10 Creating the Initial Infrastructure Domain for an Enterprise Deployment
- About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, be sure to review the following key concepts. - Variables Used When Creating the Infrastructure Domain
As you perform the tasks in this chapter, you reference the directory variables that are listed in this section. - Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1
Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for an enterprise deployment. - Creating the Database Schemas
Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware. - Configuring the Infrastructure Domain
The following topics provide instructions for creating a WebLogic Server domain using the Fusion Middleware Configuration wizard. - Download and Configure WebLogic Remote Console
This section describes how to download and configure the WebLogic Remote Console. - Configuring SSL Certificates for the Domain
This section describes how to configure SSL certificates for the domain. - Configuring a Per Host Node Manager for an Enterprise Deployment
For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager. - Configuring the Domain Directories and Starting the Servers on SOAHOST1
After the domain is created and the node manager is configured, you can then configure the additional domain directories and start the Administration Server and the Managed Servers on SOAHOST1. - Configuring Web Services Manager
This section describes how to configure Web Services Manager. - Propagating the Domain and Starting the Servers on SOAHOST2
After you start and validate the Administration Server and WLS_WSM1 Managed Server on SOAHOST1, you can then perform the following tasks on SOAHOST2. - Modifying the Upload and Stage Directories to an Absolute Path
After you configure the domain and unpack it to the Managed Server domain directories on all the hosts, verify and update the upload and stage directories for Managed Servers in the new clusters. - Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group
When you configure an Oracle Fusion Middleware domain, the domain is configured by default to use the WebLogic Server authentication provider (DefaultAuthenticator
). However, for an enterprise deployment, Oracle recommends that you use a dedicated, centralized LDAP-compliant authentication provider. - Adding the wsm-pm Role to the Administrators Group
After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (SOA Administrators
) as a member to thepolicy.Updater
role in thewsm-pm
application stripe. - Backing Up the Configuration
It is an Oracle best practices recommendation to create a backup after you successfully extended a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. - Verification of Manual Failover of the Administration Server
After you configure the domain, you should test the failover.
Parent topic: Configuring the Enterprise Deployment
About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, be sure to review the following key concepts.
About the Infrastructure Distribution
You create the initial Infrastructure domain for an enterprise deployment by using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.
The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies that are required to support the Oracle Fusion Middleware products.
Later in this guide, you can then extend the domain to support the Oracle Fusion Middleware products that are required for your enterprise deployment.
See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.
Parent topic: About the Initial Infrastructure Domain
Characteristics of the Domain
The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.
Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.
Characteristic of the Domain | More Information |
---|---|
Uses a separate virtual IP (VIP) address for the Administration Server. |
Configuration of the Administration Server and Managed Servers Domain Directories |
Uses separate domain directories for the Administration Server and the Managed Servers in the domain. |
Configuration of the Administration Server and Managed Servers Domain Directories |
Includes a dedicated cluster for Oracle Web Services Manager |
|
Uses a per host Node Manager configuration. |
About the Node Manager Configuration in a Typical Enterprise Deployment |
Requires a separately installed LDAP-based authentication provider. |
Understanding OPSS and Requests to the Authentication and Authorization Stores |
Parent topic: About the Initial Infrastructure Domain
Variables Used When Creating the Infrastructure Domain
As you perform the tasks in this chapter, you reference the directory variables that are listed in this section.
These directory variables are defined in File System and Directory Variables Used in This Guide.
-
ORACLE_HOME
-
ASERVER_HOME
-
MSERVER_HOME
-
APPLICATION_HOME
-
JAVA_HOME
-
NM_HOME
-
KEYSTORE_HOME
In addition, you reference the following virtual IP (VIP) addresses and host names that are defined in Physical and Virtual IP Addresses Required by the Enterprise Topology:
-
ADMINVHN (ADMINVIP)
-
SOAHOST1
-
SOAHOST2
-
DBHOST1
-
DBHOST2
-
SCAN Address for the Oracle RAC Database (
DB-SCAN.example.com
)
Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1
Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for an enterprise deployment.
- Installing a Supported JDK
- Starting the Infrastructure Installer on SOAHOST1
- Navigating the Infrastructure Installation Screens
- Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers
- Checking the Directory Structure
After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation. - Disabling the Derby Database
Installing a Supported JDK
Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.
Locating and Downloading the JDK Software
To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:
https://www.oracle.com/java/technologies/downloads/
Be sure to navigate to the download for the Java SE JDK.
Parent topic: Installing a Supported JDK
Installing the JDK Software
Install the JDK onto the VOL1
and VOL2
shared storage volumes mounted to /u01/oracle/products
on the application tier hosts. Name the folder for the JDK without version numbers to avoid re-configuration challenges during JDK upgrades. Example: /u01/oracle/products/jdk
.
Note:
Multiple installations may be needed as recommended mount points use multiple product shared volumes.For more information about the recommended location for the JDK software, see the Understanding the Recommended Directory Structure for an Enterprise Deployment.
The following example describes how to install a recent version of JDK 17.0.
Parent topic: Installing a Supported JDK
Starting the Infrastructure Installer on SOAHOST1
To start the installation program, perform the following steps.
When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.
Navigating the Infrastructure Installation Screens
The installation program displays a series of screens, in the order listed in the following table.
If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.
Table 10-1 Navigating the Infrastructure Installation Screens
Screen | Description |
---|---|
On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location. See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer. Note: Oracle recommends that you configure the central inventory directory on the products shared volume. Example: You may also need to execute the |
|
This screen introduces you to the product installer. |
|
Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you have already downloaded for your organization. |
|
Use this screen to specify the location of your Oracle home directory. For the purposes of an enterprise deployment, enter the value of the ORACLE_HOME variable listed in Table 7-2. |
|
Use this screen to select the type of installation and as a consequence, the products and feature sets that you want to install. For this topology, select Fusion Middleware Infrastructure. Note: The topology in this document does not include server examples. Oracle strongly recommends that you do not install the examples into a production environment. |
|
This screen verifies that your system meets the minimum requirements. If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN). |
|
If you already have an Oracle Support account, use this screen to indicate how you would like to receive security updates. If you do not have one and are sure that you want to skip this step, clear the check box and verify your selection in the follow-up dialog box. |
|
Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation. For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer. |
|
This screen allows you to see the progress of the installation. |
|
This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer. |
Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers
If you have configured a separate shared storage volume or partition for secondary hosts, then you must install the Infrastructure on one of those hosts.
See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.
To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Infrastructure Installer on SOAHOST1 and Navigating the Infrastructure Installation Screens to create the Oracle home on the appropriate storage device.
