SSO With Oracle Applications R12

Oracle 10gR2 AS installation with Infrastructure & Identity Management

1) Download the 10gR2 Application Server software from

2) The downloaded software is kept in the /Stage/10gAS directory on the AP008 server.

3) Log in as root and create the user orainfra. Assign the DBA group to this user. The password assigned to this user is orainfra1.

4) Make the following entries in /etc/sysctl.conf and run sysctl -p (or reboot the server) to make the changes effective:

   kernel.sem = 256 32000 100 142
   kernel.shmall = 2097152
   kernel.shmmax = 4294967295
   kernel.shmmni = 4096
   kernel.msgmax = 8192
   kernel.msgmnb = 65535
   kernel.msgmni = 2878
   fs.file-max = 206173
   net.ipv4.ip_local_port_range = 1024 65000
   net.core.rmem_default = 262144
   net.core.rmem_max = 262144
   net.core.wmem_default = 262144
   net.core.wmem_max = 262144

5) The packages listed below must be installed on the server. A higher version of any of these packages is acceptable for installing and running SSO/OID.

   glibc-2.3.4-2.9
   glibc-common-2.3.4-2.9
   binutils-
   compat-libstdc++-296-2.96-132.7.2
   compat-db-4.1.25-9
   gcc-3.4.3-22.1
   gcc-c++-3.4.3-22.1
   libstdc++-3.4.3-22.1
   libstdc++-devel-3.4.3-22.1
   openmotif21-2.1.30-11.RHEL4.4
   pdksh-5.2.14-30
   setarch-1.6-1
   make-3.80-5
   gnome-libs-
   sysstat-5.0.5-1
   control-center-2.8.0-12
   xscreensaver-4.18-5.rhel4.2

6) Log in as user orainfra, go to the directory /Stage/10gAS/disk1 and launch runInstaller. Unset the environment variables LESSOPEN and LS_COLORS first. Follow the screenshots below for selecting the proper options.

   $ /Stage/10gAS/disk1/runInstaller

The warning appeared because the installer expects SHMMAX to be 4 GB, whereas it was defined as 2 GB. The value was changed to 4294967295 in /etc/sysctl.conf after the installation.
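A pre-flight check for the step-4 kernel parameters, added here as an example (it is not part of the original guide): it compares a sysctl.conf-style file against the values step 4 lists and would have flagged the 2 GB SHMMAX before runInstaller was launched. The sample file content is constructed, and treating single-valued parameters as minimums (the installer's view of SHMMAX) is an assumption of this example.

```shell
# Added example (not from the original guide): pre-flight check of the
# step-4 kernel parameters against a sysctl.conf-style file ("key = value").
REQUIRED_SYSCTL='kernel.sem=256 32000 100 142
kernel.shmall=2097152
kernel.shmmax=4294967295
kernel.shmmni=4096
kernel.msgmax=8192
kernel.msgmnb=65535
kernel.msgmni=2878
fs.file-max=206173
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144'
# compare_param KEY REQUIRED ACTUAL: multi-field keys must match exactly;
# single values are treated as minimums (assumption: >= required passes).
compare_param() {
  req_v=$(printf '%s' "$2" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
  cur_v=$(printf '%s' "$3" | tr -s '[:space:]' ' ' | sed 's/^ //;s/ $//')
  case "$req_v" in
    *' '*) [ "$req_v" = "$cur_v" ] ;;
    *)     [ -n "$cur_v" ] && [ "$cur_v" -ge "$req_v" ] 2>/dev/null ;;
  esac
}

# check_sysctl_file FILE: the last definition of a key wins, as with sysctl -p.
# Returns the number of missing/low parameters (0 = ready for runInstaller).
check_sysctl_file() {
  bad=0
  while IFS='=' read -r key exp; do
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    act=$(grep "^[[:space:]]*${key_re}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=//')
    if compare_param "$key" "$exp" "$act"; then
      printf 'OK          %s\n' "$key"
    else
      printf 'MISSING/LOW %s: need "%s", found "%s"\n' "$key" "$exp" "$act"
      bad=$((bad + 1))
    fi
  done <<EOF
$REQUIRED_SYSCTL
EOF
  return $bad
}

# Constructed sample reproducing the step-6 warning: shmmax still at 2 GB.
SAMPLE_BEFORE=$(printf '%s\n' "$REQUIRED_SYSCTL" | sed 's/=/ = /;s/^kernel.shmmax .*/kernel.shmmax = 2147483648/')
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_BEFORE" > "$tmp"
check_sysctl_file "$tmp" || echo "$? parameter(s) to fix before launching runInstaller"
rm -f "$tmp"
```

Run it as root against /etc/sysctl.conf, or against the output of sysctl -a saved to a file, before launching the installer.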

Password given is infra123

Password given is infra1

Hit retry button and it will succeed.

This finishes installation of 10gR2 Oracle Infrastructure Server with SSO component.

7) Test the Identity Management infrastructure by accessing the URL:
   Log in using the orcladmin userid and the password infra1.
   Navigate to Directory > Create. Create a test userid, supplying a password and other user information. Click Submit. Log out.
   Log into Oracle Internet Directory Delegated Administration Services using the newly created test userid.
   Ensure the Directory Integration and Provisioning Platform Server is running: the command ps -ef | grep odi should show a process called $ORACLE_HOME/bin/odisrv running.

8) Now configure SSO/OID for Microsoft Active Directory. An Active Directory account capable of reading user and group profiles must be established for use by OID DIP during the synchronization process. This may be accomplished in a variety of ways, the easiest of which is simply to grant it Domain Admin privilege; an account granted only the read rights the synchronization needs is the least-privilege alternative. Below are the details used for the OID/AD integration (as provided by KV):

   AD Server -
   AD Port - 389
   Username -
   Password - Password1

9) The ability to connect to Active Directory with this account may be verified with the command below, after logging on to the SSO/OID server as user orainfra and ensuring the environment variables for the installation are set correctly (by running infra.env under $HOME of the user orainfra):

   ldapbind -p 389 -h -D "" -w "Password1"

The command above should report Bind Successful.

10) Synchronization profile creation: The first step in the configuration process is to create a synchronization profile. The instructions in this section are based on those in the Oracle Identity Management Guide. The assistant is invoked from the command line by executing:

   dipassistant gui

A login window will appear; use orcladmin as the username and supply its password (infra1). The Oracle Directory Integration and Provisioning Server Administrator console window will appear once login is complete. Use vncviewer to log on to the AP008 server as user orainfra before launching dipassistant.

11) Select Active Directory Configuration in the System Objects list on the left-hand side of the window. An Express Configuration form will appear on the right-hand side. Enter the following details in the right-hand window:

   Active Directory Host -
   Active Directory Port - 389
   Account Name -
   Account Password - Password1
   Connector Name - KVADSync

Note that any Connector Name may be supplied; the Import Profile Name and Export Profile Name values are generated from it. Click the Apply button once the entries are complete.

12) Select Configuration Set1 in the System Objects list on the left-hand side of the window, then click the Refresh button. Select the Import version of the newly created profile (KVADSyncImport) on the right-hand side and click the Edit button. A tabbed window will appear for the currently selected profile. Verify the following:

   General tab - Be sure to change the Profile Status to ENABLE. The Scheduling Interval and Maximum Number of Retries values may be adjusted to set the synchronization frequency and the maximum number of retry errors before failure, respectively.
   Execution tab - The Active Directory account and password may be modified using the Connected Directory Account and Connected Directory Account Password fields.
   Status tab - This tab can be used to monitor synchronization status periodically after completing the instructions in this document.

Click the OK button to save any changes; the window should then close. The Oracle Directory Integration and Provisioning Server Administrator console window may remain open for the remainder of these instructions.

13) Bootstrap Execution: The initial migration of data from AD to OID is known as a bootstrap. It is performed with the bootstrap option of the Directory Integration and Provisioning Assistant, which is detailed in the Bootstrapping Data between Directories section of the aforementioned Oracle Identity Management Integration Guide, Chapter 16. A command similar to the following may be used to initiate the bootstrap process:

   dipassistant bootstrap -port 389 -profile KVADSyncImport -D "cn=orcladmin" -w infra1

A series of messages will be displayed indicating the number of records processed. Once the bootstrap completes successfully, return to the Oracle Directory Integration and Provisioning Server Administrator console and click the Refresh button. Select and Edit the current profile, and ensure the Status tab indicates bootstrap success.

NOTE: This command is placed in a file with name under $ORACLE_HOME. Run it if there is a significant delay in AD-OID synchronization. The script is also called (currently not scheduled to run) from the crontab of the user orainfra.

14) Active Directory External Authentication Plug-in Deployment: The final step in the configuration process is to deploy the Active Directory External Authentication Plug-in, which validates user-supplied passwords against AD behind the scenes during a user login sequence. Detailed information about this process appears in the Installing Active Directory External Authentication Plug-ins section of the Oracle Identity Management Integration Guide, Chapter 16. This step involves executing a UNIX shell script found under the $ORACLE_HOME/ldap/admin directory:

   $ cd $ORACLE_HOME/ldap/admin
   $ ./

A series of messages and prompts will be displayed as the script executes. Sample prompt responses:

   Please enter Active Directory host name:
   Do you want to use SSL to connect to Active Directory? (y/n) n
   Please enter Active Directory port number [389]: 389
   Please enter DB connect string: infra
   Please enter ODS password: infra1
   Please enter confirmed ODS password: infra1
   Please enter OID host name:
   Please enter OID port number [389]: 389
   Please enter orcladmin password: infra1
   Please enter confirmed orcladmin password: infra1
   Please enter the subscriber common user search base [orclcommonusersearchbase]: cn=users,dc=kv,dc=com
   Please enter the Plug-in Request Group DN:
   Please enter the exception entry property [(!(objectclass=orcladuser))]:
   Do you want to setup the backup Active Directory for failover? (y/n) n

Note that answering n to the SSL prompt means the plug-in forwards each user's password to AD over unencrypted LDAP on port 389; answering y requires the SSL port and AD's certificate to be trusted on the OID server.

Return to the Oracle Directory Manager console upon successful completion of the plug-in deployment process and navigate to and click the Plug-In Management fork. Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.

15) Configure Oracle Identity Management 10g Components with E-Business Suite: Log on to the application tier server (i.e. AP001) of the instance that needs to be enabled for SSO. Ensure that the environment variables corresponding to the instance have been set properly.

16) Go to the $FND_TOP/bin directory of the instance and execute the script with the options below:

   ./ -script=SetSSOReg -provisiontype=4

NOTE: Provisiontype 4 is BiDiNoCreation provisioning. Since KV uses a single Infrastructure repository for all the instances, provisiontype must be kept at 4; otherwise, when users are created in one E-Business instance they are provisioned to OID, and creating the same user in another instance then fails with an LDAP error because the user is already present in OID.

The registration script will prompt for several parameters. Sample answers are below:

   Enter the host name where Oracle IAS Infrastructure database is installed?
   Enter the LDAP Port on Oracle Internet Directory server? 389
   Enter SSL LDAP Port on Oracle Internet Directory server? 636
   Enter the Oracle Internet Directory Administrator (orcladmin) Bind password? infra1
   Enter the instance password that you would like to register this application instance with? test123

E