1. Enterprise Deployment Guide for Oracle SOA Suite
  2. Configuring the Enterprise Deployment
  3. Creating the Initial Infrastructure Domain for an Enterprise Deployment

10 Creating the Initial Infrastructure Domain for an Enterprise Deployment

The following topics describe how to install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later chapters in this guide describe how to extend this initial domain with the various products and components that comprise the enterprise topology that you are deploying.

Parent topic: Configuring the Enterprise Deployment

About the Initial Infrastructure Domain

Before you create the initial Infrastructure domain, be sure to review the following key concepts.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

About the Infrastructure Distribution

You create the initial Infrastructure domain for an enterprise deployment by using the Oracle Fusion Middleware Infrastructure distribution. This distribution contains both the Oracle WebLogic Server software and the Oracle JRF software.

The Oracle JRF software consists of Oracle Web Services Manager, Oracle Application Development Framework (Oracle ADF), Oracle Enterprise Manager Fusion Middleware Control, the Repository Creation Utility (RCU), and other libraries and technologies that are required to support the Oracle Fusion Middleware products.

Later in this guide, you can then extend the domain to support the Oracle Fusion Middleware products that are required for your enterprise deployment.

See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.

Parent topic: About the Initial Infrastructure Domain

Characteristics of the Domain

The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.

Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.

Characteristic of the Domain More Information

Uses a separate virtual IP (VIP) address for the Administration Server.

Configuration of the Administration Server and Managed Servers Domain Directories

Uses separate domain directories for the Administration Server and the Managed Servers in the domain.

Configuration of the Administration Server and Managed Servers Domain Directories

Includes a dedicated cluster for Oracle Web Services Manager

Using Oracle Web Services Manager in the Application Tier

Uses a per host Node Manager configuration.

About the Node Manager Configuration in a Typical Enterprise Deployment

Requires a separately installed LDAP-based authentication provider.

Understanding OPSS and Requests to the Authentication and Authorization Stores

Parent topic: About the Initial Infrastructure Domain

Variables Used When Creating the Infrastructure Domain

As you perform the tasks in this chapter, you reference the directory variables that are listed in this section.

These directory variables are defined in File System and Directory Variables Used in This Guide.

  • ORACLE_HOME

  • ASERVER_HOME

  • MSERVER_HOME

  • APPLICATION_HOME

  • JAVA_HOME

  • NM_HOME

  • KEYSTORE_HOME

In addition, you reference the following virtual IP (VIP) addresses and host names that are defined in Physical and Virtual IP Addresses Required by the Enterprise Topology:

  • ADMINVHN (ADMINVIP)

  • SOAHOST1

  • SOAHOST2

  • DBHOST1

  • DBHOST2

  • SCAN Address for the Oracle RAC Database (DB-SCAN.example.com)

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Use the following sections to install the Oracle Fusion Middleware Infrastructure software in preparation for configuring a new domain for an enterprise deployment.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Installing a Supported JDK

Oracle Fusion Middleware requires that a certified Java Development Kit (JDK) is installed on your system.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Locating and Downloading the JDK Software

To find a certified JDK, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.

After you identify the Oracle JDK for the current Oracle Fusion Middleware release, you can download an Oracle JDK from the following location on Oracle Technology Network:

https://www.oracle.com/java/technologies/downloads/

Be sure to navigate to the download for the Java SE JDK.

Installing the JDK Software

Install the JDK onto the VOL1 and VOL2 shared storage volumes mounted to /u01/oracle/products on the application tier hosts. Name the folder for the JDK without version numbers to avoid re-configuration challenges during JDK upgrades. Example: /u01/oracle/products/jdk.

Note:

Multiple installations may be needed as recommended mount points use multiple product shared volumes.

For more information about the recommended location for the JDK software, see the Understanding the Recommended Directory Structure for an Enterprise Deployment.

The following example describes how to install a recent version of JDK 17.0.

  1. Change directory to the location where you downloaded the JDK archive file.
    cd download_dir
  2. Unpack the archive into the JDK home directory, and then run the following commands:
    tar -xzvf jdk-17.0.10+11_linux-x64_bin.tar.gz

    Note:

    The JDK version listed here was accurate at the time this document was published. For the latest supported JDK, see the Oracle Fusion Middleware System Requirements and Specifications for the current Oracle Fusion Middleware release.
  3. Move the JDK directory to the recommended location in the directory structure.
    For example:
    mv jdk-17.0.10 /u01/oracle/products/jdk
  4. Define the JAVA_HOME and PATH environment variables for running Java on the host computer.
    For example:
    export JAVA_HOME=/u01/oracle/products/jdk
export PATH=$JAVA_HOME/bin:$PATH
  5. Run the following command to verify that the appropriate java executable is in the path and your environment variables are set correctly:
    java -version
    The Java version in the output should be displayed as 17.0.10.
  6. Repeat steps 1 through 5 for each unique products shared volume on an appropriate host. For example: SOAHOST1 and SOAHOST2.

Starting the Infrastructure Installer on SOAHOST1

To start the installation program, perform the following steps.

  1. Log in to SOAHOST1.
  2. Go to the directory where you downloaded the installation program.
  3. Launch the installation program by invoking the java executable from the JDK directory on your system, as shown in the following example:
    $JAVA_HOME/bin/java -jar distribution_file_name.jar

    In this example:

    • Replace JAVA_HOME with the environment variable or actual JDK location on your system.

    • Replace distribution_file_name with the actual name of the distribution JAR file.

      If you download the distribution from the Oracle Technology Network (OTN), then the JAR file is typically packaged inside a downloadable compressed file.

      To install the software required for the initial Infrastructure domain, the distribution you want to install is fmw_14.1.2.0.0_infrastructure.jar.

      For more information about the actual file names of each distribution, see Identifying and Obtaining Software Downloads for an Enterprise Deployment.

When the installation program appears, you are ready to begin the installation. See Navigating the Installation Screens for a description of each installation program screen.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Navigating the Infrastructure Installation Screens

The installation program displays a series of screens, in the order listed in the following table.

If you need additional help with any of the installation screens, click the screen name or click the Help button on the screen.

Table 10-1 Navigating the Infrastructure Installation Screens

Screen Description

Installation Inventory Setup

On UNIX operating systems, this screen appears if you are installing any Oracle product on this host for the first time. Specify the location where you want to create your central inventory. Ensure that the operating system group name selected on this screen has write permissions to the central inventory location.

See Understanding the Oracle Central Inventory in Installing Software with the Oracle Universal Installer.

Note:

Oracle recommends that you configure the central inventory directory on the products shared volume. Example: /u01/oracle/products/oraInventory

You may also need to execute the createCentralinventory.sh script as root from the oraInventory folder after the installer completes.

Welcome

This screen introduces you to the product installer.

Auto Updates

Use this screen to search My Oracle Support automatically for available patches or automatically search a local directory for patches that you have already downloaded for your organization.

Installation Location

Use this screen to specify the location of your Oracle home directory.

For the purposes of an enterprise deployment, enter the value of the ORACLE_HOME variable listed in Table 7-2.

Installation Type

Use this screen to select the type of installation and as a consequence, the products and feature sets that you want to install.

For this topology, select Fusion Middleware Infrastructure.

Note:

The topology in this document does not include server examples. Oracle strongly recommends that you do not install the examples into a production environment.

Prerequisite Checks

This screen verifies that your system meets the minimum requirements.

If there are any warning or error messages, refer to the Oracle Fusion Middleware System Requirements and Specifications document on the Oracle Technology Network (OTN).

Security Updates

If you already have an Oracle Support account, use this screen to indicate how you would like to receive security updates.

If you do not have one and are sure that you want to skip this step, clear the check box and verify your selection in the follow-up dialog box.

Installation Summary

Use this screen to verify the installation options that you have selected. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file. Response files can be used later in a silent installation situation.

For more information about silent or command-line installation, see Using the Oracle Universal Installer in Silent Mode in Installing Software with the Oracle Universal Installer.

Installation Progress

This screen allows you to see the progress of the installation.

Installation Complete

This screen appears when the installation is complete. Review the information on this screen, then click Finish to dismiss the installer.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Installing Oracle Fusion Middleware Infrastructure on the Other Host Computers

If you have configured a separate shared storage volume or partition for secondary hosts, then you must install the Infrastructure on one of those hosts.

See Shared Storage Recommendations When Installing and Configuring an Enterprise Deployment.

To install the software on the other host computers in the topology, log in to each host, and use the instructions in Starting the Infrastructure Installer on SOAHOST1 and Navigating the Infrastructure Installation Screens to create the Oracle home on the appropriate storage device.

Note:

In previous releases, the recommended enterprise topology included a colocated set of Oracle HTTP Server instances. In those releases, there was a requirement to install the Infrastructure on the web tier hosts (WEBHOST1 and WEBHOST2). However, for this release, the Enterprise Deployment topology assumes that the web servers are installed and configured in standalone mode, so they are not considered part of the application tier domain. See Configuring Oracle HTTP Server for an Enterprise Deployment

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Checking the Directory Structure

After you install the Oracle Fusion Middleware Infrastructure and create the Oracle home, you should see the directory and sub-directories listed in this topic. The contents of your installation vary based on the options that you selected during the installation.

To check the directory structure:

  1. Change to the ORACLE_HOME directory where you installed the Infrastructure.
  2. Enter the following command:
    ls --format=single-column $ORACLE_HOME
    The directory structure on your system must match the structure shown in the following example:
    bin
cfgtoollogs
coherence
em
install
inventory
jlib
lib
OPatch
opmn
oracle_common
oraInst.loc
oui
wlserver
    See What are the Key Oracle Fusion Middleware Directories? in Understanding Oracle Fusion Middleware.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Disabling the Derby Database

Disable the embedded Derby database, which is a file-based database, packaged with Oracle WebLogic Server. The Derby database is used primarily for development environments. As a result, you must disable it when you are configuring a production-ready enterprise deployment environment; otherwise, the Derby database process starts automatically when you start the Managed Servers.
To disable the Derby database:
  1. Navigate to the following directory in the Oracle home:
    cd $WL_HOME/common/derby/lib
  2. Rename the Derby library jar file:
    mv derby.jar disable_derby.jar
  3. If each host uses a separate file system, repeat steps 1 and 2 on each host.

Parent topic: Installing the Oracle Fusion Middleware Infrastructure on SOAHOST1

Creating the Database Schemas

Oracle Fusion Middleware components require the existence of schemas in a database before you configure a Fusion Middleware Infrastructure domain. Install the schemas listed in this topic in a certified database for use with this release of Oracle Fusion Middleware.

  • Metadata Services (MDS)

  • Audit Services (IAU)

  • Audit Services Append (IAU_APPEND)

  • Audit Services Viewer (IAU_VIEWER)

  • Oracle Platform Security Services (OPSS)

  • User Messaging Service (UMS)

  • WebLogic Services (WLS)

  • Common Infrastructure Services (STB)

Use the Repository Creation Utility (RCU) to create the schemas. This utility is installed in the Oracle home for each Oracle Fusion Middleware product. For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.

Complete the following steps to install the required schemas:

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Installing and Configuring a Certified Database

Make sure that you have installed and configured a certified database, and that the database is up and running.