Note:
In previous releases, the recommended enterprise topology included a colocated set of Oracle HTTP Server instances. In those releases, there was a requirement to install the Infrastructure on the web tier hosts (WEBHOST1 and WEBHOST2). However, for this release, the Enterprise Deployment topology assumes that the web servers are installed and configured in standalone mode, so they are not considered part of the application tier domain. See Configuring Oracle HTTP Server for an Enterprise Deployment
Checking the Directory Structure
After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation.
To check the directory structure:
Disabling the Derby Database
Creating the Database Schemas
Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.
-
Metadata Services (MDS)
-
Audit Services (IAU)
-
Audit Services Append (IAU_APPEND)
-
Audit Services Viewer (IAU_VIEWER)
-
Oracle Platform Security Services (OPSS)
-
User Messaging Service (UMS)
-
WebLogic Services (WLS)
-
Common Infrastructure Services (STB)
Use the Repository Creation Utility (RCU) to create the schemas. This utility is installed in the Oracle home for each Oracle Fusion Middleware product. For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.
Complete the following steps to install the required schemas:
Installing and Configuring a Certified Database
Make sure that you have installed and configured a certified database, and that the database is up and running.
See the Preparing the Database for an Enterprise Deployment.
Parent topic: Creating the Database Schemas
Starting the Repository Creation Utility (RCU)
To start the Repository Creation Utility (RCU):
Parent topic: Creating the Database Schemas
Navigating the RCU Screens to Create the Schemas
Follow the instructions in this section to create the schemas for the Fusion Middleware Infrastructure domain:
-
Task 6, "Verifying the Tablespaces for the Required Schemas"
-
Task 8, "Reviewing Completion Summary and Completing RCU Execution"
- Task 1 Introducing RCU
-
Review the Welcome screen and verify the version number for RCU. Click Next to begin.
- Task 2 Selecting a Method of Schema Creation
-
If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.
If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.
Click Next.
Tip:
For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.
- Task 3 Providing Database Connection Details
-
Provide the database connection details for RCU to connect to your database.
-
As Database Type, select Oracle Database enabled for edition-based redefinition.
Note:
Oracle Database enabled for edition-based redefinition (EBR) is recommended to support Zero Down Time upgrades. For more information, see https://www.oracle.com/database/technologies/high-availability/ebr.html. -
In the Host Name field, enter the SCAN address of the Oracle RAC Database.
-
Enter the Port number of the RAC database scan listener, for example 1521.
-
Enter the RAC Service Name of the database.
-
Enter the User Name of a user that has permissions to create schemas and schema objects, for example SYS.
-
Enter the Password of the user name that you provided in step 4.
-
If you have selected the SYS user, ensure that you set the role to SYSDBA.
-
Click Next to proceed, and then click OK on the dialog window confirming that connection to the database was successful.
Tip:
For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.
-
- Task 4 Specifying a Custom Prefix and Selecting Schemas
-
-
Specify the custom prefix that you want to use to identify the Oracle Fusion Middleware schemas.
The custom prefix is used to logically group these schemas together for use in this domain. For the purposes of this guide, use the prefix FMW1412_
Tip:
Make a note of the custom prefix that you choose to enter here; you will need this later, during the domain creation process.
For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.
-
Select AS Common Schemas.
When you select AS Common Schemas, all the schemas in this section are automatically selected.
If the schemas in this section are not automatically selected, then select the required schemas.
There are two mandatory schemas that are selected by default. You cannot deselect them: Common Infrastructure Services (the STB schema) and WebLogic Services (the WLS schema). The Common Infrastructure Services schema enables you to retrieve information from RCU during domain configuration. See Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.
Tip:
For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.
Click Next to proceed, and then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.
-
- Task 5 Specifying Schema Passwords
-
Specify how you want to set the schema passwords on your database, then specify and confirm your passwords. Ensure that the complexity of the passwords meet the database security requirements before you continue. RCU proceeds at this point even if you do not meet the password polices. Hence, perform this check outside RCU itself.
Click Next.
Tip:
You must make a note of the passwords you set on this screen; you need them later on during the domain creation process.
- Task 6 Verifying the Tablespaces for the Required Schemas
-
You can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.
Note:
You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the Weblogic Services component tablespace. If your environment expects to have a high level of transactions and JMS activity, you can increase the default size of the <PREFIX>_WLS tablespace to better suit the environment load.
Click Next to continue, and then click OK on the dialog window to confirm the tablespace creation.
For more information about RCU and its features and concepts, see About the Repository Creation Utility in Creating Schemas with the Repository Creation Utility.
- Task 7 Creating Schemas
-
Review the summary of the schemas to be loaded and click Create to complete schema creation.
Note:
If failures occurred, review the listed log files to identify the root cause, resolve the defects, and then use RCU to drop and recreate the schemas before you continue.
- Task 8 Reviewing Completion Summary and Completing RCU Execution
-
When you reach the Completion Summary screen, verify that all schema creations have been completed successfully, and then click Close to dismiss RCU.
Parent topic: Creating the Database Schemas
Verifying Schema Access
Verify schema access by connecting to the database as the new schema users are created by the RCU. Use SQL*Plus or another utility to connect, and provide the appropriate schema names and passwords entered in the RCU.
For example:
Note:
If the database is a plugable database (PDB), the apropriate tns alias that points to the PDB must be used in the sqlplus command.
./sqlplus FMW1412_WLS/<WLS_schema_password>
SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Sep 11 14:20:00 2024 Version 23.5.0.24.07
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.5.0.24.07
SQL>
Parent topic: Creating the Database Schemas
Configuring the Infrastructure Domain
The following topics provide instructions for creating a WebLogic Server domain using the Fusion Middleware Configuration wizard.
For more information on the other methods that are available for creating a domain, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.
Starting the Configuration Wizard
To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home on SOAHOST1.
$ORACLE_HOME/oracle_common/common/bin/config.sh
Parent topic: Configuring the Infrastructure Domain
Navigating the Configuration Wizard Screens to Configure the Infrastructure Domain
Follow the instructions in the following sections to create and configure the domain for the topology.
-
Task 1, "Selecting the Domain Type and Domain Home Location"
-
Task 8, "Providing the GridLink Oracle RAC Database Connection Details"
-
Task 11, "Configuring the Administration Server Listen Address"
-
Task 21, "Reviewing Your Configuration Specifications and Configuring the Domain"
-
Task 22, "Writing Down Your Domain Home and Administration Server URL"
- Task 1 Selecting the Domain Type and Domain Home Location
-
On the Configuration Type screen, select Create a new domain.
