Thursday, August 1, 2013

Installing Oracle Single Sign on 10gR3 against OID 11G using an Oracle 11GR2 (11.2.0.3 ) database

Important Note: This is not a supported method for installing SSO 10gR3 against OID 11g, as the database version we are using here, is 11.2.0.3...
So according to Oracle Support: we need a 10g database fot the installation of SSO 10gR3.. If there is a need for using a 11gR2 database, we need to upgrade the database tier, after the SSO installation..
But, I installed it my way, actually the way adressed in "http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/sso_das.htm#CIHEGHIG" ..
It seems there is a conflict between  these document.. Whatver, I  fixed the errors during the installation , and it seems sso is working, and after all it is supported now..



So procedure is as follows;

First of all, we install OID 11.1.1.7.. We follow the steps in  the following link http://ermanarslan.blogspot.com/p/weblogic-and-applications.html#oid11g_install
Dont do the step in "OID and weblogic to use service-ip.." steps if you are not using a cluster.

After the installation of OID 11.1.1.7, we make a quick health check and if everyting seems ok we will start the Oracle Single Sign 10gR3  installation against OID 11g..

The root document to follow  for this operation is : http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/sso_das.htm#CIHEGHIG..
This document explains how to install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g Release 1 (11.1.1).

*So in this context; first of all , we run inspre11.pl with option 1 argument .

Example:
$OID11gR1_ORACLE_HOME/perl/bin/perl \
$OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
OID_COMPONENT DB_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD \
{-op1 | -op2 | -op3}

*Next, we install Oracle Repca 10.1.4.3.0 in to our windows client(very important.. the version must be 10.1.4.3.0)
Regional setting of the Windows client should be "English". Otherwise, we can have some problem in the filename conversion and lower/uppercase conversion during the installation ..
Repca 10.1.4.3.0 is an old release.. So if you dont have the installation files, you have to open Sr for this..
10.1.4.3.0 Repca zip file name is V18656-1. It has two Disk folder in it. We use Disk1/runInstaller to install the Repca in our client first.
After the installation, we use runRepca.bat (which resides in the folder where we installed our Repca) to load the Sso schemas.
After loading the Sso schemas, we will use Repca's register option to register the schemas.. Note we need to use the Ssl port of OID for the registration.

* When we finish our work with Repca, we take the below actions one by one;
Unlock the ods user in OID database(if it s locked)
Change the password of ods schema (back to the same).
Set the TNS_ADMIN environment variable to point to the $ORACLE_INSTANCE/config
Create the wallet using the following (note that we can use our OID database SID in the connect string)
$OID11gR1_ORACLE_HOME/ldap/bin/oidpasswd \
connect=CONNECT_STRING create_wallet=true
Restart OID.


*Now we execute the inspre11.pl script once again but this time with op2 argument (option 2)

$OID11gR1_ORACLE_HOME/perl/bin/perl \
$OID11gR1_ORACLE_HOME/ldap/bin/inspre11.pl OID_HOST OID_PORT {-ssl | -nonssl} \
OID_COMPONENT DB_CONNECT_STRING ODS_PASSWORD ORCLADMIN_PASSWORD -op2


At this point , we created our sso schemas in OID database and also registered them with OID..
So we are ready to Install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1).
Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g(10.1.4.0.1) is an old release.. So if you dont have the installation files, you have to open Sr for this..
The installation files we will use are (Note that: we are installing it on Aix..) ; B34349-01, B34350-01, B34351-01, B34352-01 -> 4 zip files.

Before the installation, to prevent the ORA-24247: network access denied by access control list (ACL) errors, we create and assing an ACL to PUBLIC. This can be accomplished by the following;
Note that this error is encountered in the configuration phase.

exec DBMS_NETWORK_ACL_ADMIN.create_acl (
   acl => 'sso_oid.xml',
   description => 'ACL for SSO to connect to OID',
   principal => 'PUBLIC',
   is_grant => TRUE,
   privilege => 'connect');
 

exec dbms_network_acl_admin.add_privilege
(acl=>'sso_oid.xml',
principal=>'PUBLIC',
is_grant=>TRUE,
privilege=>'resolve');

begin
DBMS_NETWORK_ACL_ADMIN.assign_acl (
   acl => 'sso_oid.xml',
   host => '*');
END;
/

!!!DO NOT forget to commit!!!