See the Preparing the Database for an Enterprise Deployment.

Parent topic: Creating the Database Schemas

Starting the Repository Creation Utility (RCU)

To start the Repository Creation Utility (RCU):

  1. Navigate to the $ORACLE_HOME/oracle_common/bin directory on your system.
    cd $ORACLE_HOME/oracle_common/bin
  2. Make sure that the JAVA_HOME environment variable is set to the location of a certified JDK on your system. The location should be up to but not including the bin directory. For example, if your JDK is located in /u01/oracle/products/jdk:

    On UNIX operating systems:

    export JAVA_HOME=/u01/oracle/products/jdk
  3. Start RCU:

    On UNIX operating systems:

    ./rcu

    Note:

    If your database has Transparent Data Encryption (TDE) enabled, and you want to encrypt your tablespaces that are created by the RCU, provide the -encryptTablespace true option when you start RCU.

    This defaults the appropriate RCU GUI Encrypt Tablespace checkbox selection on the Map Tablespaces screen without further effort during the RCU execution. See Encrypting Tablespaces in Creating Schemas with the Repository Creation Utility.

Parent topic: Creating the Database Schemas

Navigating the RCU Screens to Create the Schemas

Follow the instructions in this section to create the schemas for the Fusion Middleware Infrastructure domain:

Task 1   Introducing RCU

Review the Welcome screen and verify the version number for RCU. Click Next to begin.

Task 2   Selecting a Method of Schema Creation

If you have the necessary permission and privileges to perform DBA activities on your database, select System Load and Product Load on the Create Repository screen. The procedure in this document assumes that you have the necessary privileges.

If you do not have the necessary permission or privileges to perform DBA activities in the database, you must select Prepare Scripts for System Load on this screen. This option generates a SQL script, which can be provided to your database administrator. See Understanding System Load and Product Load in Creating Schemas with the Repository Creation Utility.

Click Next.

Tip:

For more information about the options on this screen, see Create repository in Creating Schemas with the Repository Creation Utility.

Task 3   Providing Database Connection Details

Provide the database connection details for RCU to connect to your database.

  1. As Database Type, select Oracle Database enabled for edition-based redefinition.

    Note:

    Oracle Database enabled for edition-based redefinition (EBR) is recommended to support Zero Down Time upgrades. For more information, see https://www.oracle.com/database/technologies/high-availability/ebr.html.

  2. In the Host Name field, enter the SCAN address of the Oracle RAC Database.

  3. Enter the Port number of the RAC database scan listener, for example 1521.

  4. Enter the RAC Service Name of the database.

  5. Enter the User Name of a user that has permissions to create schemas and schema objects, for example SYS.

  6. Enter the Password of the user name that you provided in step 4.

  7. If you have selected the SYS user, ensure that you set the role to SYSDBA.

  8. Click Next to proceed, and then click OK on the dialog window confirming that connection to the database was successful.

Tip:

For more information about the options on this screen, see Database Connection Details in Creating Schemas with the Repository Creation Utility.

Task 4   Specifying a Custom Prefix and Selecting Schemas

  1. Specify the custom prefix that you want to use to identify the Oracle Fusion Middleware schemas.

    The custom prefix is used to logically group these schemas together for use in this domain. For the purposes of this guide, use the prefix FMW1412_

    Tip:

    Make a note of the custom prefix that you choose to enter here; you will need this later, during the domain creation process.

    For more information about custom prefixes, see Understanding Custom Prefixes in Creating Schemas with the Repository Creation Utility.

  2. Select AS Common Schemas.

    When you select AS Common Schemas, all the schemas in this section are automatically selected.

    If the schemas in this section are not automatically selected, then select the required schemas.

There are two mandatory schemas that are selected by default. You cannot deselect them: Common Infrastructure Services (the STB schema) and WebLogic Services (the WLS schema). The Common Infrastructure Services schema enables you to retrieve information from RCU during domain configuration. See Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

Tip:

For more information about how to organize your schemas in a multi-domain environment, see Planning Your Schema Creation in Creating Schemas with the Repository Creation Utility.

Click Next to proceed, and then click OK on the dialog window confirming that prerequisite checking for schema creation was successful.

Task 5   Specifying Schema Passwords

Specify how you want to set the schema passwords on your database, then specify and confirm your passwords. Ensure that the complexity of the passwords meet the database security requirements before you continue. RCU proceeds at this point even if you do not meet the password polices. Hence, perform this check outside RCU itself.

Click Next.

Tip:

You must make a note of the passwords you set on this screen; you need them later on during the domain creation process.

Task 6   Verifying the Tablespaces for the Required Schemas

You can accept the default settings on the remaining screens, or you can customize how RCU creates and uses the required tablespaces for the Oracle Fusion Middleware schemas.

Note:

You can configure a Fusion Middleware component to use JDBC stores for JMS servers and Transaction Logs, by using the Configuration Wizard. These JDBC stores are placed in the Weblogic Services component tablespace. If your environment expects to have a high level of transactions and JMS activity, you can increase the default size of the <PREFIX>_WLS tablespace to better suit the environment load.

Click Next to continue, and then click OK on the dialog window to confirm the tablespace creation.

For more information about RCU and its features and concepts, see About the Repository Creation Utility in Creating Schemas with the Repository Creation Utility.

Task 7   Creating Schemas

Review the summary of the schemas to be loaded and click Create to complete schema creation.

Note:

If failures occurred, review the listed log files to identify the root cause, resolve the defects, and then use RCU to drop and recreate the schemas before you continue.

Task 8   Reviewing Completion Summary and Completing RCU Execution

When you reach the Completion Summary screen, verify that all schema creations have been completed successfully, and then click Close to dismiss RCU.

Parent topic: Creating the Database Schemas

Verifying Schema Access

Verify schema access by connecting to the database as the new schema users are created by the RCU. Use SQL*Plus or another utility to connect, and provide the appropriate schema names and passwords entered in the RCU.

For example:

Note:

If the database is a plugable database (PDB), the apropriate tns alias that points to the PDB must be used in the sqlplus command. 

./sqlplus FMW1412_WLS/<WLS_schema_password>

SQL*Plus: Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems on Wed Sep 11 14:20:00 2024 Version 23.5.0.24.07
Copyright (c) 1982, 2024, Oracle. All rights reserved.


Connected to:
Oracle Database 23ai EE Extreme Perf Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.5.0.24.07

SQL>

Parent topic: Creating the Database Schemas

Configuring the Infrastructure Domain

The following topics provide instructions for creating a WebLogic Server domain using the Fusion Middleware Configuration wizard.

For more information on the other methods that are available for creating a domain, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Creating WebLogic Domains Using the Configuration Wizard.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Starting the Configuration Wizard

To begin domain configuration, run the following command in the Oracle Fusion Middleware Oracle home on SOAHOST1. 

$ORACLE_HOME/oracle_common/common/bin/config.sh

Parent topic: Configuring the Infrastructure Domain

Navigating the Configuration Wizard Screens to Configure the Infrastructure Domain

Follow the instructions in the following sections to create and configure the domain for the topology.

Task 1   Selecting the Domain Type and Domain Home Location

On the Configuration Type screen, select Create a new domain.

In the Domain Location field, specify the value of the ASERVER_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

For more information about the other options on this screen of the Configuration Wizard, see Configuration Type in Creating WebLogic Domains Using the Configuration Wizard.

Task 2   Selecting the Configuration Templates

On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the following templates:

  • Oracle Enterprise Manager [em]

    Selecting this template automatically selects the following dependencies:

    • Oracle JRF [oracle_common]

    • WebLogic Coherence Cluster Extension [wlserver]

  • Oracle WSM Policy Manager [oracle_common]

Tip:

More information about the options on this screen can be found in Templates in Creating WebLogic Domains Using the Configuration Wizard.

Task 3   Selecting the Application Home Location

On the Application Location screen, specify the value of the APPLICATION_HOME variable, as defined in File System and Directory Variables Used in This Guide.

Tip:

More information about the options on this screen can be found in Application Location in Creating WebLogic Domains Using the Configuration Wizard.

Task 4   Configuring the Administrator Account

On the Administrator Account screen, specify the user name (oracle recommends using a different name from “WebLogic”) and password for the default WebLogic Administrator account for the domain.

Make a note of the user name and password specified on this screen; you need these credentials later to boot and connect to the domain's Administration Server and for other operations.

Task 5   Specifying the Domain Mode and JDK

On the Domain Mode and JDK screen:

  • Select Production in the Domain Mode field.

    In the Enable or Disable Default Ports for You Domain field, use the default values provided for Production Mode:

    • Ensure that Enable Listen Ports (non-SSL Ports) is NOT checked.

    • Ensure that Enable SSL Listen Ports is checked.

    • Ensure that Enable Administration Port (SSL Port) is checked.

      Tip:

      More information about the options on this screen, including the differences between development mode and production mode, can be found in Domain Mode and JDK in Creating WebLogic Domains Using the Configuration Wizard.

  • Select Oracle Hotspot JDK in the JDK field.

    Note:

    Ensure that it points to the folder where you have installed the JDK. See Installing the JDK Software.
Task 6   Specifying the Database Configuration Type

On the Database Configuration Type screen:

  • Select RCU Data to activate the fields on this screen.

    The RCU Data option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for the schemas needed to configure the domain.

  • Verify that Vendor is Oracle and Driver is *Oracle's Driver (Thin) for Service Connections; Versions: Any.

  • Verify that Connection Parameters is selected.

Note:

If you choose to select Manual Configuration on this screen, you have to manually fill in the parameters for your schema on the JDBC Component Schema screen.

After you select RCU Data, fill in the fields as shown in the following table:

Field Description

Host Name

Enter the Single Client Access Name (SCAN) Address for the Oracle RAC database, which you entered in the Enterprise Deployment Workbook.

For information about the Enterprise Deployment Workbook, see Using the Enterprise Deployment Workbook.

DBMS/Service

Enter the service name for the Oracle RAC database appropriate for this domain where you will install the product schemas. For example:

soaedg.example.com

Specify the service name based on the value configured earlier in the Preparing the Database for an Enterprise Deployment section.

Port

Enter the port number on which the database listens. For example, 1521.

Schema Owner

Schema Password

Enter the user name and password to connect to the database's Service Table schema.

This is the schema user name and password that was specified for the Service Table component on the Schema Passwords screen in RCU (see Creating the Database Schemas).

The default user name is prefix_STB, where prefix is the custom prefix that you defined in RCU.

Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation is successful. 

Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK

Successfully Done.

Click Next if the connection to the database is successful.

Tip:

More information about the RCU Data option can be found in Understanding the Service Table Schema in Creating Schemas with the Repository Creation Utility.

More information about the other options on this screen can be found in Datasource Defaults in Creating WebLogic Domains Using the Configuration Wizard.

Task 7   Specifying JDBC Component Schema Information

Verify that the values on the JDBC Component Schema screen are correct for all schemas.

The schema table should be populated, because you selected Get RCU Data on the previous screen. As a result, the Configuration Wizard locates the database connection values for all the schemas required for this domain.

At this point, the values are configured to connect to a single-instance database. However, for an enterprise deployment, you should use a highly available Real Application Clusters (RAC) database, as described in Preparing the Database for an Enterprise Deployment.