In the Domain Location field, specify the value of the ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.
Tip:
For more information about the other options on this screen of the Configuration Wizard, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.
- Task 2 Selecting the Configuration Templates
-
On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:
-
Oracle Enterprise Manager [em]
Selecting this template automatically selects the following dependencies:
-
Oracle JRF [oracle_common]
-
WebLogic Coherence Cluster Extension [wlserver]
-
-
Oracle WSM Policy Manager [oracle_common]
Tip:
More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 3 Selecting the Application Home Location
-
On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.
Tip:
More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.
- Task 4 Configuring the Administrator Account
-
On the Administrator Account screen, specify the user name (oracle recommends using a different name from “WebLogic”) and password for the default WebLogic Administrator account for the domain.
Make a note of the user name and password specified on this screen; you need these credentials later to boot and connect to the domain's Administration Server and for other operations.
- Task 5 Specifying the Domain Mode and JDK
-
On the Domain Mode and JDK screen:
-
Select Production in the Domain Mode field.
In the Enable or Disable Default Ports for You Domain field, use the default values provided for Production Mode:-
Ensure that Enable Listen Ports (non-SSL Ports) is NOT checked.
-
Ensure that Enable SSL Listen Ports is checked.
-
Ensure that Enable Administration Port (SSL Port) is checked.
Tip:
More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.
-
-
Select Oracle Hotspot JDK in the JDK field.
Note:
Ensure that it points to the folder where you have installed the JDK. See Installing the JDK Software.
-
- Task 6 Specifying the Database Configuration Type
-
On the Database Configuration Type screen:
-
Select RCU Data to activate the fields on this screen.
The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.
-
Verify that Vendor is Oracle and Driver is *Oracle's Driver (Thin) for Service Connections; Versions: Any.
-
Verify that Connection Parameters is selected.
Note:
If you choose to select Manual Configuration on this screen, you have to manually fill in the parameters for your schema on the JDBC Component Schema screen.
After you select RCU Data, fill in the fields as shown in the following table:
Field Description Host Name
Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook.
For information about the Enterprise Deployment Workbook, see Using the Enterprise Deployment Workbook.
DBMS/Service
Enter the service name for the Oracle RAC database appropriate for this domain where you will install the product schemas. For example:
soaedg.example.com
Specify the service name based on the value configured earlier in the Preparing the Database for an Enterprise Deployment section.
Port
Enter the port number on which the database listens. For example,
1521
.Schema Owner
Schema Password
Enter the user name and password to connect to the database's Service Table schema.
This is the schema user name and password that was specified for the Service Table component on the Schema Passwords screen in RCU (see Creating the Database Schemas).
The default user name is
prefix
_STB
, whereprefix
is the custom prefix that you defined in RCU.Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation is successful.
Connecting to the database server...OK Retrieving schema data from database server...OK Binding local schema components with retrieved data...OK Successfully Done.
Click Next if the connection to the database is successful.
Tip:
More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.
More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 7 Specifying JDBC Component Schema Information
-
Verify that the values on the JDBC Component Schema screen are correct for all schemas.
The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.
At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.
In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.
To convert the data sources to GridLink:
-
Select all the schemas by selecting the checkbox in the first header row of the schema table.
-
Click Convert to GridLink and click Next.
-
- Task 8 Providing the GridLink Oracle RAC Database Connection Details
-
On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown in following table.
Element Description and Recommended Value Service Name
Verify that the service name for the Oracle RAC database is the appropriate. For example, soaedg.example.com.
SCAN, Host Name, and Port
Select the SCAN check box.
In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database.
In the Port field, enter the SCAN listening port for the database (for example,
1521
).ONS Host and Port
These values are not required when you are using an Oracle 12c database or higher versions because the ONS list is automatically provided from the database to the driver.
Enable Fan
Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.
For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the High Availability Guide.
You can also click Help to display a brief description of each field on the screen.
- Task 9 Testing the JDBC Connections
-
Use the JDBC Component Schema Test screen to test the data source connections that you have just configured.
A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, and then try to test the connection again.
Tip:
More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard.
- Task 10 Selecting Advanced Configuration
-
To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:
-
Administration Server
This is required to configure the listen address of the Administration Server.
-
Node Manager
This is required to configure Node Manager.
-
Topology
This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.
Note:
When you use the Advanced Configuration screen in the Configuration Wizard:
-
If any of the above options are not available on the screen, then return to the Templates screen, and be sure that you selected the required templates for this topology.
-
Do not select the Domain Frontend Host Capture advanced configuration option. You later configure the frontend host property for specific clusters, rather than for the domain.
-
- Task 11 Configuring the Administration Server Listen Address
-
On the Administration Server screen:
-
In the Server Name field, retain the default value "AdminServer".
-
In the Listen Address field, enter the virtual host name that corresponds to the VIP of the ADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.
For more information about the purpose of using the ADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.
-
In the Configure Administration Server Ports section, perform the following steps:
-
Leave the Enable Listen Port field unchecked. The Listen Port value will be disabled in grey.
-
Ensure the Enable SSL Listen port field is checked.
-
Leave the default value as 7002 in the SSL Listen Port field.
-
Leave the default value as 9002 in the Administration Port.
-
-
Leave the default value as Unspecified in the Server Group.
-
- Task 12 Configuring Node Manager
-
Select Manual Node Manager Setup as the Node Manager type.
WARNING:
You can ignore the warning in the bottom pane. This guide provides the required steps for the Manual Node Manager configuration.Tip:
For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.
For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.
For information about Node Manager configurations, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.
- Task 13 Configuring Managed Servers
-
Use the Managed Servers screen to create two new Managed Servers:
-
Click the Add button to create a new Managed Server.
-
Specify
WLS_WSM1
in the Server name column. -
In the SSL Listen Address column, enter SOAHOST1. Ensure you enter the host name that corresponds to SOAHOST1 and do not use the IP address.
-
Ensure that Enable Listen is unchecked and Listen Port is "Disabled" (grayed out).
-
Ensure that Enable SSL Port is checked for all servers.
-
Set SSL Listen Port to 7010.
-
Set Administration Port to 9003.
-
In the Server Groups drop-down list, select JRF-MAN-SVR and WSMPM-MAN-SVR.
These server groups ensure that the Oracle JRF and Oracle Web Services Manager (OWSM) services are targeted to the Managed Servers that you are creating.
Server groups target Fusion Middleware applications and services to one or more servers by mapping defined groups of application services to each defined server group. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. See Application Service Groups, Server Groups, and Application Service Mappings in Domain Template Reference.
