Page 1: SSO With Oracle Applications R12

Oracle 10gR2 AS installation with Infrastructure & Identity Management

1) Download the 10gR2 Application Server software from http://download.oracle.com

2) The downloaded software is kept in the /Stage/10gAS directory on the AP008 server.

3) Log in as “root” and create the user “orainfra”. Assign the DBA group to this user.

Password assigned to this user is “orainfra1”.

4) Make the following entries in the /etc/sysctl.conf file and run sysctl -p (or reboot the server) to make the changes effective.

kernel.sem= 256 32000 100 142
kernel.shmall= 2097152
kernel.shmmax= 4294967295
kernel.shmmni= 4096
kernel.msgmax= 8192
kernel.msgmnb= 65535
kernel.msgmni= 2878
fs.file-max= 206173
net.ipv4.ip_local_port_range= 1024 65000
net.core.rmem_default= 262144
net.core.rmem_max= 262144
net.core.wmem_default= 262144
net.core.wmem_max= 262144
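The following script is an added example, not part of the original document: it checks a sysctl.conf-style file against the values of step 4 before runInstaller is started, reporting keys that are missing, below the required single value, or (for the multi-value keys) not identical. The REQUIRED list copies step 4; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original document: check a sysctl.conf-style file
# against the step 4 kernel parameters (REQUIRED below copies them), so a value
# below the requirement, such as a 2 GB SHMMAX, is caught before the installer is.

REQUIRED='kernel.sem=256 32000 100 142
kernel.shmall=2097152
kernel.shmmax=4294967295
kernel.shmmni=4096
kernel.msgmax=8192
kernel.msgmnb=65535
kernel.msgmni=2878
fs.file-max=206173
net.ipv4.ip_local_port_range=1024 65000
net.core.rmem_default=262144
net.core.rmem_max=262144
net.core.wmem_default=262144
net.core.wmem_max=262144'

# Strip comments and blank lines, turn "key= value" / "key = value" into
# "key=value" and squeeze whitespace inside multi-value entries.
normalize_conf() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' \
      -e 's/[[:space:]]\{1,\}/ /g' -e 's/[[:space:]]*$//' "$1"
}

# check_sysctl_conf FILE: print one line per required key that is missing, below
# the required single value, or not identical (multi-value). Returns 0 or 1.
check_sysctl_conf() {
  conf=$(normalize_conf "$1")
  problems=0
  while IFS='=' read -r key want; do
    # the last assignment of a key wins, as it does for sysctl itself
    got=$(printf '%s\n' "$conf" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
    if [ -z "$got" ]; then
      echo "$key: missing (required $want)"; problems=1
    elif [ "${want#* }" != "$want" ]; then
      # multi-value key (kernel.sem, ip_local_port_range) must match exactly
      [ "$got" = "$want" ] || { echo "$key: expected '$want', found '$got'"; problems=1; }
    else
      # single value: anything non-numeric or below the requirement fails
      [ "$got" -ge "$want" ] 2>/dev/null || { echo "$key: $got is below required $want"; problems=1; }
    fi
  done <<EOF
$REQUIRED
EOF
  return $problems
}
```

Run it as `check_sysctl_conf /etc/sysctl.conf` after editing the file; a non-zero exit means at least one entry still needs attention before `sysctl -p`.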

5) The packages listed below must be installed on the server. A higher version of any of these packages will suffice for installing and running SSO/OID.

glibc-2.3.4-2.9
glibc-common-2.3.4-2.9
binutils-2.15.92.0.2-13
compat-libstdc++-296-2.96-132.7.2
compat-db-4.1.25-9
gcc-3.4.3-22.1
gcc-c++-3.4.3-22.1
libstdc++-3.4.3-22.1
libstdc++-devel-3.4.3-22.1
openmotif21-2.1.30-11.RHEL4.4
pdksh-5.2.14-30
setarch-1.6-1
make-3.80-5
gnome-libs-1.4.1.2.90-44.1
sysstat-5.0.5-1
control-center-2.8.0-12
xscreensaver-4.18-5.rhel4.2

6) Log in as user “orainfra”, go to the directory /Stage/10gAS/disk1 and launch runInstaller. Unset the environment variables “LESSOPEN” and “LS_COLORS” first. Follow the screenshots below for selecting the proper options.

$ /Stage/10gAS/disk1/runInstaller


The warning appeared because the installer checks for an SHMMAX of 4 GB whereas it was defined as 2 GB. The value was changed to 4294967295 in /etc/sysctl.conf after the installation.


Password given is “infra123”


Password given is “infra1”


Click the Retry button and it will succeed.

This finishes installation of 10gR2 Oracle Infrastructure Server with SSO component.


7) Test the Identity Management infrastructure by accessing the URL http://grrusap008.kv.com:7777/oiddas/ and logging in with the “orcladmin” user ID and the password “infra1”. Navigate to Directory > Create. Create a test user ID, supplying a password and other user information.

Click Submit. Log out. Log in to Oracle Internet Directory Delegated Administration Services using the newly created test user ID. Ensure the Directory Integration and Provisioning Platform Server is running: the command ps -ef | grep odi should show a process called $ORACLE_HOME/bin/odisrv running.

8) Now configure SSO/OID for Microsoft Active Directory. To achieve this, an Active Directory account capable of reading user and group profiles must be established for use by OID DIP during the synchronization process. This may be accomplished in a variety of ways, the easiest of which is to simply grant it Domain Admin privilege. Below are the details used for the OID/AD integration (as provided by KV):

AD Server - grrusdc001.kv.com

AD Port - 389

Username - [email protected]

Password - Password1

9) The ability to connect to Active Directory with this account may be verified using the command below, after logging on to the SSO/OID server as user “orainfra” and ensuring that the correct environment variables for the installation are set (by running “infra.env” under $HOME of the user “orainfra”):

ldapbind -p 389 -h grrusdc001.kv.com -D "[email protected]" -w "Password1"

The above command should result in “Bind Successful”.

10) Synchronization profile creation: The first step in the configuration process is to create a synchronization profile. The instructions in this section are based on those that appear in the Oracle Identity Management Guide. The assistant can be invoked from the command-line interface by executing the command

dipassistant -gui


A login window will appear: use orcladmin as the username and provide its corresponding password (infra1). The Oracle Directory Integration and Provisioning Server Administrator console window will appear once login is complete. Use vncviewer to log in to the AP008 server as user “orainfra” before launching dipassistant.

11) Select Active Directory Configuration in the System Objects list on the left-hand side of the window. An Express Configuration form will appear on the right-hand side of the window. Enter the details below in the right-hand window:

Active Directory Host - grrusdc001.kv.com

Active Directory Port - 389

Account Name - [email protected]

Account Password - Password1

Connector Name - KVADSync

Note that any Connector Name may be supplied. The Import Profile Name and Export Profile Name values are then generated based on that name. Click the Apply button once entries are complete.

12) Select Configuration Set1 in the System Objects list on the left-hand side of the window, and then click the Refresh button. Select the “Import” version of the newly-created profile (KVADSyncImport) on the right-hand side of the window and click the Edit button. A tabbed window will appear for the currently-selected profile. Verify the following:

• General tab – Be sure to change the Profile Status to ENABLE. The Scheduling Interval and Maximum Number of Retries values may be adjusted to determine the synchronization frequency and the maximum number of retry errors before failure, respectively.

• Execution tab – The Active Directory account and password may be modified using the Connected Directory Account and Connected Directory Account Password.

• Status tab – This tab can be used to periodically monitor synchronization status after completing the instructions in this document.

Click the OK button to save any changes, and the window should then close. The Oracle Directory Integration and Provisioning Server Administrator console window may remain open during the remainder of these instructions.


13) Bootstrap Execution: The initial migration of data from AD to OID is known as a “bootstrap”. This is accomplished using the bootstrap option of the Directory Integration and Provisioning Assistant, which is detailed in the Bootstrapping Data between Directories section of the aforementioned Oracle Identity Management Integration Guide, Chapter 16.

A command similar to the following may be used to initiate the bootstrap process:

dipassistant bootstrap -port 389 -profile KVADSyncImport -D "cn=orcladmin" -w infra1

A series of messages will be displayed indicating the number of records processed. Once the bootstrap successfully completes, return to the Oracle Directory Integration and Provisioning Server Administrator console and click the Refresh button. Select and Edit the current profile, and then ensure the Status tab indicates bootstrap success.

NOTE: This command is placed in a file named adsync.sh under $ORACLE_HOME. Run it if there is a significant delay in AD-OID synchronization. This script is also called (currently not scheduled to run) from the crontab of the user “orainfra”.


14) Active Directory External Authentication Plug-in Deployment: The final step in the configuration process is to deploy the Active Directory External Authentication Plug-in, which validates user-supplied passwords against AD “behind the scenes” during a user login sequence. Detailed information about this process appears in the Installing Active Directory External Authentication Plug-ins section of the Oracle Identity Management Integration Guide, Chapter 16.

This step involves executing the UNIX shell script oidspadi.sh, which can be found in the $ORACLE_HOME/ldap/admin directory.

$ cd $ORACLE_HOME/ldap/admin

$ ./oidspadi.sh

A series of messages and prompts will be displayed as the script executes. Sample prompt responses:

Please enter Active Directory host name: grrusdc001.kv.com

Do you want to use SSL to connect to Active Directory? (y/n) n

Please enter Active Directory port number [389]: 389

Please enter DB connect string: infra

Please enter ODS password: infra1

Please enter confirmed ODS password: infra1

Please enter OID host name: grrusap008.kv.com

Please enter OID port number [389]: 389

Please enter orcladmin password: infra1

Please enter confirmed orcladmin password: infra1

Please enter the subscriber common user search base [orclcommonusersearchbase]: cn=users,dc=kv,dc=com

Please enter the Plug-in Request Group DN:

Please enter the exception entry property [(!(objectclass=orcladuser))]:

Do you want to setup the backup Active Directory for failover? (y/n) n


Return to the Oracle Directory Manager console upon successful completion of the plug-in deployment process and navigate to and click the Plug-In Management node. Make sure that the Plug-in Enable property is set for both adwhencompare and adwhenbind.

15) Configure Oracle Identity Management 10g Components with E-Business Suite: Log in to the application tier server (i.e. AP001) of the instance which needs to be enabled for SSO. Ensure that the environment file corresponding to the instance has been sourced properly.

16) Go to the $FND_TOP/bin directory of the instance and execute the txkrun.pl script with the options below:

./txkrun.pl -script=SetSSOReg -provisiontype=4

NOTE: Provisiontype 4 is “BiDiNoCreation Provisioning”. Since KV is using a single Infrastructure repository for all the instances, provisiontype must be kept at 4; otherwise, when users are created in one E-Business instance they will be provisioned to OID, and creating the same user in another instance will result in an LDAP error because the user is already present in OID.

The registration script will prompt for several parameters. Sample answers are below:

Enter the host name where Oracle IAS Infrastructure database is installed? grrusap008.kv.com

Enter the LDAP Port on Oracle Internet Directory server? 389

Enter SSL LDAP Port on Oracle Internet Directory server? 636

Enter the Oracle Internet Directory Administrator (orcladmin) Bind password? infra1

Enter the instance password that you would like to register this application instance with? test123

Enter Oracle E-Business apps database user password? Apps

17) When the registration script completes successfully, it will print the following line:


End of <FND_TOP>/patch/115/bin/txkSetSSOReg.pl : No Errors encountered

If you do not see this confirmation, examine the following file to investigate the problem:

$APPLRGF/TXK/txkSetSSOReg_[timestamp].xml

18) Bounce the application tier of the instance which was configured for SSO.

19) Try logging in to the environment by hitting the URL (e.g. the DEV URL):

http://grrusap001-t.kv.com:8005/OA_HTML/AppsLogin

20) This should redirect you to the SSO login page.

21) Enter your KV email address (i.e. [email protected]) as the username and your current LAN password as the password.

22) Depending upon whether your E-Business account is already linked with your AD account, you will either be presented with the responsibility page of Oracle Applications OR with the page that asks you to provide your Oracle Applications username/password for linking. Kindly note that account linking is a “once per environment” activity. Once your AD account is linked with your Oracle Applications account, you will be taken to the responsibility page directly after providing AD credentials.
