain.

Task 1   Introducing RCU

Review the Welcome screen and verify the version number for RCU. Click Next to begin.

Task 2   Selecting a Method of Schema Creation

If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.

If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates an SQL script that you can provide to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.

Tip:

For more information about the options on this screen, see Create Repository in Creating Schemas with the Repository Creation Utility.

Task 3   Providing Database Credentials

On the Database Connection Details screen, provide the database connection details for RCU to connect to your database.

In the Host Name field, enter the SCAN address of the Oracle RAC Database.

Click Next to proceed, then click OK on the dialog window confirming that connection to the database was successful.

Tip:

For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.

Task 4   Specifying a Custom Prefix and Selecting Schemas

1. Specify the custom prefix you want to use to identify the Oracle Fusion Middleware schemas.

   The custom prefix is used to logically group these schemas together for use in this domain. For the purposes of this guide, use the prefix FMW1221.

   Tip:

   Make a note of the custom prefix you choose to enter here; you need them later during the domain creation process.

2. Select AS Common Schemas.

   When you select AS Common Schemas, all of the schemas in this section are automatically selected.

   A schema called Common Infrastructure Services is also automatically created; this schema is grayed out and cannot be selected or deselected. This schema (the STB schema) enables you to retrieve information from RCU during domain configuration. For more information, see Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

3. Select Business Intelligence Platform.

Tip:

For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.

For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.

Click Next to proceed, then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Task 5   Specifying Schema Passwords

Specify how you want to set the schema passwords on your database, then specify and confirm your passwords.

Tip:

Make a note of the passwords you set on this screen; you need them later during the domain creation process.

Task 6   Completing Schema Creation

Navigate through the remainder of the RCU screens to complete schema creation.

For the purposes of this guide, you can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.

See About the Repository Creation Utility in Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.

When you reach the Completion Summary screen, click Close to close the RCU.

To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home on BIHOST1.

ORACLE_HOME/oracle_common/common/bin/config.sh

Task 1   Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, specify the value of the ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

More information about the other options on this screen can be found in Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Task 2   Selecting the Configuration Templates

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:

• Oracle BIEE Suite – [bi]

  Selecting this template automatically selects the following dependencies:

  • Oracle MapViewer – [oracle_common]

  • Oracle Enterprise Manager – [em]

  • Oracle WSM Policy Manager – [oracle_common]

  • Oracle JRF - [oracle_common]

  • WebLogic Coherence Cluster Extension - [wlserver]

  • Oracle BI SLCM Defaults [bi]

• Oracle BI Publisher Suite – [bi]

In addition, the Basic WebLogic Server Domain – [wlserver] template should already be selected and grayed out.

Tip:

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Task 3   Selecting High Availability Options

Use the High Availability Options screen to configure service migration and persistence settings that affect high availability.

The Enable Automatic Service Migration option allows pinned services to migrate automatically to a healthy Managed Server for failover. However, Oracle Analytics Server does not support Automatic Service Migration. Ensure that the Enable Automatic Service Migration option is not selected.

The JTA Transaction Log Persistence section has two options: Default Persistent Store and JDBC TLog Store. Oracle recommends that you select JDBC TLog Store. You use this option to configure a component to use JDBC stores for all its JMS servers. When you complete the configuration, you have a cluster and JDBC persistent stores are set up for Transaction logs.

For more details on persistent and TLOG stores, see:

• Using the Default Persistent Store

• Using a JDBC TLOG Store

Set JMS Server Persistence to JMS File Store.

A persistent JMS store is a physical repository for storing persistent message data and durable subscribers. It can be either a disk-based file store or a JDBC-accessible database. You can use a JMS file store for paging of messages to disk when memory is exhausted.

• JMS File Store — Configures a component to use JMS File Stores.

• JMS JDBC Store — Configures a component to use JDBC stores for all its JMS servers. When you complete the configuration, you have a cluster and JDBC persistent stores are configured for the JMS servers.

Select the File Store Modify Settings option in the Advanced Configuration screen to change settings. In the File Stores screen, you can set file store names, directories and synchronous write policies.

Task 4   Selecting the Application Home Location

On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Task 5   Configuring the Administrator Account

On the Administrator Account screen, specify the user name and password for the default WebLogic Administrator account for the domain.

Make a note of the user name and password specified on this screen; you will need these credentials later to boot and connect to the domain's Administration Server.