Note:
Nonce caching for Oracle Web Services is initialized automatically by the WSM-CACHE-SVR server group and is suitable for most custom applications. This initialization is automatically performed in SOA, OSB, and other FMW servers that run JRF and create a coherence cluster. Nonce is a unique number that can be used only once in a SOAP request and is used to prevent replay attacks. Nonce caching naturally scales with the number of added Managed Servers that run Web service applications.
For information about advanced caching configurations, see Caching the Nonce with Oracle Coherence in Securing Web Services and Managing Policies with Oracle Web Services Manager, which provides additional guidance for the use of nonce caching and the WSM-CACHE-SVR server-group in custom WLS servers.
-
Repeat this process to create a second Managed Server named
WLS_WSM2
.Table 10-2 Managed Server
Server Name Listen Address Enable Listen Port Listen Port Enable SSL Port SSL Listen Port Administration Port Server groups WLS_WSM1
SOAHOST1
unchecked
Disabled
Checked
7010
9003
JRF-MAN-SVR
andWSMPM-MAN-SVR
WLS_WSM2
SOAHOST2
unchecked
Disabled
Checked
7010
9003
JRF-MAN-SVR
andWSMPM-MAN-SVR
The Managed Server names suggested in this procedure (WLS_WSM1 and WLS_WSM2) are referenced throughout this document; if you choose different names then be sure to replace them as needed.
Tip:
More information about the options on this screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 14 Configuring a Cluster
-
Use the Clusters screen to create a new cluster:
-
Click the Add button.
-
Specify
WSM-PM_Cluster
in the Cluster Name field. -
Click Next.
Note:
If you specify a front-end host and a front-end port, the URL validation fails after domain configuration because the web tier is not setup at this point. Hence, any redirections in the hosted application returns to the front-end address. You must configure the web tier to allow accessing the URLs through LBR.
You can configure the front-end port and address at a later point. For instructions, see Setting the Front End Host and Port for a WebLogic Cluster.
Tips:
For more information about the options on this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 15 Assigning Server Templates
-
Click Next.
- Task 16 Configuring Dynamic Servers
-
Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.
-
Confirm that the Calculated Listen Port and Calculated Machine Names checkboxes on this screen are unchecked.
-
Confirm that the Server Template selection and Dynamic Server Groups are Unspecified.
-
Click Next.
-
- Task 17 Assigning Managed Servers to the Cluster
-
Use the Assign Servers to Clusters screen to assign
WLS_WSM1
andWLS_WSM2
to the new clusterWSM-PM_Cluster
:-
In the Clusters pane, select the cluster to which you want to assign the servers; in this case,
WSM-PM_Cluster
. -
In the Servers pane, assign
WLS_WSM1
toWSM-PM_Cluster
by doing one of the following:-
Click once on
WLS_WSM1
to select it, and then click on the right arrow to move it beneath the selected cluster (WSM-PM_Cluster
) in the Clusters pane.or
-
Double-click on
WLS_WSM1
to move it beneath the selected cluster (WSM-PM_Cluster
) in the clusters pane.
-
-
Repeat these steps to assign the WLS_WSM2 Managed Server to the WSM-PM_Cluster.
Tip:
More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 18 Configuring Coherence Clusters
-
Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.
In the Cluster Listen Port, enter
9991
.Note:
For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.
- Task 19 Creating Machines
-
Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.
-
Select the Unix Machine tab.
-
Click the Add button to create new UNIX machines.
Use the values in Table 10-3 to define the Name and Node Manager Listen Address of each machine.
-
Verify the port in the Node Manager Listen Port field.
The port number
5556
, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number, as needed.
Table 10-3 Values to Use When Creating Unix Machines
Name Node Manager Listen Address Node Manager Type Node Manager Listen Port ADMINHOST
Enter the value of the ADMINVHN variable.
SSL
5556
SOAHOST1
The value of the SOAHOST1 host name variable or SOAHOST1 alias. For example,
SOAHOST1.example.com
.SSL
5556 SOAHOST2
The value of the SOAHOST2 host name variable or SOAHOST2 alias. For example,
SOAHOST2.example.com
.SSL
5556
Tip:
More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 20 Assigning Servers to Machines
-
Use the Assign Servers to Machines screen to assign any statically defined managed servers to the appropriate machines. Servers that are part of a dynamic cluster are assigned to the calculated machine names automatically.
The Assign Servers to Machines screen is similar to the Assign Managed Servers to Clusters screen. Select the target machine in the Machines column, select the server name in the left column, and click the right arrow to assign the server to the appropriate machine.
Assign the servers as follows:
-
Assign the AdminServer to the ADMINHOST machine.
-
Assign the WLS_WSM1 Managed Server to the SOAHOST1 machine.
-
Assign the WLS_WSM2 Managed Server to the SOAHOST2 machine.
Tip:
More information about the options on this screen can be found in Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.
-
- Task 21 Reviewing Your Configuration Specifications and Configuring the Domain
-
The Configuration Summary screen contains the detailed configuration information for the domain that you are about to create. Review the details of each item on the screen and verify that the information is correct.
If you need to make any changes, you can go back to any previous screen either by using the Back button or by selecting the screen in the navigation pane.
Domain creation does not begin until you click Create.
In the Configuration Progress screen, click Next when it finishes.
Tip:
More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.
- Task 22 Writing Down Your Domain Home and Administration Server URL
-
The Configuration Success screen shows the following items about the domain you just configured:
-
Domain Location
-
Administration Server URL
You must make a note of both items as you need them later; the domain location is needed to access the scripts that are used to start the Administration Server.
Click Finish to dismiss the Configuration Wizard.
-
Parent topic: Configuring the Infrastructure Domain
Download and Configure WebLogic Remote Console
This section describes how to download and configure the WebLogic Remote Console.
Note:
For the initial configuration steps required in this EDG, you will need access to the AdminServer listen address and administration port. Later on you will configure access from a frontend load balancer.
Perform the following steps to download and configure the WebLogic Remote Console:
Configuring SSL Certificates for the Domain
This section describes how to configure SSL certificates for the domain.
Creating Certificates and Certificate Stores for the WebLogic Domain
The Enterprise Deployment Guide provides steps to configure a domain that uses SSL listen addresses for all Weblogic Managed Servers, Weblogic Administration Server and Node Managers in the application tier. To achieve this the required certificates for all servers, machines and NM listen addresses must be created and pointed to from the domain and Node Manager configuration.
