Overview

With the release of Identity & Access Management suite R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool to automate the installation and configuration of products related to the IAM suite. This tool is named the Oracle Identity and Access Management Deployment Wizard.

With the Deployment Wizard, you can fully automate the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM or OIM integrated with OAM and OUD. Here’s everything you need to know.

Getting Started

First, you will need to download a completely separate set of software for this. The normal Identity & Access Management suite download packages won’t work. If you go to the Oracle download page for 11.1.2.2.0, you will see a section at the bottom for the Deployment Repository.

This package contains everything you will need: The IAM Suite, RCU, WebLogic, JDK, WebTier, WebGate (11g), SOA, OUD, and of course, the Deployment Wizard. All four zips come out to over 12GB in size. The overall process order is as follows:

  1. Install JDK
  2. Run the RCU to create the schemas
  3. Install the Deployment Wizard
  4. Run the Deployment Wizard to create a response file
  5. Run the Deployment Wizard using the generated response file to deploy

The deployment process itself is split up into 8 steps, and they have to be run in order. Here is a summary of what these steps do when selecting a full deployment (OAM/OIM/OUD):

preverify

  • This checks that each of the servers being used in the topology satisfies the minimum requirements of the software being installed and configured.

install

  • This installs all of the software and related patches present in Oracle Identity and Access Management deployment repository.

preconfigure

  • Creates OUD and seeds it with Users/Groups.
  • SSL-enables OUD
  • Creates the WebLogic Domain and extends it to all the necessary components
  • Creates OHS instance

configure

  • Starts managed servers as necessary
  • Configures OIM
  • Associates OAM with OUD

configure-secondary

  • Integrates the WebLogic Domain with the Webtier
  • Registers Webtier with domain
  • Integrates OAM and OIM

postconfigure

  • Runs OIM Reconciliation
  • Configures UMS Mail Server
  • Generates OAM Keystore
  • Configures Webgates

startup

  • This starts up all components in the topology

validate

  • This performs a number of checks on the built topology to ensure that everything is working as it should be.

The tool will step you through each section, but if you do it from the command line, you need to ensure the order and only proceed if the previous step completes successfully. If any step fails, you have to start over, which means deleting any directories the tool creates and, depending on where in the process it failed, dropping and recreating your schemas.

Deployment Layout

The Deployment Wizard will install things in a very specific manner. First, every component is in its own WebLogic domain. So if you do a full deployment (OAM/OIM/OUD), you will have two WebLogic Domains in two separate WebLogic installations.

The directory structure is also unique. When creating the response file (below), you’re given the option to specify two destination locations, the software location and the config location, and by default the config location is placed inside the software location. So if you chose /fmw as your software installation, it will default to putting the shared configuration in /fmw/config.

The Shared Configuration location is where it will place:

  • Domain Homes
  • Instances (OUD and OHS)
  • NodeManager configuration
  • keystores
  • scripts folder to start/stop the suite
  • other deployment related things

In the Software Installation location you will see:

  • a “products” directory
    • separate WebLogic installations for OIM and OAM, each containing a copy of the IAM Oracle Home
    • OUD Oracle Home
    • OHS Oracle Home
    • Webgate Oracle Home
  • a “provisioning” directory. This contains deployment related files and directories
  • some lock files

Installing the Deployment Wizard

To install the Oracle Identity and Access Management Deployment Wizard, run the following command:

[ZIP_FILES_EXTRACT]/installers/idmlcm/Disk1/runInstaller -jreLoc $JAVA_HOME

This installer is very basic so I won’t screenshot its process. Just specify a location where you want the Deployment Wizard Oracle_Home to be and it will do the rest. On my installation I chose “/fmw”. This location is also referred to as IDMLCM_HOME (LCM for Life Cycle Management).

Create a Response File

Below are screenshots of the Deployment Wizard creating a response file for a full deployment that includes OAM/OIM integrated and OUD. Start the Deployment Wizard from here:

IDMLCM_HOME/provisioning/bin/iamDeploymentWizard.sh

  • On the following screen we are asked to specify the following directories:
    • Software Repository Location: This is the parent directory where you extracted the 4 zip files; it should contain a subdirectory called “installers”.
    • Software Installation Location: This is where everything will be installed.
    • Software Configuration Location: This will be auto-populated, but you can change it if needed. It is where the Domain and Instance directories will be placed.
  • On this screen you are asked to provide OHS ports. If you’re wondering what the OIM Admin Front End Port is, the tool will make OHS listen on two ports, 7777 and 7778, create a virtual host for each port, and place all the OIM-related reverse proxy mod_wl configs in the 7778 virtual host.
  • In this screen you are given the option to Configure Email Server. If you select this, the Deployment Wizard will configure the local system’s “sendmail” and also the User Messaging Service. Optionally, if you have another email server you’d like to use, you can specify the connection details in the Custom section.

This will create the response file and a directory called “provisioning_data”. If you move the response file to another location, you must also copy this directory, as it contains the generated SSL wallet.

Deploying the suite

When you deploy the suite, you can either do it through the GUI tool, or via the command line. I chose to do it with the command line, but if you want to go the other route, you would simply run the Deployment Wizard again like above, only this time you would select the “Deploy IAM Environment from a response file” option.

To do it via the command line, you have to execute each stage in order:

IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target preverify
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target install
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target preconfigure
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target configure
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target configure-secondary
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target postconfigure
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target startup
IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh -responseFile RESPONSE_FILE_LOCATION/provisioning.rsp -target validate

As I mentioned before, if anything fails you have to start over from scratch. Here are a few things that caused my installation to fail:

  • Did not have 30GB of free disk space.
  • Did not have the minimum 512MB of swap (this can be ignored with -ignoreSysPrereqs). Deployment will fail if any prerequisites are missing and the ignore flag isn’t set.
  • My shell had a previous $DOMAIN_HOME variable set, which broke the deployment halfway through. Make sure only JAVA_HOME is set.
  • Couldn’t resolve my host name. My FQDN was “demo.idm.guru” and I had an entry for the FQDN in /etc/hosts, but at some point it failed and the logs showed it couldn’t resolve “demo”. I appended that to the hosts file entry (x.x.x.x demo.idm.guru demo). Make sure the hostname resolves.
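Below is an added example, not part of the original post and not Oracle’s tooling: a POSIX shell wrapper that checks for the four failure causes just listed (free disk, swap, a stray DOMAIN_HOME, and an /etc/hosts entry carrying both the FQDN and the short name) and then runs the eight runIAMDeployment.sh stages from the command-line section in order, stopping at the first failure. It assumes IDMLCM_HOME and RESPONSE_FILE are set in the environment, and the 30GB and 512MB thresholds are the post’s figures.

```shell
#!/bin/sh
# Added example (not part of the original post or of Oracle's tooling): preflight
# checks for the four failure causes listed above, then the eight stages run in
# order, stopping at the first failure. Assumes IDMLCM_HOME and RESPONSE_FILE are
# set in the environment; the 30GB and 512MB minimums are the post's figures.

STAGES="preverify install preconfigure configure configure-secondary postconfigure startup validate"

# Free space in whole GB on the filesystem holding $1 (df -P keeps one line per fs).
free_gb() { df -Pk "$1" | awk 'NR==2 {print int($4/1024/1024)}'; }

# Swap size in MB from a meminfo-style file ($1, default /proc/meminfo).
swap_mb() { awk '/^SwapTotal:/ {print int($2/1024)}' "${1:-/proc/meminfo}"; }

# A hosts entry ($1) must carry both the FQDN ($2) and the short name ($3).
hosts_line_ok() {
    f=0; s=0
    for tok in $1; do
        [ "$tok" = "$2" ] && f=1
        [ "$tok" = "$3" ] && s=1
    done
    [ "$f" = 1 ] && [ "$s" = 1 ]
}

# Only JAVA_HOME should be set; a stale DOMAIN_HOME broke the post's run.
env_clean() { [ -z "${DOMAIN_HOME:-}" ] && [ -n "${JAVA_HOME:-}" ]; }

# Run every stage through command $1 (runIAMDeployment.sh, or a stub under test),
# echoing each stage name; stop at the first failure, because a failed deployment
# has to be cleaned up and restarted from scratch.
run_stages() {
    for stage in $STAGES; do
        echo "$stage"
        "$1" -responseFile "$RESPONSE_FILE" -target "$stage" >&2 ||
            { echo "stage $stage failed: clean up and start over" >&2; return 1; }
    done
}

preflight() {
    [ "$(free_gb "${1:-/}")" -ge 30 ] || { echo "need 30GB free" >&2; return 1; }
    [ "$(swap_mb)" -ge 512 ] || { echo "need 512MB swap, or use -ignoreSysPrereqs" >&2; return 1; }
    env_clean || { echo "unset everything but JAVA_HOME" >&2; return 1; }
    fqdn=$(hostname -f); short=${fqdn%%.*}
    hosts_line_ok "$(grep -w "$fqdn" /etc/hosts)" "$fqdn" "$short" ||
        { echo "/etc/hosts must list both $fqdn and $short" >&2; return 1; }
}

# Typical use: preflight "$IDMLCM_HOME" && run_stages "$IDMLCM_HOME/provisioning/bin/runIAMDeployment.sh"
```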

If everything goes well, it will take approximately 6 hours to do everything. If this seems long, keep in mind that it’s installing, configuring and integrating OIM and OAM, setting up LDAPSync, SSL-enabling some components, configuring OHS with Webgate, configuring WebLogic Authentication Providers, performing some light performance tuning, running OUD reconciliation, etc. A lot of the wait is the installation and waiting for the managed servers to restart during all these phases.

Afterthoughts

All in all, I’m very impressed. Once I ironed out the issues that were failing my install, it went through smoothly and everything worked perfectly. When it’s done, your oamconsole user is “oamAdminUser”, and to log into OUD you must specify the full DN of Directory Manager, “cn=Directory Manager,cn=Root DNs,cn=config”. Just “cn=Directory Manager” did not work.

I wish the Deployment Wizard would give me the choice of how to lay out the directory structures and whether or not I want OIM and OAM in a single or separate domains.

The tool also allows you to configure a High Availability topology with 2 nodes and, optionally, to put OHS in a DMZ, but the documentation does not describe this process; trying this out is on my to-do list.