Task 6   Specifying the Domain Mode and JDK

On the Domain Mode and JDK screen:

• Select Production in the Domain Mode field.

• Select the Oracle Hotspot JDK in the JDK field.

Selecting Production Mode on this screen gives your environment a higher degree of security, requiring a user name and password to deploy applications and to start the Administration Server.

Tip:

More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.

In production mode, a boot identity file can be created to bypass the need to provide a user name and password when starting the Administration Server. See Creating the boot.properties File.

Task 7   Specifying the Database Configuration Type

Select RCU Data to activate the fields on this screen.

The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.

Note:

If you choose to select Manual Configuration on this screen, you will have to manually fill in the parameters for your schema on the JDBC Component Schema screen.

After selecting RCU Data, fill in the fields as shown in the following table:

Field	Description
DBMS/Service	Enter the service name for the Oracle RAC database where you will install the product schemas. For example: orcl.example.com Be sure this is the common service name that is used to identify all the instances in the Oracle RAC database; do not use the host-specific service name. See Preparing the Database for an Enterprise Deployment.
Host Name	Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook.
Port	Enter the port number on which the database listens. For example, 1521.
Schema Owner Schema Password	Enter the user name and password for connecting to the database's Service Table schema. This is the schema user name and password that was specified for the Service Table component on the Schema Passwords screen in RCU. The default user name is prefix_STB, where prefix is the custom prefix that you defined in RCU.

Click Get RCU Configuration when you are finished specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

Click Next if the connection to the database is successful.

Tip:

More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard

Task 8   Specifying JDBC Component Schema Information

Verify that the values on the JDBC Component Schema screen are correct for all schemas.

The schema table should be populated because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.

At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.

In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.

To convert the data sources to GridLink:

1. Select all the schemas by selecting the check box in the first header row of the schema table.

2. Click Convert to GridLink and click Next.

Task 9   Providing the GridLink Oracle RAC Database Connection Details

On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown in Table 10-4.

Table 10-4 Recommended Values for Selected Fields on the GridLink Oracle RAC Component Schema Screen

Element	Description and Recommended Value
SCAN, Host Name, and Port	Select the SCAN check box. In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database. In the Port field, enter the SCAN listening port for the database (for example, 1521)
ONS Host and Port	In the ONS Host field, enter the SCAN address for the Oracle RAC database. In the Port field, enter the ONS Remote port (typically, 6200). For Database 11g, to obtain the ONS information on the GridLink with Oracle RAC Database, check the ons.config file on either nodes of the RAC machine. The ons.config file is present at the following location: GRID_HOME/opmn/conf/ons.config. For example, /u01/app/12.2.1.x/grid/opmn/conf/ons.config. For Database 12c or higher, the ONS list is automatically provided from the database to the driver and should be left blank.
Enable Fan	Select the Enable Fan check box to receive and process FAN events,

For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in High Availability Guide.

You can also click Help to display a brief description of each field on the screen.

Task 10   Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections you have just configured.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.

Tip:

More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard

Task 11   Specifying Credentials

Enter a unique user name and password for the Oracle Analytics Server system.user account. Note that the system.user account is not an actual user. It is used for internal authentication between the different Oracle Analytics Server components. You must provide a unique, random user name and password that are not used by an actual system user to log in and use Oracle Analytics Server applications with.

Enter a user name and password for the jms.queue.auth user account. This user must be a user in the WebLogic Administrator group.

Note:

The jms.queue.auth user must be created with default authenticator after starting the Administration Server and before starting the Managed Server/system components. For more information, see Creating the User for jms.queue.auth.

Task 12   Selecting Advanced Configuration

To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:

• Administration Server

  This is required to properly configure the listen address of the Administration Server.

• Node Manager

  This is required to configure Node Manager.

• Topology

  This is required to configure the Managed Server and cluster, and also for configuring the machine and targeting the Managed Server to the machine.

• File Store

  This is required to configure the appropriate shared storage for JMS persistent stores.

  Do not select this option if you have selected JDBC persistent store.

Note:

When using the Advanced Configuration screen in the Configuration Wizard:

• If any of the above options are not available on the screen, then return to the Templates screen, and be sure you selected the required templates for this topology.

• Do not select the Domain Frontend Host Capture advanced configuration option.

Task 13   Configuring the Administration Server Listen Address

On the Administration Server screen:

1. In the Server Name field, retain the default value - AdminServer.

2. In the Listen Address field, enter the virtual host name that corresponds to the VIP of the ADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.