In Oracle FMW 14.1.2.0, Oracle WebLogic allows the usage of a per-domain Certificate Authority (CA). In this model, the CertGen and ImportPrivateKey utilities are enhanced to use the domain's secret key to encrypt the passphrases and store them in the domain's DemoCerts.props file. A self-signed Demo CA is automatically created for the domain and it is used for signing certificates for the SSL listen addresses used in the EDG. Although in a real production system, standard CAs should be used, the per-domain CA model implements an SSL system using domain specific CA that provides a higher degree of protection than non-ssl configurations. If you want to use your own custom certificates, see About Using Third Party SSL Certificates in the WebLogic and Oracle HTTP Servers in the Common Configuration and Management Tasks for an Enterprise Deployment chapter.
Oracle recommends using a shared storage location (protected with the appropriate snapshot or file backup tooling) where all the different certificates and stores can be found by the different servers. Perform the following steps to generate an Identity store and a Trust Store that can be used for enabling SSL listeners in a Weblogic Server using a per-domain CA:
-
Download the
generate_perdomainCACERTS.sh
script in the maa github repo.https://github.com/oracle-samples/maa/blob/main/1412EDG/generate_perdomainCACERTS.sh
-
Run the script with the following arguments:
- WLS_DOMAIN_DIRECTORY: Directory hosting the Weblogic Domain that the Administration Server uses.
- WL_HOME: The directory within the Oracle home where the Oracle
WebLogic Server software binaries are stored. Typically
/u01/oracle/products/fmw/wlserver
. - KEYSTORE_HOME: Directory where appIdentity and appTrust stores will be created.
- KEYPASS: Password used for the weblogic administration user (will be reused for certs and stores).
Example:
./generate_perdomainCACERTS.sh $ASERVER_HOME $ORACLE_HOME/wlserver $KEYSTORE_HOME <keypass>
The script will traverse the
WLS_DOMAIN_DIRECTORY/config/config.xml
to find all the listen
addresses used in the domain, generate certificates for all of them, create a trust
store with the domain CA and import certificates into a new Identity store. The aliases
used in the import will be the same as the hostname used as listen address. Both the
trust store and the identity store will be placed in the
KEYSTORE_HOME
directory.
Run the following command to verify if the "domainca" entry is there as a
trustedCertEntry
:
keytool -list -keystore $KEYSTORE_HOME/appTrustKeyStore.pkcs12
Run the following command to verify if there is a
PrivateKeyEntry
for each listen address (the values for ADMINVHN,
SOAHOST1 and SOAHOST2):
keytool -list -keystore $KEYSTORE_HOME/appIdentityKeyStore.pkcs12
Parent topic: Configuring SSL Certificates for the Domain
Adding Certificate Stores Location to the WebLogic Servers Start Scripts
Once the Identity and Trust Stores are created for the domain some Java properties must
be added to the WebLogic start scripts. These properties are added to the file
setUserOverridesLate.sh
in $ASERVER_HOME/bin
.
Any customizations you add to this file are preserved during domain upgrade operations
and are carried over to remote servers when using the pack and unpack commands.
-
If you created the Identity and Trust Stores with the script
generate_perdomainCACERTS.sh
, as explained in Creating Certificates and Certificate Stores for the WebLogic Domain, then the properties are automatically added to the filesetUserOverridesLate.sh
in$ASERVER_HOME/bin
. Just verify that the file exists and that theEXTRA_JAVA_PROPERTIES
have been added. -
If you are using your own custom certificates, then manually create the file
setUserOverridesLate.sh
in$ASERVER_HOME/bin
. Edit the file and add the variableEXTRA_JAVA_PROPERTIES
to set thejavax.net.ssl.trustStore
andjavax.net.ssl.trustStorePassword
properties with the values used by your EDG system. For example:EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 -Djavax.net.ssl.trustStorePassword=mypassword" export EXTRA_JAVA_PROPERTIES
Note:
The order of the extra java properties is relevant. In case that the same property is defined more than once, the later value is used. The custom values must be defined as in the example provided.Parent topic: Configuring SSL Certificates for the Domain
Update Server's Security Settings Using the Remote Console
- Connecting to the Remote Console Using the Administration Server’s Virtual Hostname as Provider
- Updating the WebLogic Servers Security Settings
Parent topic: Configuring SSL Certificates for the Domain
Connecting to the Remote Console Using the Administration Server’s Virtual Hostname as Provider
Note:
For this Remote Console initial access to the Administration Server, it is required that the machine that runs the Remote Console can resolve and connect to the Admin Server's Listen Address. This can be done by starting the Remote Console directly in the node where the Admin Server runs or creating a tunnel to this address from the node where the remote Console is executed.- Using the following default start script to start the Administration
Server:
- Create a new provider in the WebLogic Remote Console as follows:
Configuring KSS with Per-domain CA
For consistency purposes and to use a common CA all across the domain artifacts you may want to use the per-domain CA for KSS (store used by OPSS and other components in the WebLogic Infrastructure/JRF Domain.
Perform the following steps to import the domain CA certificate in the KSS trusted store:
Parent topic: Configuring SSL Certificates for the Domain
Configuring a Per Host Node Manager for an Enterprise Deployment
For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager.
For more information about the advantages of a per host Node Manager, see About the Node Manager Configuration in a Typical Enterprise Deployment
Creating a Per Host Node Manager Configuration
startNodeManager.sh
file.
To create a per-host Node Manager configuration, perform the following tasks, first on SOAHOST1, and then on SOAHOST2:
Starting the Node Manager on SOAHOST1
startNodeManager.sh
script.
Configuring the Node Manager Credentials
Perform the following steps to set the Node Manager credentials using the Remote Console:
- Access the Domain provider in the Remote Console.
- Click Edit Tree.
- Click Environment > Domain> Security.
- Check the Show Advanced Fields field.
- Set Node Manager Username to the same as the Weblogic Administrator, since this username will be used in other tasks mentioned in this guide.
- Change the NM password. Ensure the Node Manager password is set to the same as the Weblogic Administrator since this password will be used in other tasks mentioned in this guide.
- Click Save. The cart on the top right part of the screen will show full with a yellow bag inside.
- Click the Cart Icon on the top right and select Commit Changes.
Enrolling the Domain with NM
Perform the following steps in a new terminal window to enroll the domain with Node manager.
Note:
You will be unable to connect to the Node Manager and use it to start the servers in the domain without performing this step.Adding Truststore Configuration to Node Manager
It is required to add the corresponding truststore configuration for Node
Manager communication with the different WebLogic Server listeners. To do this, edit
Node Manager's start script startNodeManager.sh
located at
$NM_HOME
and add the variable JAVA_OPTIONS to set the javax.net.ssl.trustStore
and
javax.net.ssl.trustStorePassword
properties with the values used by
your EDG system. For example:
export JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 -Djavax.net.ssl.trustStorePassword=mypassword"
Note:
If you have used thegenerate_perdomainCACERTS.sh
script to generate
certificates and stores, the trustStorePassword
is the password
provided as "KEYPASS
" parameter to the script.
