With the recent IDM 11gR2PS2 release Oracle has developed a new deployment tool that aims to automate and reduce the time required to install and configure Oracle Identity and Access Management Components.
In this post we are going to present the benefits, supported topologies and components and key points to keep in mind to conduct a successful IDM deployment.
Architecture and Components
Currently the Deployment Wizard Supports two types of topologies:
- Single Host/Domain: All components are installed in one host under a single domain. This is recommended for testing and demos but not for production due to the lack of redundancy.
- Multi Host/Domain: Components are installed on multiple hosts and split into two domains for high availability: AccessDomain (OAM) and GovernanceDomain (OIM). Keeping OAM and OIM in separate domains also makes it easier to maintain and patch each component independently.
This approach also offers a choice of host layouts:
- Distributed: 8 hosts, consisting of 2 web hosts, 2 OAM hosts, 2 OIM hosts and 2 directory hosts.
- Consolidated: 4 hosts, consisting of 2 web hosts and 2 IAM hosts (OIM + OAM + LDAP).
There is also an option to install just OIM or just OAM, but I will not cover those in this post.
The tool supports OUD, OAM, OAAM*, OIM, SOA and OHS/Webgate, but there are plans to include other IDM products in future releases.
*OAAM is supported through an EDG-documented scale-out procedure.
Automated vs. Manual Installation
There are advantages and disadvantages to both approaches; let's discuss each option.
- Automated. The biggest advantage is the time spent deploying the components. The deployment of an HA, split-domain, consolidated topology can be done in a couple of days of work. The complexity and number of manual steps required is also greatly reduced, translating into fewer errors, issues and planning time. Rather than having to manually install and configure each component (JRE, WLS, OUD, OAM, SOA, OIM), this new tool allows you to run a few commands to install and configure the whole stack. Another advantage is the ability to reproduce a successful install: once you have created a response file, it is easy to change its values (hostnames, port numbers, passwords, etc.) and run the deployment tool again on another environment. That also leads to consistency between your environments, as they will all have the same basic structure and configuration.
- Manual. The manual approach gives you more freedom and flexibility as to which components, architecture and products you want to install (though future releases will probably reduce this gap). The manual installation requires a considerable amount of time to plan, install and configure all components, and if the exact process is not followed it can lead to a problematic environment down the road. The number of required manual steps is estimated at over a thousand, and it will take more than a week (even if you're already familiar with the process) to get a fully working OAM-OIM integrated environment in a highly available architecture. Reproducibility is another problem. Recreating a second environment (Development, Test, Production, DR, etc.) requires a controlled and documented installation process, and I've seen many customers fail to do so.
Things to watch out for when deploying with the new tool
The new tool isn't a silver bullet and requires at least a minimum of preparation before you start. The tool has a "preverify" phase in which it tries to validate your environment, but it will not catch every missing configuration item, and anything it misses will cause a failure later. Failing to follow some of the recommendations will result in errors down the road and require you to start the whole deployment process all over again. So, to prepare for a smooth installation, based on my first impressions I would recommend the following:
- Get familiar with the 11gR2PS2 Enterprise Deployment Guide (http://docs.oracle.com/cd/E40329_01/doc.1112/e48618/toc.htm). It will help you understand the new concepts and make the required preparations before starting the deployment.
- Stick to the recommended architecture, whichever you choose (single domain or split domain), and to the recommended number of hosts and components.
- Having an NFS shared mount point to host the installation files makes the process even faster and easier. Make sure to mount the installation directory on the web hosts too; you can unmount it after the installation completes.
- Dedicate some time to verifying that all hosts and infrastructure are correctly configured. Check that all hosts are resolvable both through DNS and through the hosts files (again, you can isolate the web hosts after the installation finishes), and check kernel parameters, mount points, database, available disk space and temp directory, load balancer, etc. Refer to the EDG and make notes of all the requirements before starting the deployment.
- When you create the database schemas with RCU, use two prefixes, but make sure to create the ORASDPM schema under both the OAM prefix and the OIM prefix. For example:

| Prefix | Schemas |
|--------|---------|
| EDGIAD | OAM, IAU, ORASDPM, MDS, OPSS, OAAM |
| EDGIAG | OIM, SOA_INFRA, MDS, OPSS, ORASDPM |
- Before you even start running the tool, check Support Note 1662923.1. There are some required manual steps that must be executed before and right after running the tool.
- If you encounter an error, the clean-up procedure basically instructs you to erase everything and start all over. In my experience I found some minor issues (low /tmp space or hosts not resolvable) that were not caused by the tool itself. In my case, just deleting the /stage/lcm/provisioning/phaseguards files for that particular phase lured the tool into thinking it hadn't started the phase yet and allowed me to correct the issue and run the phase again. It might be worth a try before erasing everything and starting over.
- After the installation (and the manual steps described in Support Note 1662923.1, https://support.oracle.com/epmos/faces/DocumentDisplay?id=1662923.1) completes, there are still a couple of manual steps to execute. Don't forget to check the EDG and follow them through.
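The host-resolution, /tmp-space and shared-mount checks from the list above are easy to script so they can be re-run on every host before each deployment attempt. The following POSIX shell preflight script is an added example written for this post; it is not part of the Oracle deployment tool or the EDG. The free-space threshold, the /stage mount point and the hostnames passed on the command line are assumptions to replace with the values from the EDG for your release.

```shell
#!/bin/sh
# preflight.sh - pre-deployment checks for an IDM Deployment Wizard run.
# Hypothetical helper written for this post, not part of Oracle's tooling.
# Checks: every host resolves through the hosts file AND through DNS,
# /tmp has enough free space, and the shared installer directory is mounted.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MIN_TMP_MB="${MIN_TMP_MB:-2048}"   # assumed threshold; take the real value from the EDG
STAGE_DIR="${STAGE_DIR:-/stage}"   # assumed NFS mount point holding the installers

# Return 0 if NAME appears as a hostname or alias in the hosts file.
# A second argument overrides the file (used for testing with a constructed file).
resolves_via_hosts_file() {
  name="$1"; file="${2:-$HOSTS_FILE}"
  awk -v n="$name" '
    { sub(/#.*/, "") }                 # drop trailing comments
    NF < 2 { next }                    # skip blank/comment-only lines
    { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
    END { exit (found ? 0 : 1) }' "$file"
}

# Return 0 if NAME resolves through DNS. nslookup queries the resolver directly,
# so it does not hide a missing DNS record behind a hosts-file entry.
resolves_via_dns() {
  nslookup "$1" >/dev/null 2>&1
}

# Print free megabytes on the filesystem holding DIR (POSIX df -P -k).
free_mb() {
  df -P -k "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Return 0 if DIR has at least MIN_MB free.
has_free_mb() {
  [ "$(free_mb "$1")" -ge "$2" ]
}

# Return 0 if PATH is itself a mount point (df reports it under "Mounted on").
is_mount_point() {
  [ -d "$1" ] || return 1
  [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "$1" ]
}

# Check one host both ways; print a verdict line and return 0 only if both pass.
check_host() {
  h="$1"; rc=0
  resolves_via_hosts_file "$h" || { echo "FAIL $h: not in $HOSTS_FILE"; rc=1; }
  resolves_via_dns "$h"        || { echo "FAIL $h: not resolvable via DNS"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok   $h"
  return "$rc"
}

# Run every check for the hostnames given as arguments; non-zero if anything failed.
preflight() {
  rc=0
  for h in "$@"; do check_host "$h" || rc=1; done
  has_free_mb /tmp "$MIN_TMP_MB" \
    || { echo "FAIL /tmp: $(free_mb /tmp) MB free, need $MIN_TMP_MB MB"; rc=1; }
  is_mount_point "$STAGE_DIR" \
    || { echo "FAIL $STAGE_DIR: not a mount point (shared install directory)"; rc=1; }
  return "$rc"
}

# Usage (hostnames are constructed placeholders for a consolidated topology):
#   sh preflight.sh webhost1 webhost2 iamhost1 iamhost2
if [ $# -gt 0 ]; then
  preflight "$@" || exit 1
fi
```

Run it on every host in the topology, including the web hosts while the installer share is still mounted there; a non-zero exit means at least one check printed a FAIL line. The script deliberately checks the hosts file and DNS separately, because the tool's preverify phase reports only the resolution it happens to exercise, and a later phase may use the other path.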
Although the new deployment tool does not fit all needs and currently supports only a few components, options and features, it's a great step towards a simpler and more effective way to install and configure IDM components. Future releases will bring more flexibility and a more refined and robust tool. We hope that this tool will give customers an easier way to test and deploy our products and reduce the number of issues and the time required to install IDM.
- IDM 11gR2PS2 Enterprise Deployment Guide: http://docs.oracle.com/cd/E40329_01/doc.1112/e48618/toc.htm
- Identity Management Deployment Repository download page: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html
- Support Note 1662923.1: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1662923.1