   For more information on the reasons for using the ADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.

3. Leave the other fields at their default values.

   In particular, be sure that no server groups are assigned to the Administration Server.

Task 14   Configuring Node Manager

Select Per Domain Default Location as the Node Manager type.

Under Node Manager Credentials, specify the username and the password same as that of the admin user.

Tip:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.

For additional information, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Task 15   Configuring the Managed Server

On the Managed Servers screen, a new Managed Server for Oracle Analytics Server appears in the list of servers. This server was created automatically by the Oracle BIEE Suite configuration template you selected on the Templates screen. Perform the following tasks to modify the default Oracle Analytics Server Managed Server (bi_server1).

1. Rename the default Managed Server to WLS_BI1.

   Tip:

   The server name recommended here will be used throughout this document; if you choose a different name, be sure to replace it as needed.

2. Use the information in the following table to fill in the rest of the columns for the Oracle Analytics Server Managed Server.

Tip:

More information about the options on the Managed Server screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Table 10-5 Values Required for Oracle Analytics Server Managed Server

Server Name	Listen Address	Listen Port	Enable SSL	SSL Listen Port	Server Groups
WLS_BI1	BIHOST1VHN	7003	No	Disabled	BISUITE-MAN-SVR

Task 16   Configuring a Cluster

In this task, you create a cluster to which you can target the Oracle Analytics Server software.

On the Clusters screen, a new cluster (bi_cluster) for Oracle Analytics Server appears in the list of clusters. Do not change the default cluster name (bi_cluster). Click Next to continue.

Note:

The WebLogic Frontend Host, Frontend HTTP Port, and Frontend HTTPS Port configurations are no longer required with Oracle Analytics Server. Configuring these settings may result in some functionality not working as expected.

Task 17   Assigning Server Templates

Click Next to continue.

Task 18   Configuring Dynamic Servers

Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.

1. Confirm that the Dynamic Cluster, Calculated Listen Port, and Calculated Machine Names checkboxes on this screen are unchecked.

2. Confirm the Server Template selection is Unspecified.

3. Click Next.

Task 19   Assigning the Managed Server to the Cluster

Use the Assign Servers to Clusters screen to assign WLS_BI1 to the new cluster bi_cluster:

Note:

The Managed Server is assigned to the cluster by default. However, if the managed server is not assigned to the cluster, perform the following steps:

1. In the Clusters pane, select the cluster to which you want to assign the servers; in this case, bi_cluster.

2. In the Servers pane, assign WLS_BI1 to bi_cluster by doing one of the following:

   • Click once on WLS_BI1 Managed Server to select it, then click on the right arrow to move it beneath the selected cluster in the Clusters pane.

   • Double-click on WLS_BI1 to move it beneath the selected cluster in the clusters pane.

Tip:

More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Task 20   Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.

In the Cluster Listen Port, enter 9991.

Note:

For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information.

Task 21   Creating Machines

Use the Machines screen to create a new machine in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.

1. Select the Unix Machine tab.

2. Click the Add button to create the new UNIX machine.

   Specify the values listed in the following table to define the Name and Node Manager Listen Address of each machine.

   Note:

   Do not specify localhost in the Node Manager Listen Address field.

3. Verify the port in the Node Manager Listen Port field.

   The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number as needed.

Table 10-6 Values to Use When Creating UNIX Machines

Name	Node Manager Listen Address	Node Manager Listen Port
BIHOST1	The value of the BIHOST1 host name variable. For example, BIHOST1.example.com.	The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number as needed. For the BIHOST1 use the port 5556. Note: If BIHOST1 and ADMINHOST are running on the same server, then each of their node managers must run on different ports, that is, port 5556 for BIHOST1 and port 5557 for ADMINHOST.
ADMINHOST	Enter the value of the ADMINVHN variable.	5556

Tip:

More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.

Task 22   Assigning Servers to Machines

Use the Assign Servers to Machines screen to assign the Administration Server and the Oracle Analytics Server Managed Server to the appropriate machine.

The Assign Servers to Machines screen is similar to the Assign Managed Servers to Clusters screen. Select the target machine in the Machines column, select the Managed Server in the left column, and click the right arrow to assign the server to the appropriate machine.

Assign the servers as follows:

• Assign the AdminServer to the ADMINHOST machine.