In addition, Oracle recommends that you use an Active GridLink datasource for each of the component schemas. For more information about the advantages of using GridLink data sources to connect to a RAC database, see Database Considerations in the High Availability Guide.

To convert the data sources to GridLink:

  1. Select all the schemas by selecting the checkbox in the first header row of the schema table.

  2. Click Convert to GridLink and click Next.

Task 8   Providing the GridLink Oracle RAC Database Connection Details

On the GridLink Oracle RAC Component Schema screen, provide the information required to connect to the RAC database and component schemas, as shown in following table.

Element Description and Recommended Value

Service Name

Verify that the service name for the Oracle RAC database is the appropriate. For example, soaedg.example.com.

SCAN, Host Name, and Port

Select the SCAN check box.

In the Host Name field, enter the Single Client Access Name (SCAN) Address for the Oracle RAC database.

In the Port field, enter the SCAN listening port for the database (for example, 1521).

ONS Host and Port

These values are not required when you are using an Oracle 12c database or higher versions because the ONS list is automatically provided from the database to the driver.

Enable Fan

Verify that the Enable Fan check box is selected, so the database can receive and process FAN events.

For more information about specifying the information on this screen, as well as information about how to identify the correct SCAN address, see Configuring Active GridLink Data Sources with Oracle RAC in the High Availability Guide.

You can also click Help to display a brief description of each field on the screen.

Task 9   Testing the JDBC Connections

Use the JDBC Component Schema Test screen to test the data source connections that you have just configured.

A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, and then try to test the connection again.

Tip:

More information about the other options on this screen can be found in Test Component Schema in Creating WebLogic Domains Using the Configuration Wizard.

Task 10   Selecting Advanced Configuration

To complete domain configuration for the topology, select the following options on the Advanced Configuration screen:

  • Administration Server

    This is required to configure the listen address of the Administration Server.

  • Node Manager

    This is required to configure Node Manager.

  • Topology

    This is required to add, delete, or modify the Settings for Server Templates, Managed Servers, Clusters, Virtual Targets, and Coherence.

Note:

When you use the Advanced Configuration screen in the Configuration Wizard:

  • If any of the above options are not available on the screen, then return to the Templates screen, and be sure that you selected the required templates for this topology.

  • Do not select the Domain Frontend Host Capture advanced configuration option. You later configure the frontend host property for specific clusters, rather than for the domain.

Task 11   Configuring the Administration Server Listen Address

On the Administration Server screen:

  1. In the Server Name field, retain the default value "AdminServer".

  2. In the Listen Address field, enter the virtual host name that corresponds to the VIP of the ADMINVHN that you procured in Procuring Resources for an Enterprise Deployment and enabled in Preparing the Host Computers for an Enterprise Deployment.

    For more information about the purpose of using the ADMINVHN virtual host, see Reserving the Required IP Addresses for an Enterprise Deployment.

  3. In the Configure Administration Server Ports section, perform the following steps:

    1. Leave the Enable Listen Port field unchecked. The Listen Port value will be disabled in grey.

    2. Ensure the Enable SSL Listen port field is checked.

    3. Leave the default value as 7002 in the SSL Listen Port field.

    4. Leave the default value as 9002 in the Administration Port.

  4. Leave the default value as Unspecified in the Server Group.

Task 12   Configuring Node Manager

Select Manual Node Manager Setup as the Node Manager type.

WARNING:

You can ignore the warning in the bottom pane. This guide provides the required steps for the Manual Node Manager configuration.

Tip:

For more information about the options on this screen, see Node Manager in Creating WebLogic Domains Using the Configuration Wizard.

For more information about per domain and per host Node Manager implementations, see About the Node Manager Configuration in a Typical Enterprise Deployment.

For information about Node Manager configurations, see Configuring Node Manager on Multiple Machines in Administering Node Manager for Oracle WebLogic Server.

Task 13   Configuring Managed Servers

Use the Managed Servers screen to create two new Managed Servers:

  1. Click the Add button to create a new Managed Server.

  2. Specify WLS_WSM1 in the Server name column.

  3. In the SSL Listen Address column, enter SOAHOST1. Ensure you enter the host name that corresponds to SOAHOST1 and do not use the IP address.

  4. Ensure that Enable Listen is unchecked and Listen Port is "Disabled" (grayed out).

  5. Ensure that Enable SSL Port is checked for all servers.

  6. Set SSL Listen Port to 7010.

  7. Set Administration Port to 9003.

  8. In the Server Groups drop-down list, select JRF-MAN-SVR and WSMPM-MAN-SVR.

    These server groups ensure that the Oracle JRF and Oracle Web Services Manager (OWSM) services are targeted to the Managed Servers that you are creating.

    Server groups target Fusion Middleware applications and services to one or more servers by mapping defined groups of application services to each defined server group. Any application services that are mapped to a given server group are automatically targeted to all servers that are assigned to that group. See Application Service Groups, Server Groups, and Application Service Mappings in Domain Template Reference.

    Note:

    Nonce caching for Oracle Web Services is initialized automatically by the WSM-CACHE-SVR server group and is suitable for most custom applications. This initialization is automatically performed in SOA, OSB, and other FMW servers that run JRF and create a coherence cluster. Nonce is a unique number that can be used only once in a SOAP request and is used to prevent replay attacks. Nonce caching naturally scales with the number of added Managed Servers that run Web service applications.

    For information about advanced caching configurations, see Caching the Nonce with Oracle Coherence in Securing Web Services and Managing Policies with Oracle Web Services Manager, which provides additional guidance for the use of nonce caching and the WSM-CACHE-SVR server-group in custom WLS servers.

  9. Repeat this process to create a second Managed Server named WLS_WSM2.

    Table 10-2 Managed Server

    Server Name Listen Address Enable Listen Port Listen Port Enable SSL Port SSL Listen Port Administration Port Server groups

    WLS_WSM1

    SOAHOST1

    unchecked

    Disabled

    Checked

    7010

    9003

    JRF-MAN-SVR and WSMPM-MAN-SVR

    WLS_WSM2

    SOAHOST2

    unchecked

    Disabled

    Checked

    7010

    9003

    JRF-MAN-SVR and WSMPM-MAN-SVR

The Managed Server names suggested in this procedure (WLS_WSM1 and WLS_WSM2) are referenced throughout this document; if you choose different names then be sure to replace them as needed.

Tip:

More information about the options on this screen can be found in Managed Servers in Creating WebLogic Domains Using the Configuration Wizard.

Task 14   Configuring a Cluster

Use the Clusters screen to create a new cluster:

  1. Click the Add button.

  2. Specify WSM-PM_Cluster in the Cluster Name field.

  3. Click Next.

Note:

If you specify a front-end host and a front-end port, the URL validation fails after domain configuration because the web tier is not setup at this point. Hence, any redirections in the hosted application returns to the front-end address. You must configure the web tier to allow accessing the URLs through LBR.

You can configure the front-end port and address at a later point. For instructions, see Setting the Front End Host and Port for a WebLogic Cluster.

Tips:

For more information about the options on this screen, see Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Task 15   Assigning Server Templates

Click Next.

Task 16   Configuring Dynamic Servers

Verify that all dynamic server options are disabled for clusters that are to remain as static clusters.

  1. Confirm that the Calculated Listen Port and Calculated Machine Names checkboxes on this screen are unchecked.

  2. Confirm that the Server Template selection and Dynamic Server Groups are Unspecified.

  3. Click Next.

Task 17   Assigning Managed Servers to the Cluster

Use the Assign Servers to Clusters screen to assign WLS_WSM1 and WLS_WSM2 to the new cluster WSM-PM_Cluster:

  1. In the Clusters pane, select the cluster to which you want to assign the servers; in this case, WSM-PM_Cluster.

  2. In the Servers pane, assign WLS_WSM1 to WSM-PM_Cluster by doing one of the following:

    • Click once on WLS_WSM1 to select it, and then click on the right arrow to move it beneath the selected cluster (WSM-PM_Cluster) in the Clusters pane.

      or

    • Double-click on WLS_WSM1 to move it beneath the selected cluster (WSM-PM_Cluster) in the clusters pane.

  3. Repeat these steps to assign the WLS_WSM2 Managed Server to the WSM-PM_Cluster.

Tip:

More information about the options on this screen can be found in Assign Servers to Clusters in Creating WebLogic Domains Using the Configuration Wizard.

Task 18   Configuring Coherence Clusters

Use the Coherence Clusters screen to configure the Coherence cluster that is automatically added to the domain.

In the Cluster Listen Port, enter 9991.

Note:

For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.

Task 19   Creating Machines

Use the Machines screen to create new machines in the domain. A machine is required in order for the Node Manager to be able to start and stop the servers.

  1. Select the Unix Machine tab.

  2. Click the Add button to create new UNIX machines.

    Use the values in Table 10-3 to define the Name and Node Manager Listen Address of each machine.

  3. Verify the port in the Node Manager Listen Port field.

    The port number 5556, shown in this example, may be referenced by other examples in the documentation. Replace this port number with your own port number, as needed.

Table 10-3 Values to Use When Creating Unix Machines

Name Node Manager Listen Address Node Manager Type Node Manager Listen Port

ADMINHOST

Enter the value of the ADMINVHN variable.

SSL

5556

SOAHOST1

The value of the SOAHOST1 host name variable or SOAHOST1 alias. For example, SOAHOST1.example.com.

SSL

 5556

SOAHOST2

The value of the SOAHOST2 host name variable or SOAHOST2 alias. For example, SOAHOST2.example.com.

SSL

5556

Tip:

More information about the options on this screen can be found in Machines in Creating WebLogic Domains Using the Configuration Wizard.

Task 20   Assigning Servers to Machines

Use the Assign Servers to Machines screen to assign any statically defined managed servers to the appropriate machines. Servers that are part of a dynamic cluster are assigned to the calculated machine names automatically.

The Assign Servers to Machines screen is similar to the Assign Managed Servers to Clusters screen. Select the target machine in the Machines column, select the server name in the left column, and click the right arrow to assign the server to the appropriate machine.

Assign the servers as follows:

  • Assign the AdminServer to the ADMINHOST machine.

  • Assign the WLS_WSM1 Managed Server to the SOAHOST1 machine.

  • Assign the WLS_WSM2 Managed Server to the SOAHOST2 machine.

Tip:

More information about the options on this screen can be found in Assign Servers to Machines in Creating WebLogic Domains Using the Configuration Wizard.

Task 21   Reviewing Your Configuration Specifications and Configuring the Domain

The Configuration Summary screen contains the detailed configuration information for the domain that you are about to create. Review the details of each item on the screen and verify that the information is correct.

If you need to make any changes, you can go back to any previous screen either by using the Back button or by selecting the screen in the navigation pane.

Domain creation does not begin until you click Create.

In the Configuration Progress screen, click Next when it finishes.

Tip:

More information about the options on this screen can be found in Configuration Summary in Creating WebLogic Domains Using the Configuration Wizard.

Task 22   Writing Down Your Domain Home and Administration Server URL

The Configuration Success screen shows the following items about the domain you just configured:

  • Domain Location

  • Administration Server URL

You must make a note of both items as you need them later; the domain location is needed to access the scripts that are used to start the Administration Server.