Configuring the Domain Directories and Starting the Servers on SOAHOST1
After the domain is created and the node manager is configured, you can then configure the additional domain directories and start the Administration Server and the Managed Servers on SOAHOST1.
- Starting the Administration Server Using the Node Manager
After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain. - Validating the Administration Server
Before you proceed with the configuration steps, validate that the Administration Server has started successfully by making sure that you have access to the Oracle WebLogic Remote Console and Oracle Enterprise Manager Fusion Middleware Control; both of these are installed and configured on the Administration Servers. - Creating a Separate Domain Directory for Managed Servers on SOAHOST1
When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory is used to run the Administration Server. You can now create a copy of the domain on the local storage for both SOAHOST1 and SOAHOST2. The domain directory on the local (or private) storage is used to run the Managed Servers. - Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1
After you have configured Node Manager and created the Managed Server domain directory, you can use Oracle Enterprise Manager Fusion Middleware Control to start the WLS_WSM1 Managed Server on SOAHOST1.
Starting the Administration Server Using the Node Manager
After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.
To start the Administration Server by using the Node Manager:
Validating the Administration Server
Before you proceed with the configuration steps, validate that the Administration Server has started successfully by making sure that you have access to the Oracle WebLogic Remote Console and Oracle Enterprise Manager Fusion Middleware Control; both of these are installed and configured on the Administration Servers.
To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:
https://ADMINVHN:9002/em
You should be able to connect to the Admin Server from the Remote Console as before.
Creating a Separate Domain Directory for Managed Servers on SOAHOST1
When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory is used to run the Administration Server. You can now create a copy of the domain on the local storage for both SOAHOST1 and SOAHOST2. The domain directory on the local (or private) storage is used to run the Managed Servers.
Placing the MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. It is also faster to load classes and jars need from the domain directory, so any temporary or cache data that the Managed Servers use from the domain directory is processed quicker.
As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the MSERVER_HOME variable.
To create the Managed Server domain directory:
Configuring Web Services Manager
This section describes how to configure Web Services Manager.
Bootstrapping WSM
Note:
If this task is not performed, the WSMPM does not work properly .Parent topic: Configuring Web Services Manager
Propagating the Domain and Starting the Servers on SOAHOST2
After you start and validate the Administration Server and WLS_WSM1 Managed Server on SOAHOST1, you can then perform the following tasks on SOAHOST2.
Unpacking the Domain on SOAHOST2
This procedure assumes you have copied the file that you created earlier in a location that is accessible from both SOAHOST1 and SOAHOST2; such as the ASERVER_HOME directory, which is located on the shared storage filer:
Starting the Node Manager on SOAHOST2
Starting and Validating the WLS_WSM2 Managed Server on SOAHOST2
Use the procedure in Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1 to start and validate the WLS_WSM2 Managed Server on SOAHOST2.
Modifying the Upload and Stage Directories to an Absolute Path
Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group
When you configure an Oracle Fusion Middleware domain, the domain is configured by default to use the WebLogic Server authentication provider (DefaultAuthenticator
). However, for an enterprise deployment, Oracle recommends that you use a dedicated, centralized LDAP-compliant authentication provider.
The following topics describe how to use the Oracle WebLogic Remote Console to create a new authentication provider for the enterprise deployment domain. This procedure assumes that you have already installed and configured a supported LDAP directory, such as Oracle Unified Directory or Oracle Internet Directory.
- About the Supported Authentication Providers
- About the Enterprise Deployment Users and Groups
- Prerequisites for Creating a New Authentication Provider and Provisioning Users and Groups
- Provisioning a Domain Connector User in the LDAP Directory
- Creating the New Authentication Provider
- Provisioning an Enterprise Deployment Administration User and Group
- Adding the Administration Role to the New Administration Group
About the Supported Authentication Providers
Oracle Fusion Middleware supports a variety of LDAP authentication providers. See Identity Store Types and WebLogic Authenticators in Securing Applications with Oracle Platform Security Services.
The instructions in this guide assume that you are using one of the following providers:
-
Oracle Unified Directory
-
Oracle Internet Directory
-
Microsoft Active Directory
Note:
By default, the instructions here describe how to configure the identity service instance to support querying against a single LDAP identity store with an unencrypted connection.
If the connection to your identity provider has to be secured through SSL, then additional keystone configuration is required for role management in the Enterprise Manager Fusion Middleware Control to function correctly. For additional configuration information, see Doc ID 1670789.1 at support.oracle.com.
Also, you can configure the service to support a virtualized identity store, which queries multiple LDAP identity stores, by using LibOVD.
For more information about configuring a Multi-LDAP lookup, refer to Configuring the Identity Store Service in Securing Applications with Oracle Platform Security Services.
About the Enterprise Deployment Users and Groups
The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.
About Using Unique Administration Users for Each Domain
When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.
It is a best practice to create and assign a unique distinguished name (DN) within the directory tree for the users and groups that you provision for the administration of your Oracle Fusion Middleware domains.
For example, if you plan to install and configure an Oracle SOA Suite enterprise deployment domain, then create a user called weblogic_soa
and an administration group called SOA Administrators
.
Parent topic: About the Enterprise Deployment Users and Groups
About the Domain Connector User
Oracle recommends that you create a separate domain connector user (for example, soaLDAP
) in your LDAP directory. This user allows the domain to connect to the LDAP directory for the purposes of user authentication. It is recommended that this user be a non-administrative user.
In a typical Oracle Identity and Access Management deployment, you create this user in the systemids
container. This container is used for system users that are not normally visible to users. Placing the user into the systemids
container ensures that customers who have Oracle Identity Governance do not reconcile this user.
Parent topic: About the Enterprise Deployment Users and Groups
About Adding Users to the Central LDAP Directory
After you configure a central LDAP directory to be the authenticator for the enterprise domain, then you should add all new users to the new authenticator and not to the default WebLogic Server authenticator.
To add new users to the central LDAP directory, you cannot use the WebLogic Remote Console. Instead, you must use the appropriate LDAP modification tools, such as ldapbrowser or JXplorer.
When you are using multiple authenticators (a requirement for an enterprise deployment), login and authentication will work, but role retrieval will not. The role is retrieved from the first authenticator only. If you want to retrieve roles using any other authenticator, then you must enable virtualization for the domain.
