1. Run the following command: dcmctl whichFarm
2. If the command returns a farm name, the OracleAS instance is still part of a farm, and hence, still associated with an existing repository. Use the dcmctl leaveFarm command to bring the instance to a standalone state.
3. After ensuring that the instance is not part of a farm, run the following command at one of the instances that is joined to the farm of the repository that you want to join. This command gets the repository ID of the file-based repository. If you want to establish and join a new file-based repository using the host where the standalone instance is as the repository host, run the following command at the standalone instance.
dcmctl getRepositoryId
A repository identifier in the format "hostname:port" is returned.
4. Join the farm of the desired repository using the following command: dcmctl joinFarm -r <repository_ID>
Enabling SSL For Communication Between Instances That are Using a File-Based Repository
When instances in a farm use a file-based repository, you can configure DCM so that configuration information that is sent between instances uses SSL. This feature provides for the security of messages sent between all instances in the farm and prevents unauthorized instances from joining the farm.
This section describes the steps required to set up SSL and certificate-based security for instances that use a file-based repository. The overall steps are:
■ Generating the Keystore
■ Shutdown Oracle Application Server Processes on Each Instance
■ Set Up the Keystore Information File on Each Instance in the Farm
■ Enable SSL By Configuring dcmCache.xml
■ Verify that Configuration Changes are Effected
■ Start Each Instance in the Farm
■ Adding a New Instance to a SSL-Enabled Farm
Note: If you are using Application Server Console to view the changes after executing the dcmctl joinFarm command, you need to restart Application Server Console for the changes to appear. Use the emctl start and stop commands to restart Application Server Console.
Using a File-Based Repository with OracleAS Clusters
Generating the Keystore
Use the JDK keytool command to generate a certificate and set up the keystore, as documented in:
http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html
If you have already generated the key pair and obtained the certificate for OC4J, then you can use the same keystore you previously obtained.
To use SSL certificate-based security, a Java keystore must be set up on each instance in the farm. This keystore may be the same as that used by other Java applications or it can be unique for DCM file-based repository configuration. Note the path to each keystore location for each instance in the farm.
Shutdown Oracle Application Server Processes on Each Instance
At each instance of the farm, execute the following commands to shut down Oracle Application Server processes:
in UNIX:
$ORACLE_HOME/bin/emctl stop iasconsole
$ORACLE_HOME/dcm/bin/dcmctl stopproc
in Windows:
%ORACLE_HOME%\bin\emctl stop iasconsole
%ORACLE_HOME%\dcm\bin\dcmctl shutdown
Set Up the Keystore Information File on Each Instance in the Farm
After obtaining the keystore and certificate information, on each Oracle Application Server instance in the farm, you need to use the dcmctl configRepositorySSL command to create the file that holds keystore information.
To set up the keystore information file, execute the following instructions beginning with the repository host instance of the file-based repository (after that, the instructions can be performed in no particular sequence for the remaining instances):
1. Copy the keystore file that you generated in the first step, "Generating the Keystore," to a location in the local host.
2. Use the configRepositorySSL command as follows on each instance to create the keystore information file:
dcmctl configRepositorySSL -keystore <path_to_keystore> -storepass <password>
The generated file, .ssl.conf, is stored in <ORACLE_HOME>/dcm/config.
Enable SSL By Configuring dcmCache.xml
Modify the dcmCache.xml cache configuration <useSSL> attribute as shown in Table 4–3 to enable or disable the use of SSL.
Optionally, you can specify the location of the file that was generated using configRepositorySSL by modifying the value of the <sslConfigFile> element.
If you modify this value, you need to copy the .ssl.conf file that configRepositorySSL generated to the new file that you specify using <sslConfigFile>.
Important: The keystore information file must be set up for the repository host instance of the file-based repository before any other instance in the farm. To find the repository host and host instance, execute the following:
The dcmCache.xml file is in $ORACLE_HOME/dcm/config directory in Unix, and in %ORACLE_HOME%\dcm\config directory in Windows.
Verify that Configuration Changes are Effected
Ensure that the configuration changes are effected by executing the following command on each instance in the farm beginning with the repository host instance:
dcmctl getstate
The synchronization state of the local instance with the file-based repository is shown.
Start Each Instance in the Farm
After the security configuration is consistent across all the instances in the farm, restart each instance, beginning with the repository host instance, using the following command:
in UNIX:
$ORACLE_HOME/opmn/bin/opmnctl startall
$ORACLE_HOME/bin/emctl start iasconsole
in Windows:
%ORACLE_HOME%\opmn\bin\opmnctl startall
%ORACLE_HOME%\bin\emctl start iasconsole
Adding a New Instance to a SSL-Enabled Farm
You can add a standalone instance to a farm that is using SSL. On the standalone machine:
1. Copy the keystore file that you generated in the first step, "Generating the Keystore," to a location in the local host.
2. Use the configRepositorySSL command as follows on each instance to create the keystore information file:
dcmctl configRepositorySSL -keystore <path_to_keystore> -storepass <password>
The generated file, .ssl.conf, is stored in <ORACLE_HOME>/dcm/config.
3. Follow the instructions in the section Joining a Farm Managed Using a File-Based Repository on page 4-11 to join the instance to the farm.
Table 4–3 Elements for Enabling SSL in a Farm Using a File-Based Repository
Element: <useSSL> true | false </useSSL>
Description: Set to true to use SSL or to false to disable the use of SSL by the DCM file-based repository communications mechanism. The default value is false. Valid values: true, false
Element: <sslConfigFile> sslfile </sslConfigFile>
Description: Specifies the name, sslfile, for the SSL configuration file. The default value is .ssl.conf. For most installations, there should be no need to change the default value for this element.