Click Finish to dismiss the Configuration Wizard.

Parent topic: Configuring the Infrastructure Domain

Download and Configure WebLogic Remote Console

This section describes how to download and configure the WebLogic Remote Console.

Note:

For the initial configuration steps required in this EDG, you will need access to the AdminServer listen address and administration port. Later on you will configure access from a frontend load balancer.

Perform the following steps to download and configure the WebLogic Remote Console:

  1. Uninstall any previous versions of the WebLogic Remote Console from your computer.
  2. Download the WebLogic Remote Console. Go to https://github.com/oracle/weblogic-remote-console/releases and download the installer from your operating system.
  3. Run the installer.
  4. Install the WebLogic Remote Console extension in the WebLogic Server domain. The WebLogic Remote Console extension provides additional functionality when using the WebLogic Remote Console to manage WebLogic domains.

    Note:

    This step is optional.
    1. Create a management-services-ext directory under the domain home.
    2. Download the latest WebLogic Remote Console extension, console-rest-ext-<version>.war, from https://github.com/oracle/weblogic-remote-console/releases and save it inside the management-services-ext directory you created in the previous step. If you have an earlier version of the extension already downloaded, delete it and replace it with the latest version.
    3. Reboot the Administration Server if it is already running.
  5. Launch the WebLogic Remote Console application.

    Example:

    ./weblogic-remote-console

    In the next steps you must connect to the EDG domain provider using initially the Admin Servers listen address.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Configuring SSL Certificates for the Domain

This section describes how to configure SSL certificates for the domain.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Creating Certificates and Certificate Stores for the WebLogic Domain

The Enterprise Deployment Guide provides steps to configure a domain that uses SSL listen addresses for all Weblogic Managed Servers, Weblogic Administration Server and Node Managers in the application tier. To achieve this the required certificates for all servers, machines and NM listen addresses must be created and pointed to from the domain and Node Manager configuration.

In Oracle FMW 14.1.2.0, Oracle WebLogic allows the usage of a per-domain Certificate Authority (CA). In this model, the CertGen and ImportPrivateKey utilities are enhanced to use the domain's secret key to encrypt the passphrases and store them in the domain's DemoCerts.props file. A self-signed Demo CA is automatically created for the domain and it is used for signing certificates for the SSL listen addresses used in the EDG. Although in a real production system, standard CAs should be used, the per-domain CA model implements an SSL system using domain specific CA that provides a higher degree of protection than non-ssl configurations. If you want to use your own custom certificates, see About Using Third Party SSL Certificates in the WebLogic and Oracle HTTP Servers in the Common Configuration and Management Tasks for an Enterprise Deployment chapter.

Oracle recommends using a shared storage location (protected with the appropriate snapshot or file backup tooling) where all the different certificates and stores can be found by the different servers. Perform the following steps to generate an Identity store and a Trust Store that can be used for enabling SSL listeners in a Weblogic Server using a per-domain CA:

  1. Download the generate_perdomainCACERTS.sh script in the maa github repo.

    https://github.com/oracle-samples/maa/blob/main/1412EDG/generate_perdomainCACERTS.sh

  2. Run the script with the following arguments:

    • WLS_DOMAIN_DIRECTORY: Directory hosting the Weblogic Domain that the Administration Server uses.
    • WL_HOME: The directory within the Oracle home where the Oracle WebLogic Server software binaries are stored. Typically /u01/oracle/products/fmw/wlserver.
    • KEYSTORE_HOME: Directory where appIdentity and appTrust stores will be created.
    • KEYPASS: Password used for the weblogic administration user (will be reused for certs and stores).

    Example:

    ./generate_perdomainCACERTS.sh $ASERVER_HOME $ORACLE_HOME/wlserver $KEYSTORE_HOME <keypass>

The script will traverse the WLS_DOMAIN_DIRECTORY/config/config.xml to find all the listen addresses used in the domain, generate certificates for all of them, create a trust store with the domain CA and import certificates into a new Identity store. The aliases used in the import will be the same as the hostname used as listen address. Both the trust store and the identity store will be placed in the KEYSTORE_HOME directory.

Run the following command to verify if the "domainca" entry is there as a trustedCertEntry: 

keytool -list -keystore $KEYSTORE_HOME/appTrustKeyStore.pkcs12

Run the following command to verify if there is a PrivateKeyEntry for each listen address (the values for ADMINVHN, SOAHOST1 and SOAHOST2): 

keytool -list -keystore $KEYSTORE_HOME/appIdentityKeyStore.pkcs12

Parent topic: Configuring SSL Certificates for the Domain

Adding Certificate Stores Location to the WebLogic Servers Start Scripts

Once the Identity and Trust Stores are created for the domain some Java properties must be added to the WebLogic start scripts. These properties are added to the file setUserOverridesLate.sh in $ASERVER_HOME/bin. Any customizations you add to this file are preserved during domain upgrade operations and are carried over to remote servers when using the pack and unpack commands.

  • If you created the Identity and Trust Stores with the script generate_perdomainCACERTS.sh, as explained in Creating Certificates and Certificate Stores for the WebLogic Domain, then the properties are automatically added to the file setUserOverridesLate.sh in $ASERVER_HOME/bin. Just verify that the file exists and that the EXTRA_JAVA_PROPERTIES have been added.

  • If you are using your own custom certificates, then manually create the file setUserOverridesLate.sh in $ASERVER_HOME/bin. Edit the file and add the variable EXTRA_JAVA_PROPERTIES to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties with the values used by your EDG system. For example: 

    
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES}
 -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12
 -Djavax.net.ssl.trustStorePassword=mypassword"
export EXTRA_JAVA_PROPERTIES

Note:

The order of the extra java properties is relevant. In case that the same property is defined more than once, the later value is used. The custom values must be defined as in the example provided.

Parent topic: Configuring SSL Certificates for the Domain

Update Server's Security Settings Using the Remote Console

Parent topic: Configuring SSL Certificates for the Domain

Connecting to the Remote Console Using the Administration Server’s Virtual Hostname as Provider
The following procedure temporarily starts the Administration Server with the default start script so to enable you to perform these tasks. After you perform these tasks, you can stop this temporary session and use the Node Manager to start the Administration Server.

Note:

For this Remote Console initial access to the Administration Server, it is required that the machine that runs the Remote Console can resolve and connect to the Admin Server's Listen Address. This can be done by starting the Remote Console directly in the node where the Admin Server runs or creating a tunnel to this address from the node where the remote Console is executed.
  1. Using the following default start script to start the Administration Server:
    1. Change directory to the following directory:
      cd $ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh

      Monitor the terminal till the following message is displayed:

      <Server state changed to RUNNING>

      Also you must verify that the appropriate SSL listener is available, which can be confirmed with the a message like the following displayed in output:

      <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on XXXX:7002 for protocols iiops, t3s, ldaps, https.>
  2. Create a new provider in the WebLogic Remote Console as follows:
    1. Download the domain's trust keystore to the host or laptop where you run the WebLogic Remote Console. For example, when using the per-domain CA steps in previous sections, this would be located at $KEYSTORE_HOME/appTrustKeyStore.pkcs12.
    2. Open the Remote Console and add the domain trust store to the remote console settings. Click File > Settings and enter the following values.

      1. Trust Store type - jks

      2. Trust Store Path - The path to the trust keystore file in the host where the Remote Console runs.

      3. Trust Store Key - Enter the password provided in the steps above for certificate creation.

      4. Check Disable HostName verification if you are using Demo certificates as described in the steps above.

    3. Using the Providers window in the Remote Console, create a new provider by selecting Add Admin Server Connection Provider.

      1. In the provider name, enter the name of soaedg_domain_asvip. This will identify the type of access.

      2. Enter the WebLogic Domain Administration username provided in the configuration wizard user name.

      3. Enter the password used for the domain creation.

      4. Use https protocol and the admin server listen address used in the configuration wizard as URL for access and specify port 9002.

        For example, https://ADMINVHN.example.com:9002.

      5. Check the Make Insecure Connection checkbox.

        Note:

        This provider should not be used once the front end and webtier are configured.

      The Remote Console Home Window for the domain will be displayed.

Updating the WebLogic Servers Security Settings
Perform the following steps to update the WebLogic Servers Security Settings and Administration Port:
  1. Access the Domain provider in the Remote Console and update the Administration Server and WebLogic Servers Security Settings:
    1. Click Edit Tree.
    2. Click Environment > Servers > AdminServer.
    3. Click Security tab.
    4. Change the keystores dropdown to Custom Identity and Custom Trust.
    5. In Custom Identity Keystore, enter the fully qualified path to the identity keystore as follows:
      KEYSTORE_HOME/appIdentityKeyStore.pkcs12

      Replace KEYSTORE_HOME with the value of the folder you use for storing keystore, as described in the Table 7-2.

    6. Set the Custom Identity Keystore Type to JKS.

      Note:

      Specifying JKS or PKCS12 is valid both for pkcs12 and jks stores. Both formats can be read and managed if the Customer Key Store Type is set to "JKS".
    7. In Custom Identity Keystore Passphrase, enter the password Keystore_Password you provided in the certificate generation steps.
    8. In Custom Trust Keystore, enter the fully qualified path to the trust keystore.
      KEYSTORE_HOME/appTrustKeyStore.pkcs12

      Replace KEYSTORE_HOME with the value of the folder you use for storing keystore, as described in the Table 7-2.

    9. Set the Custom Trust Keystore Type to JKS.

      Note:

      Specifying JKS or PKCS12 is valid both for pkcs12 and jks stores. Both formats can be read and managed if the Customer Key Store Type is set to "JKS".
    10. In Custom Trust Keystore Passphrase, enter the password you provided as the <keypass> in the certificate generation steps.
    11. Click Save.
    12. Under Security settings, navigate to SSL tab.
    13. In the Server Private Key Alias filed enter the alias provided in the certificate generation steps. If you used the certificate generation script this will be the same as the listen address used for the WLS server.
    14. In the Server Private Key Pass Phrase field, enter the password provided in the certificate generation steps. If you used the certificate generation script this will be the same as the keystore passphrase.
    15. Click Save.

      The cart on the top right part of the screen will show full with a yellow bag inside.

    16. Click the Cart icon on the top right and select Commit Changes.

    Repeat the above steps for each managed server in the domain changing the alias to match the alias used for the certificates.

  2. Return to the terminal window where you started the Administration Server with the start script.
  3. Press Ctrl+C to stop the Administration Server process.

    Wait for the Administration Server process to end and for the terminal command prompt to appear.

  4. Start the Administration Server again by using the following script:
    1. Change directory to the following directory:
      cd $ASERVER_HOME/bin
    2. Run the start script:
      ./startWebLogic.sh
    3. Monitor the output in the terminal till the following output is displayed.
      <Server state changed to RUNNING>

Configuring KSS with Per-domain CA

For consistency purposes and to use a common CA all across the domain artifacts you may want to use the per-domain CA for KSS (store used by OPSS and other components in the WebLogic Infrastructure/JRF Domain.