To enable virtualization:
-
Browse to the Fusion Middleware Control, and log in with the administrative credentials.
https://ADMINVHN:9002/em
-
Navigate to WebLogic Domain > Security > Security Provider Configuration.
-
Expand Security Store Provider.
-
Expand Identity Store Provider.
-
Click Configure.
-
Add a custom property.
-
Set the following properties:
- virtualize with value true
- optimize_search with value true
Click OK.
-
Click OK again to persist the change.
-
Restart the Administration Server and all managed servers.
For more information about the virtualize property, see OPSS System and Configuration Properties in Securing Applications with Oracle Platform Security Services.
Note:
-
Property
user.create.bases
, to specify the DN under which the users will be created. Example:cn=users,dc=example,dc=com
. -
Property
group.create.bases
, to specify the DN under which the groups will be created. Example:cn=groups,dc=example,dc=com
.
You can configure these properties by following the steps that are described above for adding the virtualize property.
SOA products do not have any application that creates users or groups in the LDAP, so this is required only if you are planning to deploy any additional application that does it. See Configuring the Identity Store in Securing Applications with Oracle Platform Security Services
Parent topic: About the Enterprise Deployment Users and Groups
About Product-Specific Roles and Groups for Oracle SOA Suite
Each Oracle Fusion Middleware product implements its own predefined roles and groups for administration and monitoring.
As a result, as you extend the domain to add additional products, you can add these product-specific roles to the SOA Administrators
group. After they are added to the SOA Administrators
group, each product administrator user can administer the domain with the same set of privileges for performing administration tasks.
For instructions on adding additional roles to the SOA Administrators
group, see Common Configuration and Management Tasks for an Enterprise Deployment.
Parent topic: About the Enterprise Deployment Users and Groups
Example Users and Groups Used in This Guide
In this guide, the examples assume that you provision the following administration user and group with the following DNs:
-
Admin User DN:
cn=
weblogic_soa
,cn=users,dc=example,dc=com -
Admin Group DN:
cn=
SOA Administrators
,cn=groups,dc=example,dc=com -
Product-specific LDAP Connector User:
cn=
This is the user that you use to connect WebLogic Managed Servers to the LDAP authentication provider. This user must have permissions to read and write to the Directory Trees:soaLDAP
,cn=systemids,dc=example,dc=comcn=users,dc=example,dc=com cn=groups,dc=example,dc=com
Note:
This user needs to be granted membership in the following groups to provide read and write access:
cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com
Parent topic: About the Enterprise Deployment Users and Groups
Prerequisites for Creating a New Authentication Provider and Provisioning Users and Groups
Before you create a new LDAP authentication provider, back up the relevant configuration files:
$ASERVER_HOME/config/config.xml $ASERVER_HOME/config/fmwconfig/jps-config.xml $ASERVER_HOME/config/fmwconfig/system-jazn-data.xml
In addition, back up the boot.properties
file for the Administration Server in the following directory:
ASERVER_HOME/servers/AdminServer/security
Provisioning a Domain Connector User in the LDAP Directory
This example shows how to create a user called soaLDAP
in the central LDAP directory.
To provision the user in the LDAP provider:
-
Create an LDIF file named
domain_user.ldif
with the following contents and then save the file:dn: cn=
soaLDAP
,cn=systemids,dc=example,dc=com changetype: add orclsamaccountname:soaLDAP
userpassword: password objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson objectclass: orcluser objectclass: orcluserV2 mail:soaLDAP
@example.com givenname:soaLDAP
sn:soaLDAP
cn:soaLDAP
uid:soaLDAP
Note:
If you use Oracle Unified Directory, then add the following four group memberships to the end of the LDIF file to grant the appropriate read/write privileges:
dn: cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com changetype: modify add: uniquemember uniquemember: cn=
soaLDAP
,cn=systemids,dc=example,dc=com dn: cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com changetype: modify add: uniquemember uniquemember: cn=soaLDAP
,cn=systemids,dc=example,dc=com dn: cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com changetype: modify add: uniquemember uniquemember: cn=soaLDAP
,cn=systemids,dc=example,dc=com dn: cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com changetype: modify add: uniquemember uniquemember: cn=soaLDAP
,cn=systemids,dc=example,dc=com -
Provision the user in the LDAP directory.
For example, for an Oracle Unified Directory LDAP provider:
OUD_INSTANCE_HOME/bin/ldapmodify -a \ -h idstore.example.com -D "cn=oudadmin" \ -w password \ -p 1389 \ -f domain_user.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \ -p 3060 \ -D cn="orcladmin" \ -w password \ -c \ -v \ -f domain_user.ldif
Creating the New Authentication Provider
To configure a new LDAP-based authentication provider:
- Log into the WebLogic Remote Console.
- Click Edit Tree.
- In the left navigational bar, click
Security >
Realms >
myrealm >
Authentication
Providers.
Note:
TheDefaultAuthenticator
provider is configured for the realm. This is the default WebLogic Server authentication provider. - Click New button.
-
Enter a name for the provider.
Use one of the following names, based on the LDAP directory service that you plan to use as your credential store:
-
OUDAuthenticator
for Oracle Unified Directory -
OIDAuthenticator
for Oracle Internet Directory
-
-
Select the authenticator type from the Type drop-down list.
Select one of the following types, based on the LDAP directory service that you plan to use as your credential store:
-
OracleUnifiedDirectoryAuthenticator
for Oracle Unified Directory -
OracleInternetDirectoryAuthenticator
for Oracle Internet Directory
-
-
Select SUFFICIENT from the Control Flag drop-down menu for the newly created authenticator provider.
Setting the control flag to SUFFICIENT indicates that if the authenticator can successfully authenticate a user, then the authenticator should accept that authentication and should not continue to invoke any additional authenticators.
If the authentication fails, it falls through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flags set to SUFFICIENT; in particular, check the
DefaultAuthenticator
option and make sure that its control flag is set to SUFFICIENT. -
Click Create.
-
Click the Authenticator Parameters tab and enter the details specific to your LDAP server, as shown in the following table.
Note that only the required fields are discussed in this procedure. For information about all the fields on this page, consider the following resources:
-
To display a description of each field, click Help on the Provider Specific tab.
-
For more information on setting the User Base DN, User From Name Filter, and User Attribute fields, see Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers in Administering Security for Oracle WebLogic Server.
Parameter Sample Value Value Description Host
For example:
idstore.example.com
The LDAP server's server ID.
Port
For example:
1389
The LDAP server's port number.
Principal
For example:
cn=
soaLDAP
, cn=systemids,dc=example,dc=comThe LDAP user DN used to connect to the LDAP server.