• Assign the WLS_BI1 Managed Server to the BIHOST1 machine.

Tip:

More information about the options on this screen can be found in Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Task 23   Creating Virtual Targets

Click Next to proceed to the next screen.

Task 24   Creating Partitions

Click Next to proceed to the next screen.

Task 25   Configuring the JMS File Store

Note:

The Configuring the JMS File Store screen does not appear if you have selected the JDBC for the JMS File Store.

When you configure a domain using the Oracle Analytics Server configuration template, you should select the proper location of the Metadata Services (MDS) JMS File Store, especially when you are configuring an enterprise deployment.

On the JMS File Stores screen, assign the following directory for each of the Oracle Analytics Server Persistence stores, with the exception of the store named mds-owsm:

ORACLE_RUNTIME/bi_domain/jms

In this example, replace ORACLE_RUNTIME with the actual value of the ORACLE_RUNTIME variable, as defined in File System and Directory Variables Used in This Guide. Replace bi_domain with the name you assigned to the Oracle Analytics Server domain.

Set the Synchronous Write Policy as Direct-Write for all stores, with the exception of the store named mds-owsm.

Task 26   Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains the detailed configuration information for the domain you are about to create. Review the details of each item on the screen and verify that the information is correct.

You can go back to any previous screen if you need to make any changes, either by using the Back button or by selecting the screen in the navigation pane.

Domain creation will not begin until you click Create.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Task 27   Writing Down Your Domain Home and Administration Server URL

The Configuration Success screen will show the following items about the domain you just configured:

• Domain Location

• Administration Server URL

You must make a note of both items as you will need them later; the domain location is needed to access the scripts used to start the Node Manager and Administration Server, and the URL is needed to access the Administration Server.

Click Finish to close the Configuration Wizard.

To create a boot.properties file for the Administration Server:

To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:

ADMINVHN:7001/em

To navigate to the Oracle WebLogic Server Administration Console, enter the following URL, and log in with the same administration credentials:

ADMINVHN:7001/console

Placing the MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. It is also faster to load classes and jars need from the domain directory, so any temporary or cache data that the Managed Servers use from the domain directory is processed quicker.

As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the MSERVER_HOME variable.

To create the Managed Server domain directory:

After you create the Managed Server domain directory, there are two domain home directories and two corresponding Node Manager instances on BIHOST1. You use one Node Manager to control the Administration Server, running from Administration Server domain home, and you use the other Node Manager to control the Managed Servers, running from the Managed Server domain home.

You must start the two Node Managers independently.

Follow these steps to update and start the Node Manager from the Managed Server home:

For information about additional Node Manager configuration options, see Administering Node Manager for Oracle WebLogic Server.

Fusion Middleware Control is available because you already started the Node Manager and Administration Server in a previous step:

Complete the prerequisites required to create an authentication provider and provision users and groups. Backup the relevant backup files and then enable authentication provider.

This example shows how to create a user called biLDAP in the central LDAP directory.

To provision the user in the LDAP provider:

1. Create an LDIF file named domain_user.ldif with the following contents and then save the file:

   dn: cn=biLDAP,cn=systemids,dc=example,dc=com
   changetype: add
   orclsamaccountname: biLDAP
   userpassword: password
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   mail: biLDAP@example.com
   givenname: biLDAP
   sn: biLDAP
   cn: biLDAP
   uid: biLDAP

   Note:

   If you use Oracle Unified Directory, then add the following four group memberships to the end of the LDIF file to grant the appropriate read/write privileges:

   dn:
   cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
   changetype: modify
   add: uniquemember
   uniquemember: cn=biLDAP,cn=systemids,dc=example,dc=com
   
   dn: cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
   changetype: modify
   add: uniquemember
   uniquemember: cn=biLDAP,cn=systemids,dc=example,dc=com
   
   dn: cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
   changetype: modify
   add: uniquemember
   uniquemember: cn=biLDAP,cn=systemids,dc=example,dc=com
   
   dn: cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com
   changetype: modify
   add: uniquemember
   uniquemember: cn=biLDAP,cn=systemids,dc=example,dc=com

2. Provision the user in the LDAP directory.

   For example, for an Oracle Unified Directory LDAP provider:

   OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                    -h idstore.example.com
                                    -D "cn=oudadmin" \
                                    -w password \
                                    -p 1389 \
                                    -f domain_user.ldif

   For Oracle Internet Directory:

   OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \
                                -p 3060 \
                                -D cn="orcladmin" \
                                -w password \
                                -c \
                                -v \
                                -f domain_user.ldif
   

To configure a new LDAP-based authentication provider:

1. Log in to the WebLogic Server Administration Console.

2. Click Security Realms in the left navigational bar.

3. Click the myrealm default realm entry.

4. Click the Providers tab.

   Note that there is a DefaultAuthenticator provider configured for the realm. This is the default WebLogic Server authentication provider.