Perform the following steps to import the domain CA certificate in the KSS trusted store:

  1. Download the import-domainca-into-kss.sh script in the maa github repo https://github.com/oracle-samples/maa/blob/main/1412EDG/import-domainca-into-kss.sh.
  2. Edit the script and customize the following variables according to your environment:

    DOMAIN_HOME: Path to the WebLogic domain (ASERVER_HOME in this guide). For example, /u01/oracle/config/domains/soaedg_domain.

    MW_HOME: The path to the FMW home. For example, /u01/oracle/products/fmw.

    ADMINVHN: Administration Server’s listen address. For example, adminvhn.example.com.

    ADMINPORT: Administration Server’s listen port. For example, 9002.

    DOMAINUSER: Name of the administrator user for the WLS domain. For example, soaedgadmin.

    TRUSTSTOREFILE: Location of the truststore used to connect though SSL to the Admin Server. For example, /u01/oracle/config/keystores/appTrustKeyStore.pkcs12.

  3. Run the script with the following arguments:
    • DOMAINPASS: WLS domain administrator user’s password
    • KEYPASS: Password for the truststore.

    Example

    ./import-domainca-into-kss.sh adminpassword123 truststorepassword123

    The script imports the per Domain CA certificate into KSS and assigns it to jps.

    You can verify that the update was successful by inspecting the jps configuration files.

    grep domainca $ASERVER_HOME/config/fmwconfig/jps-config.xml

    The result of the command must be similar to the following example:

    <property name="ca.key.alias" value="domainca-new-24-05-07-16-44-52"/>
  4. Restart the Admin Server.
    If Admin Server was started with the script, perform the following steps:
    1. Press Ctrl+C to stop the Administration Server process.
    2. Go to directory $ASERVER_HOME/bin and run the following command:
      ./startWebLogic.sh

Parent topic: Configuring SSL Certificates for the Domain

Configuring a Per Host Node Manager for an Enterprise Deployment

For specific enterprise deployments, Oracle recommends that you configure a per-host Node Manager, as opposed to the default per-domain Node Manager.

For more information about the advantages of a per host Node Manager, see About the Node Manager Configuration in a Typical Enterprise Deployment

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Creating a Per Host Node Manager Configuration

The step in configuring a per-host Node Manager is to create a configuration directory and two new node manager configuration files. You must also edit the default startNodeManager.sh file.

To create a per-host Node Manager configuration, perform the following tasks, first on SOAHOST1, and then on SOAHOST2:

  1. Log in to SOAHOST1 and create a directory for the Node Manager configuration files :

    For example:

    mkdir -p /u02/oracle/config/nodemanager

    Note that this directory should be on a local disk, because it is specific to the host. This directory location is known as the Node Manager home, and it is identified by the NM_HOME directory variable in examples in this guide.

  2. Change directory to the Node Manager home directory:
    cd $NM_HOME
  3. Create a new text file called nodemanager.properties and add the values shown in Example: Contents of the nodemanager.properties File to this new file.

    Use the pertaining identity alias for the node that you are configuring. For example, soahost1.example.com in SOAHOST1 and soahost2.example.com in SOAHOST2.

    For more information about the properties that you can add to the nodemanager.properties file, see Node Manager Properties in Administering Node Manager for Oracle WebLogic Server.

    In the nodemanager.properties file, you enable crash recovery for servers as a part of this configuration. See Node Manager and System Crash Recovery in Administering Node Manager for Oracle WebLogic Server.

    Example: Contents of the nodemanager.properties File

    DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=14.1.2.0.0
AuthenticationEnabled=true
NodeManagerHome=/u02/oracle/config/nodemanager
#Include the specific JDK home
JavaHome=/u01/oracle/products/jdk
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.sh
#Leave blank for listening on ANY
ListenAddress=
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
SecureListener=true
LogCount=1
StopScriptEnabled=false
QuitEnabled=false
LogAppend=true
StateCheckInterval=500
CrashRecoveryEnabled=true
StartScriptEnabled=true
LogFile=/u02/oracle/config/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50
KeyStores=CustomIdentityAndCustomTrust 
CustomIdentityAlias=soahost1.example.com
CustomIdentityKeyStoreFileName=/u01/oracle/config/keystores/appIdentityKeyStore.pkcs12
CustomIdentityKeyStorePassPhrase=password
CustomIdentityPrivateKeyPassPhrase=password

    Notice the values for CustomIdentityAlias. If you used the generate_perdomainCACERTS.sh script, this is the hostname used as listen address in the configuration wizard for the Node Manager Machine. If you created the certificates one by one, this would be the alias that you assigned to the certificate import for SOAHOST1. You must also provide the location of the IdentityStore generated in the previous steps and the password for the same.

  4. Locate the startNodeManager.sh file in the following directory:
    $WL_HOME/server/bin
  5. Copy the startNodeManager.sh file to the Node Manager home directory.
    cp $WL_HOME/server/bin/startNodeManager.sh $NM_HOME
  6. Edit the new startNodeManager.sh file and add the NODEMGR_HOME property as follows:
    NODEMGR_HOME="NM_HOME"

    In this example, replace NM_HOME with the actual path to the Node Manager home.

  7. Locate the stopNodeManager.sh script in the WL_HOME/server/bin directory. Copy it to the Node Manager home directory. Edit the copied file and edit the NODEMGR_HOME property pointing to the node manager home (as it has been done for the startNodemanager.sh file):
    NODEMGR_HOME="NM_HOME"

    In this example, replace NM_HOME with the actual path to the Node Manager home.

  8. Create another new file in the Node Manager home directory, called nodemanager.domains.

    The nodemanager.domains file provides additional security by restricting Node Manager client access to the domains listed in this file.

  9. Perform steps 1 through 8 on SOAHOST2.
  10. Add the following entries to the new nodemanager.domains files:

    On SOAHOST1, add values for both the Administration Server domain home and the Managed Servers domain home: 

    soaedg_domain=MSERVER_HOME;ASERVER_HOME

    Note:

    The path that is mentioned first (MSERVER_HOME) is considered as the primaryDomainPath and Managed Servers are run from this location.

    On SOAHOST2, add the value for the Managed Servers domain home only: 

    soaedg_domain=MSERVER_HOME

    In these examples, replace ASERVER_HOME and MSERVER_HOME with the values of the respective variables, as described in File System and Directory Variables Used in This Guide.

Parent topic: Configuring a Per Host Node Manager for an Enterprise Deployment

Starting the Node Manager on SOAHOST1

After you manually set up the Node Manager to use a per-host Node Manager configuration, you can start the Node Manager on SOAHOST1, by using the startNodeManager.sh script.
To start the Node Manager on SOAHOST1:
  1. Change directory to the Node Manager home directory:
    cd $NM_HOME
  2. Run the following command to start the Node Manager and send the output of the command to an output file, rather than to the current terminal shell:
    nohup ./startNodeManager.sh > ./nodemanager.out 2>&1 &
  3. Monitor the the nodemanager.out file; make sure the NodeManager starts successfully. The output should eventually contain the following strings:
    
<INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityKeyStorePassPhrase> 
<INFO> <Upgrade> <Encrypting NodeManager property: CustomIdentityPrivateKeyPassPhrase>
<Upgrade> <Saving upgraded NodeManager properties to '/u02/oracle/config/nodemanager/nodemanager.properties'>
<INFO> <Loading domains file: /u02/oracle/config/nodemanager/nodemanager.domains>
<INFO> <Loading identity key store: FileName=/u01/oracle/config/keystores/appIdentityKeyStore.pkcs12, Type=pkcs12, PassPhraseUsed=true>
<INFO> <Loaded NodeManager configuration properties from '/u02/oracle/config/nodemanager/nodemanager.properties'>
<INFO> <14.1.2.0.0>
<INFO> <Server Implementation Class: weblogic.nodemanager.server.NMServer$ClassicServer.>
<INFO> <Secure socket listener started on port 5556>

    You must check that the plain text used for passwords in nodemanager.properties has now been encrypted: 

    
[oracle@soalonhost1 keystores]$ cat /u02/oracle/config/nodemanager/nodemanager.properties 
#Tue Feb 06 11:53:10 GMT 2024
#Mon Feb 05 17:24:30 GMT 2024
DomainsFile=/u02/oracle/config/nodemanager/nodemanager.domains
LogLimit=0
PropertiesVersion=14.1.2.0.0
AuthenticationEnabled=true
NodeManagerHome=/u02/oracle/config/nodemanager
#Include the specific JDK home
JavaHome=/u01/oracle/products/jdk
LogLevel=INFO
DomainsFileEnabled=true
StartScriptName=startWebLogic.sh
#Leave blank for listening on ANY
ListenAddress=
NativeVersionEnabled=true
ListenPort=5556
LogToStderr=true
SecureListener=true
LogCount=1
StopScriptEnabled=false
QuitEnabled=false
LogAppend=true
StateCheckInterval=500
CrashRecoveryEnabled=true
StartScriptEnabled=true
LogFile=/u02/oracle/config/nodemanager/nodemanager.log
LogFormatter=weblogic.nodemanager.server.LogFormatter
ListenBacklog=50
KeyStores=CustomIdentityAndCustomTrust 
CustomIdentityAlias=soahost1.example.com
CustomIdentityKeyStoreFileName=/u01/oracle/config/keystores/appIdentityKeyStore.pkcs12
CustomIdentityKeyStorePassPhrase={AES256}EMvPrOCRfN7fyv3d8JcEnttTLyneG9Su+UVK5DGEmqmqDwLkpLz9nQFZ+fL1Bidc
CustomIdentityPrivateKeyPassPhrase={AES256}O5cEJD8WVYP3aRLp9KAbFZ3CGLyxmmIWFX1YzVfJvPpl1dc5RbMksAcsBLquKcWW

Parent topic: Configuring a Per Host Node Manager for an Enterprise Deployment

Configuring the Node Manager Credentials

Perform the following steps to set the Node Manager credentials using the Remote Console:

  1. Access the Domain provider in the Remote Console.
  2. Click Edit Tree.
  3. Click Environment > Domain> Security.
  4. Check the Show Advanced Fields field.
  5. Set Node Manager Username to the same as the Weblogic Administrator, since this username will be used in other tasks mentioned in this guide.
  6. Change the NM password. Ensure the Node Manager password is set to the same as the Weblogic Administrator since this password will be used in other tasks mentioned in this guide.
  7. Click Save. The cart on the top right part of the screen will show full with a yellow bag inside.
  8. Click the Cart Icon on the top right and select Commit Changes.

Parent topic: Configuring a Per Host Node Manager for an Enterprise Deployment

Enrolling the Domain with NM

Perform the following steps in a new terminal window to enroll the domain with Node manager.

