© 2012 Tieto Corporation Company confidential Fusion Applications Bare Metal Provisioning Lessons Learned Andrejs Karpovs Lead Oracle Apps DBA Tieto [email protected]

Fusion Applications Bare Metal Provisioning - Lessons Learned

About me
• Lead Oracle Apps DBA at Tieto Latvia
• R12 OCP, 11g RAC OCE, 11g OCM, WLS OCA
• Master's Degree in Computer Science
• Speaker: UKOUG 2012, UOGH 2012, OUG_IRE 2012, LVOUG 2011
• Twitter: @AndrejsKarpovs
• Blog: adbaday.wordpress.com

2013-10-15

Fusion Apps Installation Options
• Bare metal
  • On-premise, from scratch
  • Installation takes ~2 weeks
• OVM template based
  • Templates shipped from Oracle
  • Installation takes 3 days
  • FSCM+H, CRM, HCM templates available
• Oracle Cloud Applications (SaaS)

My UNSuccess Story
• My company decides to build their own Fusion Apps POC environment
• Fusion Applications: Installation and Administration, Redwood Shores, SFO

Expectation
• Install Fusion Applications from scratch
• Understand all requirements and complete prerequisites
• Fusion Apps Know-how

Result
"So are you ready to install Fusion Apps?"
[Image labels: My Boss, Me]

Reality
• 90% of Fusion Applications bare metal provisioning is related to Identity and Access Management. This is the base platform and main prerequisite
• Identity and Access Management is not covered in the course
• NEW! There is a separate course for that: «Fusion Applications: Install And Configure Identity Management»
• Bugs
  • IdM is the root cause mostly

Recommendation I

Why IdM?
• Fusion Apps is truly built on a modern Oracle middleware platform
• Fusion Apps leverages FMW’s service-oriented security to protect access to resources
• For large-scale enterprise environments, FA takes advantage of IdM’s services, thus abstracting security from the applications, and administering the enterprise environment from a single point of control

Consequences
• Every Fusion Apps customer will become a Fusion Middleware Security Customer
• Independent set of products that must be actively managed
• Mission critical. The IDM components of Fusion Applications are mission critical. If something is not working properly (or God forbid, isn’t working at all) then neither is Fusion Apps. It is that simple.
• IdM Skill Sets are required
  • Oracle recommends separating Apps DBAs and IdM experts

[Diagram: IdM Architecture for FA]

Setup challenges
• Complex architecture
• Lots of hosts involved
• Highly available
• Lots of components
• Needs intensive planning

Where to start?

Disclaimer
• Not for Production deployments (Oracle Doc is for Prod)
• POC and evaluation
• Getting to know the overall process and training

Lesson I – Leverage Virtualization

Server Role          vCPU  RAM (GB)  Storage (GB)
Identity Management  8     32        150
IdM DB               8     16        100+
Fusion Apps          8     150+      500
Fusion Apps DB       8     32        100+
TOTAL                32    230+      850+

Isolate IdM and Fusion DBs

Download the latest version from e-delivery

All required components will be there!

Lesson II – Start with the right Docs
• Oracle® Fusion Applications Release Notes 11.1.x
  • Contains all additional prereqs and patches for IdM
  • Check for the latest version of the document in MoS
• Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
• Oracle® Fusion Applications Installation Guide 11.1.x
  • Check for your installation version (most likely the latest one)

Create your own step-by-step

The right approach
1. Install all the software from EDG for IdM (FA) – Do not configure
2. Apply all the patches and workarounds from Release notes
   1. Check the patch READMEs for Post Steps
3. Start the components
   1. Apply the patch Post Steps
4. Follow the further steps from documentation

Get Ready!
[Image labels: APM, OID, OIM, OAM, OHS]

What FMW Is In Fusion Apps
• OPSS (Oracle Platform Security Services) provides the fine-grained authorization for the application in Fusion Apps as well as an assortment of other functions such as LDAP connectivity and key management (security foundation).
• APM (Authorization Policy Manager): graphical user-interface console for managing OPSS-based authorization policies. APM was specifically designed to support FA security policies using a centrally managed approach.

IdM components in Fusion Apps
• ODS (Oracle Directory Services)
  • OID (Oracle Internet Directory) – identity data/OPSS security policies
  • OVD (Oracle Virtual Directory) – go-between layer for user stores when OID is not being used (Microsoft AD, third-party LDAPs)
• OIM (Oracle Identity Manager) – administers user access privileges across resources
• OAM (Oracle Access Manager) – provides authentication and SSO
  • Webgate – intercepts access requests to resources, checks for a pre-existing authentication, validates credentials, and authenticates users.

IdM components in Fusion Apps
• OWSM (Oracle Web Services Manager) - provides web services security (WS-SEC) for both FA internal web services communication and the external web services interfaces to FA.
• OHS (Oracle HTTP Server) - serves as the web tier for Fusion Apps
  • Front end for IdM
  • Front end for FA
• SOA Suite – workflow engine used in user provisioning
[Image labels: OIM, Webgate, OAM]

Recommendations: Plan
• Network Considerations: Virtual Hostnames and IPs
  • admin.mycompany.com
  • oiminternal.mycompany.com
  • sso.mycompany.com
  • policystore.mycompany.com
  • idstore.mycompany.com
• SSL?
• Load Balancers?
• Topology / Nodes?

Recommendations: Plan
• Directory (File System) Structure
• Database
  • OID
  • Policy store
  • Identity store
  • OIM related products (OIM, OAM, OIF)
  • RAC or Non RAC
• OVD (third-party LDAP) and OIF (federation single sign-on)

Recommendations: Plan
• WebLogic Servers
  • Clustered
  • Non Clustered
• Communication mode
  • Open
  • Simple
  • Certificate
• Authentication and authorization policies
• You can end up with one host for everything

Recommendations: Simplify
• Maintain a table

EDG Node Name  Components          Physical host
WEBHOST        OHS                 webhost1.mycompany.com
WEBHOST 2      OHS                 webhost2.mycompany.com
IDMHOST        WLS, OAM, ODSM, EM  idm1.mycompany.com
IDMHOST 2      OAM, ODSM, EM       idm2.mycompany.com
OIMHOST        OIM, SOA            oim1.mycompany.com
OIMHOST 2      OIM, SOA            oim2.mycompany.com
…              …                   …

[Slide callouts beside the table: idmsuite.mycompany.com (×3)]

Recommendations: Simplify
• And

Virtual Host               Maps to
sso.mycompany.com          sso.mycompany.com
oiminternal.mycompany.com  oiminternal.mycompany.com
admin.mycompany.com        idm-fa.admin.mycompany.com
policystore.mycompany.com  ldap.mycompany.com
idstore.mycompany.com      ldap.mycompany.com

[Slide callouts beside the table: idmsuite.mycompany.com (×5)]
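
A check for the simplified mapping, as an added example that is not part of the original slides: it assumes the idmsuite.mycompany.com callouts mean that all five virtual hostnames are aliases of that single host, and verifies a hosts-format file against that plan. The function names, the sample file and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Virtual hostnames from the planning slide. Treating idmsuite.mycompany.com
# as the one host behind all of them is this example's assumption.
VHOSTS="sso.mycompany.com oiminternal.mycompany.com admin.mycompany.com \
policystore.mycompany.com idstore.mycompany.com"

# ip_for FILE NAME: print the first address a hosts-format file gives NAME.
ip_for() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                     # drop comments
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "$1"
}

# check_vhosts FILE TARGET: print one line per virtual host and return the
# number of names that are missing or do not point at TARGET's address.
check_vhosts() {
    file=$1 target=$2 bad=0
    want=$(ip_for "$file" "$target")
    if [ -z "$want" ]; then
        echo "MISSING  $target" >&2
        return 255
    fi
    for h in $VHOSTS; do
        got=$(ip_for "$file" "$h")
        if [ "$got" = "$want" ]; then
            echo "OK       $h -> $got"
        else
            echo "MISMATCH $h -> ${got:-unresolved} (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample (documentation address range) with one deliberate gap.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
192.0.2.10  idmsuite.mycompany.com idmsuite sso.mycompany.com admin.mycompany.com
192.0.2.10  oiminternal.mycompany.com policystore.mycompany.com  # idstore missing
EOF
check_vhosts "$sample" idmsuite.mycompany.com || echo "fix the entries above before installing"
```

Point it at /etc/hosts on each node before starting the IdM installers; a non-zero return is the count of names still to fix.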

Recommendations: Verify
• Make sure all services are running (OAM, OIM, ODSM, SOA)
• Verify that connection to OID is working (login through ODSM)
• Verify that the following users exist
• Document all the passwords!

Recommendations: Verify
• Verify the following groups exist
• Verify user membership
• Verify OAM
• Verify OIM
• Verify OAM and OIM integration
• Verify Webgate is working properly

Recommendations: Test
• oamtest tool (IAM_HOME/oam/server/tester)
Beware of the bug [ID 1345915.1] when using Webgate 11g agent
Do not proceed unless it is working

Provisioning Wizard
• Remaining 10% of manual work
• Fusion DB host:
  • Install Provisioning Framework
  • Start and create Transactional Database
  • Load metadata using RCU
• Fusion Apps host:
  • Install Provisioning Framework
  • Create a response file

Recommendations: Pass
• idmConfigTool will generate idmDomainConfig.param and append to it upon each configuration step
• Transfer the file to the Fusion Applications server
• Open the file during the Provisioning wizard

Recommendations: Execute
• Run provisioning wizard with -ignoreSysPrereqs true
• Skip failed prerequisites

Recommendations: Execute
• Environment variable PROV_ENCRYPT_DISABLE=TRUE
  • Clear text passwords in response file
  • Helps in troubleshooting
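
One way to limit the exposure of those clear text passwords, as an added example that is not from the original slides: the variable is set for a single command only, files are created owner-only, and the directory is checked afterwards. The function name, the directory argument and the stand-in `fake_wizard` command with its `response-file.txt` are hypothetical; pass your own wizard start command in its place.

```shell
#!/bin/sh
# run_cleartext_prov DIR CMD [ARGS...]
# Run CMD with PROV_ENCRYPT_DISABLE=TRUE set for that one process, under a
# umask that makes any file it writes owner-only, then inspect DIR.
# Returns 0 if no file under DIR is readable by group or others, 1 if some
# are, 255 if CMD itself failed. DIR and CMD are chosen by the caller.
run_cleartext_prov() {
    dir=$1; shift
    (
        umask 077                        # response files: mode 600
        PROV_ENCRYPT_DISABLE=TRUE "$@"   # scoped to this subshell only
    ) || return 255
    loose=$(find "$dir" -type f \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$loose" ]; then
        printf 'clear text files readable beyond the owner:\n%s\n' "$loose" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a stand-in command writes a fake response file so the
# function can be exercised without the real wizard.
demo_dir=$(mktemp -d)
fake_wizard() {
    echo "encryption disabled: ${PROV_ENCRYPT_DISABLE:-no}" > "$demo_dir/response-file.txt"
}
run_cleartext_prov "$demo_dir" fake_wizard && echo "response files are owner-only"

# The variable never reached the calling shell, so later runs encrypt again.
echo "PROV_ENCRYPT_DISABLE in this shell: ${PROV_ENCRYPT_DISABLE:-unset}"
```

Once troubleshooting is finished, remove the clear text response file or regenerate it with encryption enabled.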

Recommendations: Execute
• 7 provisioning stages

Recommendations: If it goes wrong…

• Consult the Release notes for known issues

• Search in MoS for related notes/bugs

• Log an SR [Fusion Applications Toolkit]

• Try to understand the scope of the problem

• Assign to the right team for troubleshooting

Recommendations: As the last resort
• Modify the provisioning phaseguards
• DISCLAIMER: You should NEVER touch the phaseguards unless you are sure you know what you are doing
• MoS [1516819.1]
  • Delete the phaseguard file APPLICATIONS_CONFIG/phaseguards/validate-<host name>-FAILED.grd
  • Create zero byte files validate-<host name>-COMPLETED.grd and validate-<host name>-ENDED.grd
  • Go back to the Provisioning Wizard. The Next button should be enabled to go to the Summary phase.
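
The phaseguard steps above as a guarded script, added here as an example and not taken from the slides or the MoS note: it refuses to act unless the guards are in exactly the state described, and it moves the FAILED guard to a backup directory instead of deleting it, which is a cautious variation. The function name, the `phaseguards-backup` directory and the host name `fahost1` are hypothetical.

```shell
#!/bin/sh
# reset_validate_guard CONFIG_DIR HOST
# CONFIG_DIR is the APPLICATIONS_CONFIG directory. Returns 0 on success,
# 1 if the guards are not in the state the slide describes.
reset_validate_guard() {
    pg="$1/phaseguards" host=$2
    failed="$pg/validate-$host-FAILED.grd"
    completed="$pg/validate-$host-COMPLETED.grd"
    ended="$pg/validate-$host-ENDED.grd"

    # Act only when there is a FAILED guard for this host and no
    # COMPLETED guard yet; anything else needs a human look first.
    if [ ! -f "$failed" ] || [ -e "$completed" ]; then
        echo "unexpected phaseguard state in $pg, nothing changed" >&2
        return 1
    fi

    # Keep the evidence: move the FAILED guard aside rather than delete it.
    backup="$1/phaseguards-backup"
    mkdir -p "$backup"
    mv "$failed" "$backup/validate-$host-FAILED.grd.$(date +%Y%m%d%H%M%S)"

    # Zero-byte marker files, as the slide specifies.
    : > "$completed"
    : > "$ended"
    ls -l "$pg"
}

# Constructed demo directory standing in for APPLICATIONS_CONFIG.
demo=$(mktemp -d)
mkdir -p "$demo/phaseguards"
: > "$demo/phaseguards/validate-fahost1-FAILED.grd"
reset_validate_guard "$demo" fahost1
```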

Summary
• If you have the possibility, attend or have your technicians attend the correct course (IdM)
• Plan your infrastructure (use virtualization)
• Simplify your setup if applicable
• Download the latest FA version and use the correct documentation
• Skip the ignorable prerequisite failures

Success

Useful links
• http://fusionsecurity.blogspot.com
• http://www.oracle.com/technetwork/indexes/documentation/index.html#fusion_applications
• http://fusionapplications-ateam.blogspot.com/
• Fusion Applications Security Best Practices [1369336.1]