After this , we invoke the installer and Install Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1)..
In the installation when the installer request us to run the root script; we dont immediately do that.
(Important)At that time, we apply patch 5649850 for release 10.1.0.5, and when installation of the patch 5649850 become successful, we run the root script and continue to installation.
Note that: This patch allows Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.0.1) to connect to a Release11.x database.

During the installation we can encounter a warning says " opmn cannot be started" or something similar, we ignore this.

In the configuration phase of the installation, we can encounter a timezone check error on the Enterprise Manager step.
For the solution, we change the line with "return $rc;" to return 0 in the $ORACLE_HOME/bin/EmctlCommon.pm.. The line number is =~ 313

After the installation of SSO 10.1.4.0.1, we need to install the upgrade patch to upgrade our SSO to version 10.1.4.0.3..
Note that, 10.1.4.0.3 upgrade patch number is 7215628 , and it s available in Oracle Support.
Before beginning the 721528 installation, we need to apply patch 6265268.. This patch will prevent 11g database connection problem of the runInstaller that we use for the 10.1.4.0.3 installation.
(Important)Note that ( we need to make all the copy operations in that patch's Readme..!)


So that is it, we installed Oracle Single Sign-On and Oracle Delegated Administration Services Release 10g (10.1.4.3.0) against Oracle Internet Directory 11g..

According the scenario, you can go further..

*So if you have an EBS R12 , and if you want to integrate it with this SSO.

You run the following command from the FND_TOP/bin to accomplish that..

$FND_TOP/bin/txkrun.pl -script=SetSSOReg  (note that , if you have multiple application nodes , you have to run this in all the nodes..)

Note that: There are three components that can be registered or de-registered in Release 12 with the SSO/OID registration utility when integrating with Oracle Single Sign-On Server 10gR3.
The registration utility automatically detects the registered components and performs registration for the un-registered components.
So there is no requirement to pass individual registration arguments.

Reference Support Note: Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1 and Single Sign-On [ID 1370938.1]

*If you have a cluster and want OID to use the cluster hostname..
-Change ServerName in httpd.conf to virtual server name.
-Ensure theres no added "VirtualHost" configuration in the httpd.conf.
-run the following -> $ORACLE_HOME/sso/bin/ssocfg.sh http virtual_server_name 7777
-In OID odsm;open  cn=OracleContext>cn=Products>cn=DAS and select cn=OperationURLs, The right hand pane will display a number of fields or attributes. The last field will be orcldasurlbase and will
should be set to the Infrastructure HTTP Server and port..
-Clear oid cache by connecting to OID database using sqlplus.. (with orasso user) and executing the following;
sqlplus orasso/(orasso_password) --> find it first
wwsec_oid.refresh_local_cache(true);
commit;


-To find Orasso Password:

ldapsearch -h "thehostnameoftheoidserver" -p oidnonsslport \ -D cn=orcladmin -w orcladmin-password \ -b "cn=IAS Infrastructure Databases, cn=ias, cn=Products, cn=OracleContext" \ -s sub "orclResourceName=ORASSO" orclpasswordattribute
- reregister sso with the OID using ssoreg.sh
Ex:ssoreg.sh -oracle_home_path $ORACLE_HOME -site_name virtualhostname:port -config_mod_osso TRUE -mod_osso_url http://kaoidoapst3:7777

-Clean the OID cache once again and restart sso services using opmnctl.

Reference Support Notes:
Preparing and Configuring Virtual Hosts on OracleAS 10g HTTP Server (Doc ID 293697.1)
Note:292380.1 How to Refresh Cache for OID Parameters





No comments :

Post a Comment