   Figure 10-1 List of Available Authentication Providers

   
   Description of "Figure 10-1 List of Available Authentication Providers"

5. Click Lock & Edit in the Change Center.

6. Click the New button below the Authentication Providers table.

7. Enter a name for the provider.

   Use one of the following names, based on the LDAP directory service you are planning to use as your credential store:

   • OUDAuthenticator for Oracle Unified Directory

   • OIDAuthenticator for Oracle Internet Directory

   • OVDAuthenticator for Oracle Virtual Directory

8. Select the authenticator type from the Type drop-down list.

   Select one of the following types, based on the LDAP directory service you are planning to use as your credential store:

   • OracleUnifiedDirectoryAuthenticator for Oracle Unified Directory

   • OracleInternetDirectoryAuthenticator for Oracle Internet Directory

   • OracleVirtualDirectoryAuthenticator for Oracle Virtual Directory

9. Click OK to return to the Providers screen.

10. On the Providers screen, click the newly created authenticator in the table.

11. Select SUFFICIENT from the Control Flag drop-down menu.

    Setting the control flag to SUFFICIENT indicates that if the authenticator can successfully authenticate a user, then the authenticator should accept that authentication and should not continue to invoke any additional authenticators.

    If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flags set to SUFFICIENT; in particular, check the DefaultAuthenticator and make sure that its control flag is set to SUFFICIENT.

12. Click Save to persist the change of the control flag setting.

13. Click the Provider Specific tab and enter the details specific to your LDAP server, as shown in the following table.

    Note that only the required fields are discussed in this procedure. For information about all the fields on this page, consider the following resources:

    • To display a description of each field, click Help on the Provider Specific tab.

    • For more information on setting the User Base DN, User From Name Filter, and User Attribute fields, see Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers in Administering Security for Oracle WebLogic Server.

    Parameter	Sample Value	Value Description
    Host	For example: idstore.example.com	The LDAP server's server ID.
    Port	For example: 1389	The LDAP server's port number.
    Principal	For example: cn=biLDAP, cn=systemids,dc=example,dc=com	The LDAP user DN used to connect to the LDAP server.
    Credential	Enter LDAP password.	The password used to connect to the LDAP server.
    SSL Enabled	Unchecked (clear)	Specifies whether SSL protocol is used when connecting to the LDAP server.
    User Base DN	For example: cn=users,dc=example,dc=com	Specify the DN under which your users start.
    All Users Filter	(&(uid=*)(objectclass=person))	Instead of a default search criteria for All Users Filter, search all users based on the uid value. If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the User From Name Filter field. For example, if the User Name Attribute type is cn, then this field should be set to: (&(cn=*)(objectclass=person)))
    User From Name Filter	For example: (&(uid=%u)(objectclass=person))	If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the settings for the User From Name Filter. For example, if the User Name Attribute type is cn, then this field should be set to: (&(cn=%u)(objectclass=person))).
    User Name Attribute	For example: uid	The attribute of an LDAP user object that specifies the name of the user.
    Use Retrieved User Name as Principal	Checked	Must be turned on.
    Group Base DN	For example: cn=groups,dc=example,dc=com	Specify the DN that points to your Groups node.
    GUID Attribute	entryuuid	This value is prepopulated with entryuuid when OracleUnifiedDirectoryAuthenticator is used for OUD. Check this value if you are using Oracle Unified Directory as your authentication provider.

14. Click Save to save the changes.

15. Return to the Providers page by clicking Security Realms in the right navigation pane, clicking the default realm name (myrealm), and then Providers.

16. Click Reorder, and then use the resulting page to make the Provider you just created first in the list of authentication providers.

