Friday, October 29, 2010

Performance tuning of Oracle Access Manager

I am glad that I got an opportunity to perform the tuning process of a real time IAM project implementation.
This is one area which I found very interesting and challenging.

Well, I would like to talk & give directions about various tuning aspects of Oracle Access Manager.
The Oracle Access Manager deployment guide and sizing guide (also called capacity planning) are references for this.

The tuning process has to be in the following order:
  • Tuning the Database: In my case, we have used Oracle database and the tuning guide is here.
  • Tuning the LDAP: In my case, we have used Oracle Internet Directory as the user store. The OID tuning guide is here. No matter how well you tune Oracle Access Manager, it makes a trip to LDAP for authentication and authorization calls. So, it is vital to tune the LDAP prior to Oracle Access Manager.
  • Tuning the Web Server: The web servers hosting the Oracle Access Manager web components, WebPass and WebGate, have to be tuned well. In my case, we have used OHS WebServer (tuning documentation) and Apache WebServer (tuning documentation) for the WebGate and WebPass components.
  • Tuning the Oracle Access Manager: Components to be tuned here are Identity System and Access Server.
  • Tuning the network: The performance of the overall network, or network latency, is a major factor in the performance of the system. A reduction in network latency will be reflected in the performance of Oracle Access Manager. Documentation is here.
I will explain the tuning of every component in detail in the next posts. So, stay tuned!

Thursday, October 21, 2010

Things to remember for integrating BPEL worklist with OSSO in realtime

I have written a post earlier on the integration aspects of OSSO with BPEL worklist. However, I did not talk about the real-time aspects of this integration. Let's assume there are 2 nodes of OSSO servers with a software load balancer (with virtual hostname say osso.oracle.com) configured in the production system. Along the same lines, let's assume there are 4 nodes of BPEL worklist with a hardware load balancer (with virtual hostname say soa.oracle.com).


The first step of this integration is to register the BPEL worklist as a partner application to the OSSO server using the ssoreg.sh script. The question is, on how many OSSO nodes will we run this script? The answer is a single node. Since the OSSO servers are clustered, registering on one node will automatically get reflected on the other node. However, a small additional step needs to be performed: the osso.conf file generated on the first node has to be copied to the second node, to the same location, say $ORACLE_HOME/Apache/Apache/conf/osso/worklist. Remember that while running the ssoreg.sh script, the hostname specified for the middle tier, i.e., the SOA worklist, is the virtual hostname instead of an individual server hostname.


To verify, log in to the OSSO console and check whether the application is registered or not.
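
A consistency check for the osso.conf copy step above, as an added example that is not part of the original post or of Oracle's tooling: node 1 prints the file's SHA-256 digest, and node 2 verifies its copy against that digest and confirms the file is not accessible to other local users. The function names and the permission policy are assumptions; the path argument is wherever osso.conf was placed, for example under $ORACLE_HOME/Apache/Apache/conf/osso/worklist.

```shell
#!/bin/sh
# Added example: confirm the osso.conf copied to node 2 matches node 1.
# The digest comparison and permission policy are assumptions of this
# example, not behaviour of ssoreg.sh or mod_osso.

# Print the SHA-256 digest of a file (run this on node 1).
osso_conf_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the file has no permission bits set for "other".
osso_conf_private() {
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

# Run on node 2: check_osso_conf <path> <digest from node 1>
# Return codes: 0 ok, 1 missing, 2 digest mismatch, 3 open to other users.
check_osso_conf() {
    conf=$1
    expected=$2
    if [ ! -f "$conf" ]; then
        echo "missing: $conf" >&2
        return 1
    fi
    actual=$(osso_conf_digest "$conf")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: $conf" >&2
        return 2
    fi
    if ! osso_conf_private "$conf"; then
        echo "accessible to other users: $conf" >&2
        return 3
    fi
    echo "ok: $conf"
    return 0
}
```

Run osso_conf_digest on the first node, then pass the printed value to check_osso_conf on the second node after the copy.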


Next step is the configuration part at the BPEL end using the metalink note 753087.1.  
The question is whether to perform this configuration part at single node of BPEL server or all the nodes? The answer is all the nodes.

Please reach out to me in case of any doubts.

Wednesday, October 20, 2010

How to start EM Console service explicitly?

Enterprise Manager console is the basic console to perform health checkups, check ports and so on for Oracle Application Server. One of the easiest ways to access the EM console (if you don't know the exact URL or port number) is by accessing the HTTP Server home page and clicking the Login to IAS Admin Console link. If the EM console is not started, you will see a Page cannot be displayed error.

Now, you can check the status of the EM console using the command ./emctl status iasconsole (execute this command from the location $ORACLE_HOME/bin; this is for a Linux system).
If it is not started, use the command ./emctl start iasconsole to start it; the output will be as shown below.

[oracle@hostname bin]$ ./emctl start iasconsole
TZ set to Asia/Calcutta
Oracle Enterprise Manager 10g Application Server Control Release 10.1.4.3.0
Copyright (c) 1996, 2006 Oracle Corporation.  All rights reserved.
http:// hostname:7018/emd/console/aboutApplication
Starting Oracle Enterprise Manager 10g Application Server Control ...... started successfully.
[oracle@hostname bin]$

Integration of E-Business Suite 12.x with Oracle Single Sign-on Server 10.1.4.3 in real time

Not many people talk about the real-time aspects of integrations and the configurations involved. However, I would like to bring up a small point which is vital for integrating E-Business Suite 12.x with Oracle Single Sign-On Server 10.1.4.3.
Let's assume E-Business Suite is running on 2 nodes and the OSSO server on 2 other nodes (nodes imply different machines or different instances on the same machine) in production mode. In real-time mode, you will be accessing the OSSO server console/application using a virtual hostname (instead of an individual hostname), and the same is the case for E-Business Suite. For integrating OSSO with E-Business Suite, we will run a perl script, txkrun.pl, which registers E-Business Suite as a partner application in the OSSO server. The question is whether to run the script on both nodes of E-Business Suite or just a single node. The answer is a single node, as the script will pick up values from profile options that are in the database (A person called Atul helped me in this concept).

The runtime inputs to be provided for the perl script txkrun.pl are shown below:
$FND_TOP/bin/txkrun.pl -script=SetSSOReg
Enter the host name where Oracle iAS Infrastructure database is installed ?
Virtual hostname of the OSSO server (do not get confused by the prompt asking for the Infrastructure database hostname)
Enter the LDAP Port on Oracle Internet Directory server ?
389 (default port is 389; if you have customized the ports, then specify it)
Enter SSL LDAP Port on Oracle Internet Directory server ?
636 (default SSL port is 636; if you have customized the ports, then specify it)
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
(OID administrator password)
Enter the instance password that you would like to register this application instance with ?
(mostly this password is the same as the OID admin password)
Enter Oracle E-Business apps database user password ?
(EBS apps user password)

Sunday, October 10, 2010

Configuring Oracle Access Manager 11g

This post covers the configuration part of Oracle Access Manager 11g. To know about installing and configuring the Oracle Identity and Access Management 11.1.1.3, check the previous post.

Configuring Oracle Access Manager 11g contains the steps for creating a WebLogic domain which has OAM Admin Server, EM consoles etc., deployed in WebLogic server.

First step is to run the config.sh present in the location /common/bin.
We are configuring OAM alone, hence we have selected Oracle Access Manager with Database Policy Store. A database policy store offers more security measures that can be layered based on the storage, thereby ensuring higher resiliency to corruption and better high availability. We have also selected Oracle Enterprise Manager here.
Note:
When you select the Oracle Access Manager with Database Policy Store - 11.1.1.3.0 [Oracle_IDM2] option, the Oracle JRF - 11.1.1.0 [oracle_common] option is also selected by default.

Specify a Domain name.
Specify the weblogic user password.

Specify the Service Name of the database, database hostname, database port. Select the OAM Infrastructure component for configuring the JDBC schema.
Test the JDBC connection.


 
Start the WebLogic admin server using startWebLogic.sh present in the location Oracle_Home/user_projects/domains/oam_domain


Access the WebLogic administration console, http://host:port/console
To start the OAM Access Server, run startManagedWebLogic.sh with oam_server1 as the parameter, as shown below.

Access the OAM console using http://host:port/oamconsole. Log in as the weblogic user.
This completes the OAM Configuration and now you can play with this product.






Saturday, October 9, 2010

Step by Step installation of Oracle WebLogic Server 10.3.3

This post covers the installation part of Oracle WebLogic Server 10.3.3. 






Installing Oracle Identity and Access Management Suite 11.1.1.3.0

I have covered the installation part of Oracle Identity and Access Management suite 11.1.1.3.0 with screenshots.


The pre-requisites before installing this product are:
  1. WebLogic Server 10.3.3 should have been installed.
  2. Oracle Database above 11.1.7.0+ or 11.2.x should have been installed
  3. The schema for Oracle Access Manager should have been created using RCU.
Please note that while installing the Oracle IAM 11.1.1.3.0, an Oracle Home should be specified. This directory is the same as the Oracle Home created in the Oracle WebLogic Server installation. If you specify a different home location, the Installer displays a message and prompts you to confirm whether you want to proceed with the installation of only Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager. These two components of Oracle Identity Manager do not require a Middleware Home directory.
If you want to install only Oracle Identity Manager Design Console or Remote Manager, you do not need to install Oracle WebLogic Server or create a Middleware Home directory on the machine where Design Console or Remote Manager is being configured.

Now, let us proceed with installation screens directly.







Let us see the folders that get created in the Oracle Home location.

A folder called Oracle_IDM1 gets created and this is the IDM home.
The next step is to configure Oracle Access Manager by creating a WebLogic domain, which will be covered in a separate post.

Installing Oracle Database 11g R2 (11.2.0.1.0)

For the first time ever, I have installed an Oracle Database and have given a few important screenshots in this post.
You can download the database 11.2.0.1.0 software here.