Note:

You will be unable to connect to the Node Manager and use it to start the servers in the domain without performing this step.
  1. Change directory to the following directory:
    cd $ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST). In order to use the certificates created for the appropriate SSL handshake, the location of the stores and password of the same need to be provided to WLST. Use the following command or add these in a script that can be easily invoked: 
    
export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 -Dweblogic.security.CustomTrustKeyStorePassPhrase=storepassword"
./wlst.sh

    Note:

    You must avoid including the password in the script.
  3. Connect to the Administration Server by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic','<password>','t3s://ADMINVHN:9002')
  4. Use the nmEnroll command to enable the Node Manager to manage servers in a specified WebLogic domain.
    nmEnroll('ASERVER_HOME')

    For example:

    nmEnroll('/u01/oracle/config/domains/soaedg_domain')
  5. Generate startup properties for the Admin Server using the following WLST command:
    nmGenBootStartupProps('AdminServer')

    The startup.properties and boot.properties files are created in the following directory: 

    $ASERVER_HOME/servers/AdminServer/data/nodemanager/

Parent topic: Configuring a Per Host Node Manager for an Enterprise Deployment

Adding Truststore Configuration to Node Manager

It is required to add the corresponding truststore configuration for Node Manager communication with the different WebLogic Server listeners. To do this, edit Node Manager's start script startNodeManager.sh located at $NM_HOME and add the variable JAVA_OPTIONS to set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties with the values used by your EDG system. For example: 

export JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStore=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 -Djavax.net.ssl.trustStorePassword=mypassword"

Note:

If you have used the generate_perdomainCACERTS.sh script to generate certificates and stores, the trustStorePassword is the password provided as "KEYPASS" parameter to the script.

Parent topic: Configuring a Per Host Node Manager for an Enterprise Deployment

Configuring the Domain Directories and Starting the Servers on SOAHOST1

After the domain is created and the node manager is configured, you can then configure the additional domain directories and start the Administration Server and the Managed Servers on SOAHOST1.

  • Starting the Administration Server Using the Node Manager
    After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.
  • Validating the Administration Server
    Before you proceed with the configuration steps, validate that the Administration Server has started successfully by making sure that you have access to the Oracle WebLogic Remote Console and Oracle Enterprise Manager Fusion Middleware Control; both of these are installed and configured on the Administration Servers.
  • Creating a Separate Domain Directory for Managed Servers on SOAHOST1
    When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory is used to run the Administration Server. You can now create a copy of the domain on the local storage for both SOAHOST1 and SOAHOST2. The domain directory on the local (or private) storage is used to run the Managed Servers.
  • Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1
    After you have configured Node Manager and created the Managed Server domain directory, you can use Oracle Enterprise Manager Fusion Middleware Control to start the WLS_WSM1 Managed Server on SOAHOST1.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Starting the Administration Server Using the Node Manager

After you have configured the domain and configured the Node Manager, you can start the Administration Server by using the Node Manager. In an enterprise deployment, the Node Manager is used to start and stop the Administration Server and all the Managed Servers in the domain.

To start the Administration Server by using the Node Manager:

  1. Ensure that the Administration Server is stopped.
  2. Start the WebLogic Scripting Tool (WLST):
    
export WLST_PROPERTIES="
-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12
-Dweblogic.security.CustomTrustKeyStorePassPhrase=password"
cd $ORACLE_COMMON_HOME/common/bin
./wlst.sh

    Note:

    The weblogic.security.SSL.ignoreHostnameVerification=true is required when using Demo certificates as the ones provided my the generateCertifcates scripts. In an environment with formal CA and certificates, this flag should not be used.
  3. Connect to Node Manager by using the Node Manager credentials:
    nmConnect('nodemanager_username','nodemanager_password','ADMINVHN','5556','domain_name','ASERVER_HOME','SSL')

    Replace ADMINVHN and ASERVER_HOME with the values of the respective variables.

    Note:

    This user name and password are used only to authenticate connections between Node Manager and clients. They are independent of the server administrator ID and password and are stored in the nm_password.properties file located in the following directory: 

    ASERVER_HOME/config/nodemanager
  4. Start the Administration Server:
    nmStart('AdminServer')

    Note:

    When you start the Administration Server, it attempts to connect to Oracle Web Services Manager for WebServices policies. It is expected that the WSM-PM Managed Servers are not yet started, and so, the following message appears in the Administration Server log:

    <Warning><oracle.wsm.resources.policymanager>
<WSM-02141><Unable to connect to the policy access service due to Oracle WSM policy manager host server being down.>
  5. Exit WLST:
    exit()

Parent topic: Configuring the Domain Directories and Starting the Servers on SOAHOST1

Validating the Administration Server

Before you proceed with the configuration steps, validate that the Administration Server has started successfully by making sure that you have access to the Oracle WebLogic Remote Console and Oracle Enterprise Manager Fusion Middleware Control; both of these are installed and configured on the Administration Servers.

To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:

https://ADMINVHN:9002/em

You should be able to connect to the Admin Server from the Remote Console as before.

Parent topic: Configuring the Domain Directories and Starting the Servers on SOAHOST1

Creating a Separate Domain Directory for Managed Servers on SOAHOST1

When you initially create the domain for enterprise deployment, the domain directory resides on a shared disk. This default domain directory is used to run the Administration Server. You can now create a copy of the domain on the local storage for both SOAHOST1 and SOAHOST2. The domain directory on the local (or private) storage is used to run the Managed Servers.

Placing the MSERVER_HOME on local storage is recommended to eliminate the potential contention and overhead caused by servers writing logs to shared storage. It is also faster to load classes and jars need from the domain directory, so any temporary or cache data that the Managed Servers use from the domain directory is processed quicker.

As described in Preparing the File System for an Enterprise Deployment, the path to the Administration Server domain home is represented by the ASERVER_HOME variable, and the path to the Managed Server domain home is represented by the MSERVER_HOME variable.

To create the Managed Server domain directory:

  1. Sign in to SOAHOST1 and run the pack command to create a template as follows:
    cd $ORACLE_COMMON_HOME/common/bin
 
./pack.sh -managed=true \ 
          -domain=ASERVER_HOME \ 
          -template=/full_path/create_domain.jar \ 
          -template_name=create_domain_template \
	  -log_priority=DEBUG \ 
          -log=/tmp/pack.log

    In this example:

    • Replace ASERVER_HOME with the actual path to the domain directory you created on the shared storage device.

    • Replace full_path with the complete path to the location where you want to create the domain template jar file. You need to reference this location when you copy or unpack the domain template jar file. It is recommended to choose a shared volume other than ORACLE_HOME, or write to /tmp/ and copy the files manually between servers.

      You must specify a full path for the template jar file as part of the -template argument to the pack command: 

      SHARED_CONFIG_DIR/domains/template_filename.jar

    • The create_domain.jar file is a sample name for the jar file that you create, which contains the domain configuration files.

    • The create_domain_template label is the label is assigned to the template data stored in the template file.

  2. Make a note of the location of the create_domain.jar file that you just created with the pack command.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  3. If you have not already, create the recommended directory structure for the Managed Server domain on the SOAHOST1 local storage device.
  4. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=MSERVER_HOME \
            -overwrite_domain=true \
            -template=/full_path/create_domain.jar \
	    -log_priority=DEBUG \
            -log=/tmp/unpack.log \
            -app_dir=APPLICATION_HOME

    Note:

    The -overwrite_domain option in the unpack command allows you to unpack a managed server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the managed server domain directory, they must be restored after this unpack operation.

    Additionally, to customize server startup parameters that apply to all servers in a domain, you can create a file called setUserOverridesLate.sh and configure it to, for example, add custom libraries to the WebLogic Server classpath, specify additional JAVA command-line options for running the servers, or specify additional environment variables. Any customizations that you add to this file are preserved during domain upgrade operations, and are carried over to remote servers when you use the pack and unpack commands.

    In this example:

    • Replace MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain is unpacked.

    • Replace /full_path/create_domain.jar with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack the domain on the shared storage device.

    • Replace APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  5. Change directory to the newly created Managed Server directory and verify that the domain configuration files were copied to the correct location on the SOAHOST1 local storage device.

Parent topic: Configuring the Domain Directories and Starting the Servers on SOAHOST1

Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1

After you have configured Node Manager and created the Managed Server domain directory, you can use Oracle Enterprise Manager Fusion Middleware Control to start the WLS_WSM1 Managed Server on SOAHOST1.

  1. Enter the following URL into a browser to display the Fusion Middleware Control login screen:
    https://ADMINVHN:9002/em

    In this example:

  2. Sign-in to the Fusion Middleware Control by using the administrator's account.
  3. Select the Servers pane to view the Managed Servers in the domain.
  4. Select only the WLS_WSM1 Managed Server, and note the assigned port number.
  5. Click Control > Start on the tool bar to start the selected WLS_WSM1 Managed Server.
  6. To verify that the Managed Server is working correctly, open your browser and enter the following URL:
    https://SOAHOST1:7010/wsm-pm/

    Enter the domain admin user name and password when prompted.

    Note:

    The wsm-pm validator does not work properly until the appropriate WSM Domain Configuration and WSM bootstrap steps are completed as described in the following sections.

Parent topic: Configuring the Domain Directories and Starting the Servers on SOAHOST1

Configuring Web Services Manager

This section describes how to configure Web Services Manager.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Updating WebServices Domain Configuration

  1. Log into the Fusion Middleware Control by using the administrator’s account.
  2. In the Weblogic Domain drop down menu, select WebServices > WSM Domain Configuration.
  3. Click Policies Access tab.
  4. Select the Auto Discover and Use SSL Only check boxes.
  5. In the SSL Setup section, select Oneway.
  6. In KeyStore Type, select JKS (Java Key Store).

    Note:

    You must select JKS if you are using the certificates and stores created in previous steps.

  7. In the Truststore Path enter the location of the truststore used in previous sections as follows:
    /u01/oracle/config/keystores/appTrustKeyStore.pkcs12
  8. In the Key field, enter a name to uniquely identify the password used for the truststore.
  9. In the password field, enter the password used for the truststore in previous sections (same as domain admin).
  10. Click Apply.

Parent topic: Configuring Web Services Manager

Bootstrapping WSM

In a new terminal window, perform the following steps to bootstrap WSMPM.