    Figure 10-2 Reordering the Authentication Providers

    
    Description of "Figure 10-2 Reordering the Authentication Providers"

17. Click OK.

18. On the Providers Page, click DefaultAuthenticator.

19. From the Control Flag drop-down, select SUFFICIENT.

20. Click Save to update the DefaultAuthenticator settings.

21. In the Change Center, click Activate Changes.

22. Restart the Administration Server and all managed servers.

    To stop the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers in the Target Navigator and click Shut Down in the toolbar.

    To stop and start the Administration Server using the Node Manager:

    1. Start WLST:

       cd ORACLE_COMMON_HOME/common/bin
       ./wlst.sh
       

    2. Connect to Node Manager using the Node Manager credentials you defined in when you created the domain in the Configuration Wizard:

       wls:/offline>nmConnect('nodemanager_username','nodemanager_password',
                   'ADMINVHN','5556','domain_name',
                   'ASERVER_HOME')
       

    3. Stop the Administration Server:

       nmKill('AdminServer')
       

    4. Start the Administration Server:

       nmStart('AdminServer')
       

    5. Exit WLST:

       exit()
       

    To start the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers, and click Start Up in the toolbar.

23. After the restart, review the contents of the following log file:

    ASERVER_HOME/servers/AdminServer/logs/AdminServer.log
    

    Verify that no LDAP connection errors occurred. For example, look for errors such as the following:

    The LDAP authentication provider named "OUDAuthenticator" failed to make connection to ldap server at ...
    

    If you see such errors in the log file, then check the authorization provider connection details to verify they are correct and try saving and restarting the Administration Server again.

24. After you restart and verify that no LDAP connection errors are in the log file, try browsing the users and groups that exist in the LDAP provider:

    In the Administration Console, navigate to the Security Realms > myrealm > Users and Groups page. You should be able to see all users and groups that exist in the LDAP provider structure.

This example shows how to create a user called weblogic_bi and a group called BIAdministrators.

To provision the administration user and group in LDAP provider:

1. Create an LDIF file named admin_user.ldif with the following contents and then save the file:

   dn: cn=weblogic_bi,cn=users,dc=example,dc=com
   changetype: add
   orclsamaccountname: weblogic_bi
   userpassword: password
   objectclass: top
   objectclass: person
   objectclass: organizationalPerson
   objectclass: inetorgperson
   objectclass: orcluser
   objectclass: orcluserV2
   mail: weblogic_bi@example.com
   givenname: weblogic_bi
   sn: weblogic_bi
   cn: weblogic_bi
   uid: weblogic_bi

2. Provision the user in the LDAP directory.

   For example, for an Oracle Unified Directory LDAP provider:

   OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                    -h idstore.example.com
                                    -D "cn=oudadmin" \
                                    -w password \
                                    -p 1389 \
                                    -f admin_user.ldif

   For Oracle Internet Directory:

   OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \
                                -p 3060 \
                                -D cn="orcladmin" \
                                -w password \
                                -c \
                                -v \
                                -f admin_user.ldif
   

3. Create an LDIF file named admin_group.ldif with the following contents and then save the file:

   dn: cn=BIAdministrators,cn=Groups,dc=example,dc=com
   displayname: BIAdministrators
   objectclass: top
   objectclass: groupOfUniqueNames
   objectclass: orclGroup
   uniquemember: cn=weblogic_bi,cn=users,dc=example,dc=com
   cn: BIAdministrators
   description: Administrators Group for the Oracle Analytics Server Domain
   

4. Provision the group in the LDAP Directory.

   For Oracle Unified Directory:

   OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                    -D "cn=oudadmin" \
                                    -h oudhost.example.com \
                                    -w password \
                                    -p 1380 \
                                    -f admin_group.ldif
   

   For Oracle Internet Directory:

   OID_ORACLE_HOME/bin/ldapadd -h oidhost.example.com \
                               -p 3060 \
                               -D cn="orcladmin" \
                               -w password \
                               -c \
                               -v \
                               -f admin_group.ldif
   

5. Verify that the changes were made successfully:

   1. Log in to the Oracle WebLogic Server Administration Console.

   2. In the left pane of the console, click Security Realms.

   3. Click the default security realm (myrealm).

   4. Click the Users and Groups tab.

   5. Verify that the administrator user and group that you provisioned are listed on the page.

After you add the users and groups to Oracle Internet Directory, the group must be assigned the Administration role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for the domain.

To assign the Administration role to the new enterprise deployment administration group:

After you create the new administration user and group, you must update the Administration Server boot.properties file with the administration user credentials that you created in the LDAP directory: