Migrating your Fusion Applications Auth OHS to a DMZ server

Introduction

There may be a need to expose your application to non-employees outside of your organization, such as suppliers who make use of the Supplier Portal. This article describes how you can do this after you have already provisioned your Fusion Applications environment.

Main Article

In this article we describe the steps needed to move an existing IDM OHS from the middle tier to a web tier located on a machine in the DMZ. This process requires moving your OHS binaries and configuration files from the middle tier machine to another web tier machine in the DMZ and updating the configuration to support the DMZ deployment, as per the illustration below.

[Figure: basic_topology (the DMZ OHS deployment described in this article)]

Moving the IDM OHS software

The root directory for Oracle Identity Management product binary files is IDM_BASE. The IDM_BASE/products directory includes your binary files and should have a directory structure similar to the one below:

drwxr-xr-x.  8 oras14 oinstall  8 Mar 25  2014 ohs
drwxr-x---. 13 oras14 oinstall 18 Mar 25  2014 dir
drwxr-x---. 16 oras14 oinstall 21 Mar 26  2014 app

Pack the contents of IDM_BASE/products/ohs, including all subdirectories, and move them from the existing machine to your new target machine in the DMZ.

This new directory structure on the DMZ machine should include all the following sub-directories:

drwxr-xr-x.  9 oras14 oinstall 11 Dec 11  2013 jdk6
drwxr-x---. 48 oras14 oinstall 52 Mar 25  2014 ohs
drwxr-xr-x.  3 oras14 oinstall  3 Mar 25  2014 utils
drwxr-x---. 33 oras14 oinstall 36 Mar 25  2014 oracle_common
drwxr-x---.  9 oras14 oinstall 10 Mar 25  2014 webgate
drwxr-x---.  5 oras14 oinstall  5 Mar 25  2014 oraInventory

This step can be completed even while your system is up and running.

Verify that the directory path is correct in oraInst.loc after this move.

cd /u01/app/idm/products/ohs/ohs
cat oraInst.loc
inventory_loc=/u01/app/idm/products/ohs/oraInventory
inst_group=oinstall

If you are using a different path for your IDM_BASE on the new machine, update the inventory_loc directory within the oraInst.loc file:

vi IDM_BASE/products/ohs/ohs/oraInst.loc


Moving and updating IDM OHS Configuration

The root directory for Oracle Identity Management product configuration files is IDM_BASE/config. The IDM_BASE/config directory includes your configuration files and should have a directory structure similar to the one below:

drwxr-xr-x. 7 oras14 oinstall       7 Mar 25  2014 provisioning
drwxr-xr-x. 5 oras14 oinstall       5 Mar 25  2014 lcmconfig
drwxr-x---. 3 oras14 oinstall       3 Mar 25  2014 domains
drwxr-x---. 3 oras14 oinstall       3 Mar 25  2014 nodemanager
drwxr-xr-x. 2 oras14 oinstall       5 Mar 26  2014 keystores
drwxr-x---. 6 oras14 oinstall       6 Mar 26  2014 instances
drwxr-xr-x. 2 oras14 oinstall       5 Sep 22  2016 fa
drwxr-xr-x. 5 oras14 oinstall      11 Sep 22  2016 scripts

Pack the contents of IDM_BASE/config/instances/ohs1, including all subdirectories, and copy them from the existing machine to your new target machine in the DMZ:

scp -r IDM_BASE/config/instances/ohs1 dmzuser@dmz_server:IDM_BASE/config/instances/ohs1

This new directory structure on the DMZ machine should include all the following sub-directories:

drwx------. 2 oras14 oinstall 2 Mar 25  2014 tmp
drwx------. 3 oras14 oinstall 3 Mar 25  2014 diagnostics
drwx------. 2 oras14 oinstall 3 Mar 25  2014 bin
drwx------. 3 oras14 oinstall 3 Mar 25  2014 OHS
drwx------. 4 oras14 oinstall 4 Mar 25  2014 config
drwx------. 3 oras14 oinstall 3 Mar 25  2014 auditlogs

The next step can be skipped if you have installed your system using abstract hostnames. It will only be needed if you have used real hostnames during install.

On the DMZ machine where you copied the files, replace every occurrence of the physical server name of the existing OHS with the new DMZ abstract hostname.

You will need to do this in the following set of files:

IDM_BASE/config/instances/ohs1/config/OPMN/opmn/states/.locale

IDM_BASE/config/instances/ohs1/config/OHS/ohs1/*.conf

IDM_BASE/config/instances/ohs1/config/OHS/ohs1/moduleconf/*.conf

Change directory to IDM_BASE/config/instances/ohs1/config and check with the command:

grep -rl "<physical server name>" *

If this command finds any other occurrence of "<physical server name>", replace it with the new name as well.
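
The hostname replacement and the follow-up grep check above, scripted as an added example that is not part of the original article. It assumes the article's IDM_BASE/config/instances/ohs1/config layout, rewrites only the files the article lists, keeps a backup of each changed file outside the config tree, preserves file ownership and permissions, and fails if any occurrence of the old name remains anywhere under the config directory. The demo tree and hostnames at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not part of the original article): rewrite the old physical
# OHS hostname to the new DMZ abstract hostname in the files the article lists,
# keep backups outside the config tree, then repeat the article's grep check.
# Assumes the IDM_BASE/config/instances/ohs1/config layout and POSIX sh/sed/grep.

# replace_ohs_hostname CONFIG_DIR OLD_HOST NEW_HOST
# Returns 0 when no occurrence of OLD_HOST remains under CONFIG_DIR, 1 otherwise.
replace_ohs_hostname() {
    cfg="$1"; old="$2"; new="$3"
    bak="$cfg/../hostname_backup.$(date +%Y%m%d%H%M%S)"   # outside $cfg
    # Escape the dots so sed matches the hostname literally
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    for f in "$cfg/OPMN/opmn/states/.locale" \
             "$cfg"/OHS/ohs1/*.conf \
             "$cfg"/OHS/ohs1/moduleconf/*.conf; do
        [ -f "$f" ] || continue                 # unmatched glob or missing file
        grep -qF "$old" "$f" || continue        # nothing to change in this file
        rel="${f#"$cfg"/}"
        mkdir -p "$bak/$(dirname "$rel")"
        cp -p "$f" "$bak/$rel"                  # keep the original for rollback
        # write through cat so owner/mode of the OHS file are preserved
        sed "s/$old_re/$new/g" "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"
        echo "updated $rel"
    done
    # Same check the article runs by hand: any hit means a file was missed
    if grep -rlF "$old" "$cfg" >/dev/null 2>&1; then
        echo "still referencing $old:" >&2
        grep -rlF "$old" "$cfg" >&2
        return 1
    fi
    return 0
}

# Constructed demo tree (not a real instance) so the function runs offline
demo=$(mktemp -d)
mkdir -p "$demo/config/OPMN/opmn/states" "$demo/config/OHS/ohs1/moduleconf"
printf 'oldohs.example.com\n' > "$demo/config/OPMN/opmn/states/.locale"
printf 'ServerName oldohs.example.com:7777\n' > "$demo/config/OHS/ohs1/httpd.conf"
printf 'WebLogicHost oldohs.example.com\n' > "$demo/config/OHS/ohs1/moduleconf/mod_wl_ohs.conf"
replace_ohs_hostname "$demo/config" oldohs.example.com idmwebhost1.sample.com \
    && echo "no occurrences of oldohs.example.com remain"
```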


Changes during Downtime

For the next steps you need to shut down your Fusion Applications environment; only your databases should be running.

Update the /etc/hosts entry on the IDM Node and, if needed, on the FA Node(s).

Update the IP address for any abstract/virtual hostnames used for the new IDM OHS, e.g. idmwebhost1.sample.com, to the IP address of the new machine in the DMZ.
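
A check for the hosts file update above, as an added example that is not part of the original article: it parses the standard /etc/hosts layout (first-match semantics, aliases, comments) and reports, per abstract hostname, whether the entry points at the DMZ address, is stale, or is missing. The hosts file and addresses at the bottom are constructed; only idmwebhost1.sample.com comes from the article.

```sh
#!/bin/sh
# Added example (not part of the original article): verify that each abstract
# OHS hostname in a node's hosts file points at the DMZ machine's address,
# distinguishing a stale entry (old middle-tier IP) from a missing one.
# Assumes the standard /etc/hosts layout: "IP name [alias ...]", '#' comments.

# check_hosts_entry HOSTS_FILE HOSTNAME EXPECTED_IP
# Returns 0 if HOSTNAME maps to EXPECTED_IP, 1 if it maps elsewhere (stale),
# 2 if no entry exists. Only the first match counts, as the resolver does.
check_hosts_entry() {
    file="$1"; host="$2"; want="$3"
    found=$(sed 's/#.*//' "$file" | awk -v h="$host" '
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }')
    [ -n "$found" ] || { echo "$host: no entry in $file" >&2; return 2; }
    [ "$found" = "$want" ] && return 0
    echo "$host -> $found in $file, expected $want (stale entry?)" >&2
    return 1
}

# check_dmz_hosts HOSTS_FILE DMZ_IP HOST... : non-zero if any host is wrong
check_dmz_hosts() {
    file="$1"; ip="$2"; shift 2
    bad=0
    for h in "$@"; do check_hosts_entry "$file" "$h" "$ip" || bad=1; done
    return $bad
}

# Constructed hosts file standing in for /etc/hosts on the IDM node
demo=$(mktemp)
cat > "$demo" <<'EOF'
127.0.0.1   localhost
# OHS moved to the DMZ: the next line must carry the DMZ address
10.10.20.5  idmwebhost1.sample.com idmwebhost1   # trailing comment
10.10.10.7  idminternal.sample.com
EOF
check_dmz_hosts "$demo" 10.10.20.5 idmwebhost1.sample.com idmwebhost1 \
    && echo "hosts entries point at the DMZ node"
```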

The next step can be skipped if you have installed your system using abstract hostnames. It will only be needed if you have used real hostnames during install.

Make a backup of the file IDM_BASE/config/domains/IDMDomain/config/fmwconfig/oam-config.xml.

Then manually change all occurrences of the old OHS machine name to the new OHS name in the original file /u01/app/idm/config/domains/IDMDomain/config/fmwconfig/oam-config.xml and save the changes.

Update your network configuration:

Modify firewall rules if required:

Allow outbound traffic from DMZ Node on Port 80 to Load Balancer

Allow outbound traffic from DMZ Node on Port 14000 to IDM OIM Server IP

Allow outbound traffic from DMZ Node on Port 8001 to IDM SOA Server IP

Allow outbound traffic from DMZ Node on Port 7001 to IDM Admin Server IP

Check if any other firewall rules exist for AUTH OHS that need to be configured for IDM Node.

Modify the pool members for AUTH OHS on the LBR (VIP listening on 443 and 80).

IDM should now offload traffic to the IDM Node and not the OHS Node

Check that the monitor in the LBR shows the OHS as UP.

Restart Environment

As your OHS is now located on the DMZ machine and typically does not share storage with your web tier, you will need to start the OHS using the opmnctl command in the instance's bin directory:

cd IDM_BASE/config/instances/ohs1/bin
./opmnctl startall
opmnctl startall: starting opmn and all managed processes...
./opmnctl status

Processes in Instance: ohs1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status  
---------------------------------+--------------------+---------+---------
ohs1                             | OHS                |     808 | Alive

Check functionality for moved OHS

Before you release the environment, please perform a functional test of the moved OHS component.

You can use the test scenarios described in the R9 Clone guide ("Perform validation steps") to do that.

The list should include the following steps:

Test connectivity to IDM consoles via LBR / OHS

Validate SSO for IDM

Validate IDM Web Tier

Leverage existing IDM validation code

This excerpt only describes how to test the moved component; we recommend that you perform a full test cycle prior to making any production changes.