Note:

If this task is not performed, the WSMPM does not work properly .
  1. Change directory to the following directory as follows:
    cd $ORACLE_COMMON_HOME/common/bin
  2. Start the WebLogic Server Scripting Tool (WLST). To use the certificates created for the appropriate SSL handshake, the location of the stores and password of the same need to be provided to WLST. Use the following command or add these in a script that can be easily invoked (avoid including the password in the script): 
    
export WLST_PROPERTIES="-Dweblogic.security.TrustKeyStore=CustomTrust
-Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12
-Dweblogic.security.CustomTrustKeyStorePassPhrase=storepassword"
./wlst.sh
  3. Connect to the Administration Server by using the following WLST command:
    connect('admin_user','admin_password','admin_url')

    For example:

    connect('weblogic','<password>','t3s://ADMINVHN:9002')
  4. Use the setWSMBootstrapConfig to enable WSM pm.url.
    setWSMBootstrapConfig('domain_name','domainpath','ConfigManager','pm.url','auto-ssl')

    For example:

    setWSMBootstrapConfig('soaedg_domain','/u01/oracle/config/domains/soaedg_domain','ConfigManager','pm.url','auto-ssl')

    Check that the appropriate entry is created in the $ASERVER_HOME/config/fmwconfig/wsm-config.xml for the domain. For example: 

    
cat /u01/oracle/config/domains/soaedg_domain/config/fmwconfig/wsm-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<orares:properties xmlns:orares="http://xmlns.oracle.com/wsm/resources" xmlns:wsp15="http://www.w3.org/ns/ws-policy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orares:type="CONFIGURATION" orares:resource="/">
   <orares:property orares:category="ConfigManager" orares:name="pm.url">
      <orares:value>auto-ssl</orares:value>
   </orares:property>
</orares:properties>

Parent topic: Configuring Web Services Manager

Propagating the Domain and Starting the Servers on SOAHOST2

After you start and validate the Administration Server and WLS_WSM1 Managed Server on SOAHOST1, you can then perform the following tasks on SOAHOST2.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Unpacking the Domain on SOAHOST2

This procedure assumes you have copied the file that you created earlier in a location that is accessible from both SOAHOST1 and SOAHOST2; such as the ASERVER_HOME directory, which is located on the shared storage filer:

  1. Log in to SOAHOST2.
  2. If you haven't already, create the recommended directory structure for the Managed Server domain on the SOAHOST2 storage device.
  3. Make sure the create_domain.jar accessible to SOAHOST2.
    For example, if you are using a separate shared storage volume or partition for SOAHOST2, then copy the template to the volume or partition mounted to SOAHOST2.
  4. Run the unpack command to unpack the template in the domain directory onto the local storage, as follows:
    cd $ORACLE_COMMON_HOME/common/bin

./unpack.sh -domain=MSERVER_HOME \
            -overwrite_domain=true \
            -template=/full_path/create_domain.jar \ 
            -log_priority=DEBUG \
            -log=/tmp/unpack.log \
            -app_dir=APPLICATION_HOME

    Note:

    The -overwrite_domain option in the unpack command allows unpacking a managed server template into an existing domain and existing applications directories. For any file that is overwritten, a backup copy of the original is created. If any modifications had been applied to the start scripts and ear files in the managed server domain directory, they must be restored after this unpack operation.

    Additionally, to customize server startup parameters that apply to all servers in a domain, you can create a file called setUserOverridesLate.sh and configure it to, for example, add custom libraries to the WebLogic Server classpath, specify additional java command line options for running the servers, or specify additional environment variables. Any customizations you add to this file are preserved during domain upgrade operations, and are carried over to remote servers when using the pack and unpack commands.

    In this example:

    • Replace MSERVER_HOME with the complete path to the domain home to be created on the local storage disk. This is the location where the copy of the domain will be unpacked.

    • Replace /full_path/create_domain.jar with the complete path and file name of the domain template jar file that you created when you ran the pack command to pack up the domain on the shared storage device.

    • Replace APPLICATION_HOME with the complete path to the Application directory for the domain on shared storage. See File System and Directory Variables Used in This Guide.

    Tip:

    For more information about the pack and unpack commands, see Overview of the Pack and Unpack Commands in Creating Templates and Domains Using the Pack and Unpack Commands.

  5. Change directory to the newly created MSERVER_HOME directory and verify that the domain configuration files were copied to the correct location on the SOAHOST2 local storage device.

Parent topic: Propagating the Domain and Starting the Servers on SOAHOST2

Starting the Node Manager on SOAHOST2

After you manually set up the Node Manager to use a per host Node Manager configuration, you can start the Node Manager by using the following commands on SOAHOST2:
  1. Change directory to the Node Manager home directory:
    cd $NM_HOME
  2. Run the following command to start the Node Manager and send the output of the command to an output file, rather than to the current terminal shell:
    nohup ./startNodeManager.sh > nodemanager.out 2>&1 &

Parent topic: Propagating the Domain and Starting the Servers on SOAHOST2

Starting and Validating the WLS_WSM2 Managed Server on SOAHOST2

Use the procedure in Starting and Validating the WLS_WSM1 Managed Server on SOAHOST1 to start and validate the WLS_WSM2 Managed Server on SOAHOST2.

Parent topic: Propagating the Domain and Starting the Servers on SOAHOST2

Modifying the Upload and Stage Directories to an Absolute Path

After you configure the domain and unpack it to the Managed Server domain directories on all the hosts, verify and update the upload and stage directories for Managed Servers in the new clusters. See Modifying the Upload and Stage Directories to an Absolute Path in an Enterprise Deployment.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

When you configure an Oracle Fusion Middleware domain, the domain is configured by default to use the WebLogic Server authentication provider (DefaultAuthenticator). However, for an enterprise deployment, Oracle recommends that you use a dedicated, centralized LDAP-compliant authentication provider.

The following topics describe how to use the Oracle WebLogic Remote Console to create a new authentication provider for the enterprise deployment domain. This procedure assumes that you have already installed and configured a supported LDAP directory, such as Oracle Unified Directory or Oracle Internet Directory.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

About the Supported Authentication Providers

Oracle Fusion Middleware supports a variety of LDAP authentication providers. See Identity Store Types and WebLogic Authenticators in Securing Applications with Oracle Platform Security Services.

The instructions in this guide assume that you are using one of the following providers:

  • Oracle Unified Directory

  • Oracle Internet Directory

  • Microsoft Active Directory

Note:

By default, the instructions here describe how to configure the identity service instance to support querying against a single LDAP identity store with an unencrypted connection.

If the connection to your identity provider has to be secured through SSL, then additional keystone configuration is required for role management in the Enterprise Manager Fusion Middleware Control to function correctly. For additional configuration information, see Doc ID 1670789.1 at support.oracle.com.

Also, you can configure the service to support a virtualized identity store, which queries multiple LDAP identity stores, by using LibOVD.

For more information about configuring a Multi-LDAP lookup, refer to Configuring the Identity Store Service in Securing Applications with Oracle Platform Security Services.

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

About the Enterprise Deployment Users and Groups

The following topics provide important information on the purpose and characteristics of the enterprise deployment administration users and groups.

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

About Using Unique Administration Users for Each Domain

When you use a central LDAP user store, you can provision users and groups for use with multiple Oracle WebLogic Server domains. As a result, there is a possibility that one WebLogic administration user can have access to all the domains within an enterprise.

It is a best practice to create and assign a unique distinguished name (DN) within the directory tree for the users and groups that you provision for the administration of your Oracle Fusion Middleware domains.

For example, if you plan to install and configure an Oracle SOA Suite enterprise deployment domain, then create a user called weblogic_soa and an administration group called SOA Administrators.

About the Domain Connector User

Oracle recommends that you create a separate domain connector user (for example, soaLDAP) in your LDAP directory. This user allows the domain to connect to the LDAP directory for the purposes of user authentication. It is recommended that this user be a non-administrative user.

In a typical Oracle Identity and Access Management deployment, you create this user in the systemids container. This container is used for system users that are not normally visible to users. Placing the user into the systemids container ensures that customers who have Oracle Identity Governance do not reconcile this user.

About Adding Users to the Central LDAP Directory

After you configure a central LDAP directory to be the authenticator for the enterprise domain, then you should add all new users to the new authenticator and not to the default WebLogic Server authenticator.

To add new users to the central LDAP directory, you cannot use the WebLogic Remote Console. Instead, you must use the appropriate LDAP modification tools, such as ldapbrowser or JXplorer.

When you are using multiple authenticators (a requirement for an enterprise deployment), login and authentication will work, but role retrieval will not. The role is retrieved from the first authenticator only. If you want to retrieve roles using any other authenticator, then you must enable virtualization for the domain.

To enable virtualization:

  1. Browse to the Fusion Middleware Control, and log in with the administrative credentials.

    https://ADMINVHN:9002/em

  2. Navigate to WebLogic Domain > Security > Security Provider Configuration.

  3. Expand Security Store Provider.

  4. Expand Identity Store Provider.

  5. Click Configure.

  6. Add a custom property.

  7. Set the following properties:
    • virtualize with value true
    • optimize_search with value true

    Click OK.

  8. Click OK again to persist the change.

  9. Restart the Administration Server and all managed servers.

For more information about the virtualize property, see OPSS System and Configuration Properties in Securing Applications with Oracle Platform Security Services.

Note:

When you set virtualize to true, applications that create users or groups in the LDAP require two additional custom properties in the Identity Store Provider:

  • Property user.create.bases, to specify the DN under which the users will be created. Example: cn=users,dc=example,dc=com.

  • Property group.create.bases, to specify the DN under which the groups will be created. Example: cn=groups,dc=example,dc=com.

You can configure these properties by following the steps that are described above for adding the virtualize property.

SOA products do not have any application that creates users or groups in the LDAP, so this is required only if you are planning to deploy any additional application that does it. See Configuring the Identity Store in Securing Applications with Oracle Platform Security Services

About Product-Specific Roles and Groups for Oracle SOA Suite

Each Oracle Fusion Middleware product implements its own predefined roles and groups for administration and monitoring.

As a result, as you extend the domain to add additional products, you can add these product-specific roles to the SOA Administrators group. After they are added to the SOA Administrators group, each product administrator user can administer the domain with the same set of privileges for performing administration tasks.

For instructions on adding additional roles to the SOA Administrators group, see Common Configuration and Management Tasks for an Enterprise Deployment.

Example Users and Groups Used in This Guide

In this guide, the examples assume that you provision the following administration user and group with the following DNs:

  • Admin User DN:

    cn=weblogic_soa,cn=users,dc=example,dc=com

  • Admin Group DN:

    cn=SOA Administrators,cn=groups,dc=example,dc=com
  • Product-specific LDAP Connector User:
    cn=soaLDAP,cn=systemids,dc=example,dc=com
    This is the user that you use to connect WebLogic Managed Servers to the LDAP authentication provider. This user must have permissions to read and write to the Directory Trees:
    cn=users,dc=example,dc=com
cn=groups,dc=example,dc=com

Note:

This user needs to be granted membership in the following groups to provide read and write access:

cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com

Prerequisites for Creating a New Authentication Provider and Provisioning Users and Groups

Before you create a new LDAP authentication provider, back up the relevant configuration files:

$ASERVER_HOME/config/config.xml
$ASERVER_HOME/config/fmwconfig/jps-config.xml
$ASERVER_HOME/config/fmwconfig/system-jazn-data.xml

In addition, back up the boot.properties file for the Administration Server in the following directory: 

ASERVER_HOME/servers/AdminServer/security

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

Provisioning a Domain Connector User in the LDAP Directory

This example shows how to create a user called soaLDAP in the central LDAP directory.

To provision the user in the LDAP provider:

  1. Create an LDIF file named domain_user.ldif with the following contents and then save the file: 

    dn: cn=soaLDAP,cn=systemids,dc=example,dc=com
changetype: add
orclsamaccountname: soaLDAP
userpassword: password
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: soaLDAP@example.com
givenname: soaLDAP
sn: soaLDAP
cn: soaLDAP
uid: soaLDAP

    Note:

    If you use Oracle Unified Directory, then add the following four group memberships to the end of the LDIF file to grant the appropriate read/write privileges:

    dn:
cn=orclFAUserReadPrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAGroupReadPrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAUserWritePrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

dn: cn=orclFAGroupWritePrivilegeGroup,cn=groups,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=soaLDAP,cn=systemids,dc=example,dc=com

  2. Provision the user in the LDAP directory.

    For example, for an Oracle Unified Directory LDAP provider:

    OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                 -h idstore.example.com
                                 -D "cn=oudadmin" \
                                 -w password \
                                 -p 1389 \
                                 -f domain_user.ldif

    For Oracle Internet Directory:

    OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \
                             -p 3060 \
                             -D cn="orcladmin" \
                             -w password \
                             -c \
                             -v \
                             -f domain_user.ldif

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

Creating the New Authentication Provider

To configure a new LDAP-based authentication provider:

  1. Log into the WebLogic Remote Console.
  2. Click Edit Tree.
  3. In the left navigational bar, click Security > Realms > myrealm > Authentication Providers.

