Wednesday, June 03, 2015

OAM PS3

Identity and Access Management Patch Set 3

It was launched last week. I saw it in March, during a partner event in Paris, and there are quite a few changes and improvements to get excited about.

Install over previous (not upgrade)

I cloned my PS2 OAM machine, and the plan is to get PS3 running asap. So, I fire up the V11.1.1.9 RCU, and drop the existing schemas.
Next, rerun the RCU, and create the schemas:
Note the Mobile Security - that's new...

Install OUD V11.1.1.9.0

Yep - that's new as well...
[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/oud_11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME

Install WebLogic

Same as before, 10.3.6.0 - but with a load of patches. These will require you to run JSSE!
A list of patches (but hold on downloading each of these!):

18398295 (FSG4)        This Oracle WebLogic Server patch is required only if you are using
                       Multi Byte Character Set.
Bit of an odd remark for an OAM installation guide, as OAM practically dictates you use AL32UTF8 for the standard character set in your repository database.

14404715 (ZARV)        This is a mandatory Oracle WebLogic Server patch.

16844206 (NPM3)        This is a mandatory Oracle WebLogic Server patch.
Looks like that is only on MS Win, as the description is "WLST CANNOT GET ENV ON WINDOWS SERVER 12 WITH MINIMAL ENV"

13964737 (YVDZ)        This is a mandatory Oracle WebLogic Server patch when running
                       Oracle WebLogic Server on Oracle JDK 7.
                       After you apply this patch to your WebLogic Server Middleware home, you must start
                       the Node Manager, the WebLogic Administration Server, and the various Managed Servers
                       with Java Secure Socket Extension (JSSE) enabled. To start the Node Manager with JSSE
                       enabled, see the "Set the Node Manager Environment Variables" topic in Node Manager
                       Administrator's Guide for Oracle WebLogic Server.
                       After starting Node Manager with JSSE enabled, you must start the
                       WebLogic Administration Server and Managed Servers with JSSE enabled.
                       For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in
                       Securing Oracle WebLogic Server.

14174803 (IMWL)        This is a mandatory Oracle WebLogic Server patch when running
                       Oracle WebLogic Server on Oracle JDK 7.
                       Same JSSE requirement as YVDZ above: after applying it, Node Manager, the
                       Administration Server and the Managed Servers must be started with JSSE enabled.

17938462 (XECL)        This is a mandatory Oracle WebLogic Server patch when running
                       Oracle WebLogic Server on Oracle JDK 7.

13114768 (56MM)        This is a mandatory Oracle WebLogic Server patch.

15865825 (CM69)        This is a mandatory Oracle WebLogic Server patch.

14809365 (XA6W)        This is a mandatory Oracle WebLogic Server patch.

Apart from all that, I would also apply 20181997 (YUIS): WLS PATCH SET UPDATE 10.3.6.0.11

Install OAM

[oracle@oam ~]$ /mnt/orainst/Software/OFM/11.1.2.3.0/Disk1/runInstaller -jreLoc $JAVA_HOME
You no longer need to kludge the refhost.xml file:

WLS Patching

cd /oracle/middleware/utils/bsu
mkdir cache_dir
cd cache_dir
unzip /mnt/orainst/Software/weblogic/p20181997_1036_Generic.zip
cd ..
./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=YUIS -prod_dir=/oracle/middleware/wlserver_10.3
Remove README.txt from the cache_dir, and repeat for
  • p17938462_1036_Generic.zip (XECL)
  • p13964737_1036_Generic.zip (YVDZ)
There is no need for
  • p15865825 (CM69)
  • p14809365 (XA6W)
  • p14404715 (ZARV)
  • p14174803 (IMWL)
as they conflict with, or rather are resolved by, YUIS.
See MOS DocID 1997891.1 (bugs resolved by WLS 10.3.6.0.11).

p13114768_1036_Generic.zip (56MM) is not listed in this document, yet reports it cannot co-exist with YUIS:
[oracle@oam bsu]$ ./bsu.sh -install -patch_download_dir=/oracle/middleware/utils/bsu/cache_dir -patchlist=56MM -prod_dir=/oracle/middleware/wlserver_10.3
Checking for conflicts...
Conflict(s) detected - resolve conflict condition and execute patch installation again
Conflict condition details follow:
Patch 56MM is mutually exclusive and cannot coexist with patch(es): YUIS
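The patch loop above as an added shell script (my code, not the post's): it stages one zip at a time into the bsu cache dir, removes README.txt as described, and parses bsu's conflict report so a patch that conflicts with one already installed is reported and skipped instead of aborting the whole run. Paths follow the post; the zip:ID pairing on the command line and the variable and function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the post. Applies WLS patches with bsu one zip at a
# time and skips any patch bsu reports as conflicting with an installed one
# (e.g. the ones already resolved by YUIS). Paths are the post's layout.
BSU_DIR="${BSU_DIR:-/oracle/middleware/utils/bsu}"
WLS_HOME="${WLS_HOME:-/oracle/middleware/wlserver_10.3}"
CACHE_DIR="$BSU_DIR/cache_dir"

# Unzip one patch into the cache dir; every zip carries a README.txt that
# bsu trips over, so it is removed just as the post does by hand.
stage_patch() {
    mkdir -p "$CACHE_DIR"
    unzip -o -q "$1" -d "$CACHE_DIR"
    rm -f "$CACHE_DIR/README.txt"
}

# Read bsu output on stdin and print "<patch> -> <conflicting ids>" for each
# conflict line it contains; prints nothing when there is no conflict.
bsu_conflicts() {
    sed -n 's/^[[:space:]]*Patch \([A-Za-z0-9]*\) is mutually exclusive and cannot coexist with patch(es): *\(.*\)$/\1 -> \2/p'
}

# Arguments are "zipfile:PATCHID" pairs, e.g. p20181997_1036_Generic.zip:YUIS
apply_patches() {
    for pair in "$@"; do
        zip=${pair%%:*}; id=${pair##*:}
        stage_patch "$zip"
        out=$(cd "$BSU_DIR" && ./bsu.sh -install -patch_download_dir="$CACHE_DIR" \
              -patchlist="$id" -prod_dir="$WLS_HOME" 2>&1) && rc=0 || rc=$?
        conflict=$(printf '%s\n' "$out" | bsu_conflicts)
        if [ -n "$conflict" ]; then
            echo "skipping $id: conflict ($conflict)" >&2
            continue
        fi
        if [ "$rc" -ne 0 ]; then
            echo "bsu failed for $id (exit $rc):" >&2
            printf '%s\n' "$out" >&2
            return "$rc"
        fi
        echo "installed $id from $zip"
    done
}

# Run only when given pairs, so the functions can also be sourced elsewhere.
if [ $# -gt 0 ]; then apply_patches "$@"; fi
```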

Configure

OUD

OUD has been covered in previous entries. Some things have changed; the default memory assignments could be a bit less (although I could not get them below 1GB initial). Also, there's the possibility for DIP integration directly in OUD (i.e. not needing the ODSM weblogic stack???):

OAM

Has also been done before, but there are slight differences:
All I chose here, was Oracle Access Management and Mobile & Social (renamed from Oracle Access Management), as well as the Entitlement Server for Admin server.
Do NOT start the OAM stack, yet! You (still) need to follow chapter 11 "Configuring Database Security Store ... "
cd /oracle/middleware/oracle_common/common/bin
./wlst.sh /oracle/middleware/Oracle_IDM1/common/tools/configureSecurityStore.py \
  -d /oracle/user_projects/domains/oam_domain -c IAM -m create -p [your OPSS password]

Start it up

Enable autostart (Production Mode)

cd /oracle/user_projects/domains/oam_domain
mkdir -p servers/AdminServer/security
vi servers/AdminServer/security/boot.properties
/oracle/user_projects/domains/oam_domain/startWebLogic.sh
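Creating boot.properties as an added example (my shell, not the post's commands): WebLogic encrypts the values on the first boot, but until then the admin credentials sit in the file in clear text, so it is written with mode 600 and the password is taken from an environment variable rather than a command-line argument. The domain path is the post's; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the post: create boot.properties for a server so a
# production-mode start does not prompt for credentials. The values are clear
# text until the first boot encrypts them, hence umask 077 and mode 600.
DOMAIN_HOME="${DOMAIN_HOME:-/oracle/user_projects/domains/oam_domain}"

# write_boot_properties <server name> <admin user>; the password comes from
# $WLS_PASSWORD so it never appears in the process list. Refuses to clobber
# an existing file. Prints the resulting permission string on success.
write_boot_properties() {
    dir="$DOMAIN_HOME/servers/$1/security"
    file="$dir/boot.properties"
    if [ -z "${WLS_PASSWORD:-}" ]; then
        echo "WLS_PASSWORD not set" >&2; return 2
    fi
    if [ -e "$file" ]; then
        echo "$file already exists, not overwriting" >&2; return 1
    fi
    (umask 077 && mkdir -p "$dir" && \
        printf 'username=%s\npassword=%s\n' "$2" "$WLS_PASSWORD" > "$file")
    chmod 600 "$file"
    boot_properties_mode "$file"
}

# Permission string of a file (e.g. -rw-------), for a quick sanity check.
boot_properties_mode() {
    ls -l "$1" | cut -c1-10
}
```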
One thing that I noticed was the amount of logging during the initial startup: it has been decreased enormously! You will see
SEVERE: Failed to communicate with any of configured Access Server, ensure that
 it is up and running.
but that is a configuration issue that I will take care of. Several other errors (Primary Keys violated...) seem to have no effect; after about 5 minutes, I can log in to the new interface (yet again...):
A lot of defaults are now available as standard that you used to have to think of yourself in the previous release; even the dreaded favicon is now excluded. Happily surprised!

Getting rid of the SEVERE error

Login to the WLS console (http://your_oam_host:7001/console), navigate to the security realm MyRealm, go to the Providers tab, and delete IAMSuiteAgent:
You will have to stop and start the Admin Server...

Finalize WLS Patching

One of the consequences of patching WLS is the requirement to use JSSE. The easiest way is to set the "Use JSSE" flag for all managed servers (WLS console, Lock and Edit, Environment, Servers, select a server, navigate to the SSL tab, scroll to the bottom, click 'Advanced', and -at the bottom- enable JSSE). After applying the changes, stop all servers.
For the node manager, edit the startNodeManager.sh script and add the following lines somewhere at the top of the file:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Somewhere around line 40 will do. The file is located at /oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh
For all other command-line-initiated scripts, introduce the following environment variables:
JAVA_OPTIONS="-Dweblogic.ssl.JSSEEnabled=true"
export JAVA_OPTIONS
Starting the admin server will show this in the logging:
Starting WLS with line:
/oracle/jdk1.7.0_76/bin/java -server   -Xms1024m -Xmx2048m -XX:PermSize=256m -XX:MaxPermSize=512m 
-Dweblogic.Name=AdminServer -Djava.security.policy=/oracle/middleware/wlserver_10.3/server/lib/weblogic.policy
-Dweblogic.ProductionModeEnabled=true -Dweblogic.ssl.JSSEEnabled=true
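An added example (my shell, not the post's code) for the JSSE step: a helper that appends the JSSE flag to JAVA_OPTIONS only once, usable at the top of startNodeManager.sh or before any command-line start script, plus a check that reads the "Starting WLS with line:" block from a server log and confirms the flag actually made it onto the java command line. The log layout is the one shown above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post. Two helpers for the JSSE requirement
# that the WLS patches introduce.
JSSE_FLAG="-Dweblogic.ssl.JSSEEnabled=true"

# Print $1 (an existing JAVA_OPTIONS value) with the JSSE flag appended once.
# Idempotent, so it is safe in scripts that get sourced more than once.
with_jsse() {
    case " $1 " in
        *" $JSSE_FLAG "*) printf '%s\n' "$1" ;;
        "  ")             printf '%s\n' "$JSSE_FLAG" ;;
        *)                printf '%s %s\n' "$1" "$JSSE_FLAG" ;;
    esac
}

# Read a server .out/.log on stdin; take the java command line that follows
# "Starting WLS with line:" (it wraps over several lines and ends at a blank
# line) and return 0 if the JSSE flag is on it, 1 otherwise. The flag turning
# up elsewhere in the log (an echo, a comment) does not count.
jsse_enabled_in_log() {
    awk -v flag="$JSSE_FLAG" '
        /^Starting WLS with line:/ { grab = 1; next }
        grab && /^[[:space:]]*$/   { grab = 0 }
        grab && index($0, flag)    { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Typical use at the top of startNodeManager.sh or before ./startWebLogic.sh:
JAVA_OPTIONS=$(with_jsse "${JAVA_OPTIONS:-}")
export JAVA_OPTIONS
```

After a start, `jsse_enabled_in_log < servers/AdminServer/logs/AdminServer.out` (path assumed) gives a clean yes/no for scripting.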