Credential
Enter LDAP password.
The password used to connect to the LDAP server.
SSL Enabled
Unchecked (clear)
Specifies whether SSL protocol is used when connecting to the LDAP server.
User Base DN
For example:
cn
=users,dc=example,dc=com
Specify the DN under which your users start.
All Users Filter
(&(uid=*)(objectclass=person))
Instead of a default search criteria for All Users Filter, search all users based on the
uid
value.If the User Name Attribute for the user object class in the LDAP directory structure is a type other than
uid
, then change that type in the User From Name Filter field.For example, if the User Name Attribute type is
cn
, then this field should be set to:(&(cn=*)(objectclass=person)))
User From Name Filter
For example:
(&(uid=%u)(objectclass=person))
If the User Name Attribute for the user object class in the LDAP directory structure is a type other than
uid
, then change that type in the settings for the User From Name Filter.For example, if the User Name Attribute type is
cn
, then this field should be set to:(&(cn=%u)(objectclass=person)))
.User Name Attribute
For example:
uid
The attribute of an LDAP user object that specifies the name of the user.
Group Base DN
For example:
cn
=groups,dc=example,dc=com
Specify the DN that points to your Groups node.
Use Retrieved User Name as Principal
Checked
Must be turned on.
GUID Attribute
entryuuid
This value is prepopulated with
entryuuid
whenOracleUnifiedDirectoryAuthenticator
is used for OUD. Check this value if you use Oracle Unified Directory as your authentication provider. -
-
Click Save to save the changes.
- Commit the changes in the shopping cart.
- Navigate to Authenticator Providers under Security > Realms > myrealm.
- Check the Authenticator Providers you just created and move up to the first position.
-
On the Authentication Providers screen, click DefaultAuthenticator.
-
From the Control Flag drop-down, select SUFFICIENT.
-
Click Save to update the DefaultAuthenticator settings.
-
Commit the changes in the shopping cart.
-
Restart the Administration Server and all managed servers.
To stop the Managed Servers, sign in to Fusion Middleware Control, select the Managed Servers in the Target Navigator and click Shut Down in the toolbar.
To stop and start the Administration Server by using the Node Manager:
- Start
WLST:
export WLST_PROPERTIES=" -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=password" cd $ORACLE_COMMON_HOME/common/bin ./wlst.sh
-
Connect to Node Manager by using the Node Manager credentials that you defined when you created the domain in the Configuration Wizard:
wls:/offline>nmConnect('nodemanager_username','nodemanager_password', 'ADMINVHN','5556','domain_name', 'ASERVER_HOME','SSL')
-
Stop the Administration Server:
nmKill('AdminServer')
-
Start the Administration Server:
nmStart('AdminServer')
-
Exit WLST:
exit()
To start the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers, and click Start Up in the toolbar.
Note:
If you plan to log in to the system immediately by using the central LDAP user role, you can skip the restart until you have assigned the Administration role to the new enterprise deployment administration group. For more information, see Adding the Administration Role to the New Administration Group.
- Start
WLST:
-
After the restart, review the contents of the following log file:
$ASERVER_HOME/servers/AdminServer/logs/AdminServer.log
Verify that no LDAP connection errors occurred. For example, look for errors such as the following:
The LDAP authentication provider named "OUDAuthenticator" failed to make connection to ldap server at ...
If you see such errors in the log file, then check the authorization provider connection details to verify that they are correct and try saving and restarting the Administration Server again.
-
After you restart and verify that no LDAP connection errors are in the log file, try browsing the users and groups that exist in the LDAP provider:
-
In the Remote Console, go to the Security Tree.
-
Navigate to Realms > myrealm > Authentication Providers.
-
Expand the new Authentication Provider.
-
Click Users and then click Groups.
You should be able to see all users and groups that exist in the LDAP provider structure.
-
Provisioning an Enterprise Deployment Administration User and Group
This example shows how to create a user called weblogic_soa
and a group called SOA Administrators
.
To provision the administration user and group in LDAP provider:
-
Create an
LDIF
file namedadmin_user.ldif
with the following contents and then save the file:dn: cn=
weblogic_soa
,cn=users,dc=example,dc=com changetype: add orclsamaccountname:weblogic_soa
userpassword: password objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson objectclass: orcluser objectclass: orcluserV2 mail:weblogic_soa
@example.com givenname:weblogic_soa
sn:weblogic_soa
cn:weblogic_soa
uid:weblogic_soa
-
Provision the user in the LDAP directory.
For example, for an Oracle Unified Directory LDAP provider:
OUD_INSTANCE_HOME/bin/ldapmodify -a \ -h idstore.example.com -D "cn=oudadmin" \ -w password \ -p 1389 \ -f admin_user.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \ -p 3060 \ -D "cn=oudadmin" \ -w password \ -c \ -v \ -f admin_user.ldif
-
Create an
LDIF
file namedadmin_group.ldif
with the following contents and then save the file:dn: cn=
SOA Administrators
,cn=Groups,dc=example,dc=com displayname:SOA Administrators
objectclass: top objectclass: GroupOfUniqueNames objectclass: orclGroup uniquemember: cn=weblogic_soa,cn=users,dc=example,dc=com cn:SOA Administrators
description: Administrators Group for the Oracle SOA Suite Domain -
Provision the group in the LDAP Directory.
For Oracle Unified Directory:
OUD_INSTANCE_HOME/bin/ldapmodify -a \ -D "cn=oudadmin" \ -h oudhost.example.com \ -w password \ -p 1380 \ -f admin_group.ldif
For Oracle Internet Directory:
OID_ORACLE_HOME/bin/ldapadd -h oidhost.example.com \ -p 3060 \ -D "cn=oudadmin" \ -w password \ -c \ -v \ -f admin_group.ldif
-
Verify that the changes were made successfully:
-
In the Remote Console, go to Security Tree.
-
Navigate to Realms > myrealm > Authentication Providers.
-
Expand the new Authentication Provider.
-
Click Users and verify if the administrator user that you provisioned is listed.
-
Click Groups and verify if the administrator group that you provisioned is listed.
-
Adding the Administration Role to the New Administration Group
After you add the users and groups to your LDAP directory, the group must be assigned the Administration role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for the domain.
To assign the Administration role to the new enterprise deployment administration group:
Adding the wsm-pm Role to the Administrators Group
After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (SOA Administrators
) as a member to the policy.Updater
role in the wsm-pm
application stripe.
Backing Up the Configuration
It is an Oracle best practices recommendation to create a backup after you successfully extended a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.
The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.
For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.