    Note:

    The DefaultAuthenticator provider is configured for the realm. This is the default WebLogic Server authentication provider.
  4. Click New button.

  5. Enter a name for the provider.

    Use one of the following names, based on the LDAP directory service that you plan to use as your credential store:

    • OUDAuthenticator for Oracle Unified Directory

    • OIDAuthenticator for Oracle Internet Directory

  6. Select the authenticator type from the Type drop-down list.

    Select one of the following types, based on the LDAP directory service that you plan to use as your credential store:

    • OracleUnifiedDirectoryAuthenticator for Oracle Unified Directory

    • OracleInternetDirectoryAuthenticator for Oracle Internet Directory

  7. Select SUFFICIENT from the Control Flag drop-down menu for the newly created authenticator provider.

    Setting the control flag to SUFFICIENT indicates that if the authenticator can successfully authenticate a user, then the authenticator should accept that authentication and should not continue to invoke any additional authenticators.

    If the authentication fails, it falls through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flags set to SUFFICIENT; in particular, check the DefaultAuthenticator option and make sure that its control flag is set to SUFFICIENT.

  8. Click Create.

  9. Click the Authenticator Parameters tab and enter the details specific to your LDAP server, as shown in the following table.

    Note that only the required fields are discussed in this procedure. For information about all the fields on this page, consider the following resources:

    Parameter Sample Value Value Description

    Host

    For example: idstore.example.com

    The LDAP server's server ID.

    Port

    For example: 1389

    The LDAP server's port number.

    Principal

    For example: cn=soaLDAP, cn=systemids,dc=example,dc=com

    The LDAP user DN used to connect to the LDAP server.

    Credential

    Enter LDAP password.

    The password used to connect to the LDAP server.

    SSL Enabled

    Unchecked (clear)

    Specifies whether SSL protocol is used when connecting to the LDAP server.

    User Base DN

    For example: cn=users,dc=example,dc=com

    Specify the DN under which your users start.

    All Users Filter

    (&(uid=*)(objectclass=person))

    Instead of a default search criteria for All Users Filter, search all users based on the uid value.

    If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the User From Name Filter field.

    For example, if the User Name Attribute type is cn, then this field should be set to:

    (&(cn=*)(objectclass=person)))

    User From Name Filter

    For example:

    (&(uid=%u)(objectclass=person))

    If the User Name Attribute for the user object class in the LDAP directory structure is a type other than uid, then change that type in the settings for the User From Name Filter.

    For example, if the User Name Attribute type is cn, then this field should be set to:

    (&(cn=%u)(objectclass=person))).

    User Name Attribute

    For example: uid

    The attribute of an LDAP user object that specifies the name of the user.

    Group Base DN

    For example: cn=groups,dc=example,dc=com

    Specify the DN that points to your Groups node.

    Use Retrieved User Name as Principal

    Checked

    Must be turned on.

    GUID Attribute

    entryuuid

    This value is prepopulated with entryuuid when OracleUnifiedDirectoryAuthenticator is used for OUD. Check this value if you use Oracle Unified Directory as your authentication provider.

  10. Click Save to save the changes.

  11. Commit the changes in the shopping cart.
  12. Navigate to Authenticator Providers under Security > Realms > myrealm.
  13. Check the Authenticator Providers you just created and move up to the first position.

  14. On the Authentication Providers screen, click DefaultAuthenticator.

  15. From the Control Flag drop-down, select SUFFICIENT.

  16. Click Save to update the DefaultAuthenticator settings.

  17. Commit the changes in the shopping cart.

  18. Restart the Administration Server and all managed servers.

    To stop the Managed Servers, sign in to Fusion Middleware Control, select the Managed Servers in the Target Navigator and click Shut Down in the toolbar.

    To stop and start the Administration Server by using the Node Manager:

    1. Start WLST:
      export WLST_PROPERTIES="
-Dweblogic.security.TrustKeyStore=CustomTrust 
-Dweblogic.security.CustomTrustKeyStoreFileName=/u01/oracle/config/keystores/appTrustKeyStore.pkcs12 
-Dweblogic.security.CustomTrustKeyStorePassPhrase=password"
cd $ORACLE_COMMON_HOME/common/bin
./wlst.sh

    2. Connect to Node Manager by using the Node Manager credentials that you defined when you created the domain in the Configuration Wizard:

      wls:/offline>nmConnect('nodemanager_username','nodemanager_password',
            'ADMINVHN','5556','domain_name',
            'ASERVER_HOME','SSL')

    3. Stop the Administration Server:

      nmKill('AdminServer')

    4. Start the Administration Server:

      nmStart('AdminServer')

    5. Exit WLST:

      exit()

      To start the Managed Servers, log in to Fusion Middleware Control, select the Managed Servers, and click Start Up in the toolbar.

      Note:

      If you plan to log in to the system immediately by using the central LDAP user role, you can skip the restart until you have assigned the Administration role to the new enterprise deployment administration group. For more information, see Adding the Administration Role to the New Administration Group.

  19. After the restart, review the contents of the following log file:

    $ASERVER_HOME/servers/AdminServer/logs/AdminServer.log

    Verify that no LDAP connection errors occurred. For example, look for errors such as the following:

    The LDAP authentication provider named "OUDAuthenticator" failed to make connection to ldap server at ...

    If you see such errors in the log file, then check the authorization provider connection details to verify that they are correct and try saving and restarting the Administration Server again.

  20. After you restart and verify that no LDAP connection errors are in the log file, try browsing the users and groups that exist in the LDAP provider:

    1. In the Remote Console, go to the Security Tree.

    2. Navigate to Realms > myrealm > Authentication Providers.

    3. Expand the new Authentication Provider.

    4. Click Users and then click Groups.

      You should be able to see all users and groups that exist in the LDAP provider structure.

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

Provisioning an Enterprise Deployment Administration User and Group

This example shows how to create a user called weblogic_soa and a group called SOA Administrators.

To provision the administration user and group in LDAP provider:

  1. Create an LDIF file named admin_user.ldif with the following contents and then save the file: 

    dn: cn=weblogic_soa,cn=users,dc=example,dc=com
changetype: add
orclsamaccountname: weblogic_soa
userpassword: password
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: weblogic_soa@example.com
givenname: weblogic_soa
sn: weblogic_soa
cn: weblogic_soa
uid: weblogic_soa

  2. Provision the user in the LDAP directory.

    For example, for an Oracle Unified Directory LDAP provider:

    OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                 -h idstore.example.com
                                 -D "cn=oudadmin" \
                                 -w password \
                                 -p 1389 \
                                 -f admin_user.ldif

    For Oracle Internet Directory:

    OID_ORACLE_HOME/bin/ldapadd -h idstore.example.com \
                             -p 3060 \
                             -D "cn=oudadmin" \
                             -w password \
                             -c \
                             -v \
                             -f admin_user.ldif

  3. Create an LDIF file named admin_group.ldif with the following contents and then save the file: 

    dn: cn=SOA Administrators,cn=Groups,dc=example,dc=com
displayname: SOA Administrators
objectclass: top
objectclass: GroupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_soa,cn=users,dc=example,dc=com
cn:SOA Administrators
description: Administrators Group for the Oracle SOA Suite Domain

  4. Provision the group in the LDAP Directory.

    For Oracle Unified Directory:

    OUD_INSTANCE_HOME/bin/ldapmodify -a \
                                 -D "cn=oudadmin" \
                                 -h oudhost.example.com \
                                 -w password \
                                 -p 1380 \
                                 -f admin_group.ldif

    For Oracle Internet Directory:

    OID_ORACLE_HOME/bin/ldapadd -h oidhost.example.com \
                            -p 3060 \
                            -D "cn=oudadmin" \
                            -w password \
                            -c \
                            -v \
                            -f admin_group.ldif

  5. Verify that the changes were made successfully:

    1. In the Remote Console, go to Security Tree.

    2. Navigate to Realms > myrealm > Authentication Providers.

    3. Expand the new Authentication Provider.

    4. Click Users and verify if the administrator user that you provisioned is listed.

    5. Click Groups and verify if the administrator group that you provisioned is listed.

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

Adding the Administration Role to the New Administration Group

After you add the users and groups to your LDAP directory, the group must be assigned the Administration role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for the domain.

To assign the Administration role to the new enterprise deployment administration group:

  1. Log in to the WebLogic Remote Console by using the administration credentials that you provided in the Configuration Wizard.

    Do not use the credentials for the administration user that you created and provided for the new authentication provider.

  2. Click Security Data Tree.
  3. Click Realms > myrealm > Role Mappers > XACMLRoleMapper > Global > Roles.
  4. Click the Admin role.
  5. Click Add conditions.
  6. Select Group from the Predicate List drop-down menu, and then click Next.
  7. Enter SOA Administrators in the Group Argument Name field, and then click OK.

    SOA Administrators is added to the list box of arguments.

  8. Click Save to finish adding the Admin Role to the SOA Administrators group.
  9. Validate that the changes were made by logging into the WebLogic Remote Console and into the Fusion Middleware Control by using the new weblogic_soa user credentials.

    If you can log into the Oracle WebLogic Remote Console and Fusion Middleware Control with the credentials of the new administration user that you just provisioned in the new authentication provider, then you have configured the provider successfully.

Parent topic: Creating a New LDAP Authenticator and Provisioning Enterprise Deployment Users and Group

Adding the wsm-pm Role to the Administrators Group

After you configure a new LDAP-based Authorization Provider and restart the Administration Server, add the enterprise deployment administration LDAP group (SOA Administrators) as a member to the policy.Updater role in the wsm-pm application stripe.

  1. Sign in to the Fusion Middleware Control by using the administrator's account. For example: weblogic_soa.
  2. From the WebLogic Domain menu, select Security, and then Application Roles.
  3. Select the wsm-pm application stripe from the Application Stripe drop-down menu.
  4. Click the triangular icon next to the role name text box to search for all role names in the wsm-pm application stripe.
  5. Select the row for the policy.Updater role to be edited.
  6. Click the Application Role Edit icon to edit the role.
  7. Click the Application Role Add icon on the Edit Application Role page.
  8. In the Add Principal dialog box, select Group from the Type drop-down menu.
  9. To search for the enterprise deployment administrators group, enter the group name SOA Administrators in the Principal Name Starts With field and click the right arrow to start the search.
  10. Select the appropriate administrators group in the search results and click OK.
  11. Click OK on the Edit Application Role page.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Backing Up the Configuration

It is an Oracle best practices recommendation to create a backup after you successfully extended a domain or at another logical point. Create a backup after you verify that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps.

The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment

Verification of Manual Failover of the Administration Server

After you configure the domain, you should test the failover. For instructions to test, see Verifying Manual Failover of the Administration Server.

Parent topic: Creating the Initial Infrastructure Domain for an Enterprise Deployment