
Multiple Single Sign-On Middle Tiers, Replicated Oracle Internet Directory

In local area networks that experience high traffic, it may be beneficial to supplement multiple single sign-on middle tiers with replicated instances of Oracle Internet Directory. This arrangement, depicted in Figure 9–5 on page 9-15, provides failover not only at the middle tier, but also at the directory server.

Usage Scenario

The usage scenario that follows assumes the following hypothetical configurations:

■ There are two single sign-on middle tiers. One is installed on host sso1.mydomain.com. The other is installed on sso2.mydomain.com.

[Figure residue from the preceding deployment scenario: Browser; HTTP / Directory Load Balancer; two Single Sign-On Middle Tiers; OracleAS Active Failover Clusters Node 1 and Node 2, each running Oracle Internet Directory and Database Processes; Identity Management Infrastructure Database on Shared Storage Space]

Deployment Scenarios

■ An HTTP load balancer is situated between the browser and the two single sign-on middle tiers.

■ The address of the single sign-on server that is published to partner applications is sso.mydomain.com. This is also the external address of the load balancer.

■ There are two identity management infrastructure databases: one at oid1.mydomain.com, the other at oid2.mydomain.com. The two directory servers located at these nodes constitute a replication group.

■ For replication purposes, oid1.mydomain.com is the master definition site (MDS), the site from which the replication scripts are run and data is first replicated. oid2.mydomain.com is the remote master site (RMS), the site to which data is replicated.

■ A load balancer is situated in front of the replicated directory servers. This load balancer is configured for failover, but not for load balancing.

■ The address of the directory server that is published to the single sign-on middle tiers is oid.mydomain.com. This is also the external address of the directory load balancer.

Configuration Steps

The following steps combine instructions presented in directory replication documentation and "Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory". The latter is a deployment scenario that was presented earlier in this chapter.

1. Choose effective host names for the load balancers serving Oracle Internet Directory and OracleAS Single Sign-On. In the usage scenario just introduced, this task has already been completed.

2. Install Oracle Internet Directory on oid1.mydomain.com and oid2.mydomain.com; then set these servers up as a replication group. For instructions, see Oracle Internet Directory Administrator’s Guide. These instructions cover both installation and replication. For replication concepts, see also Oracle Internet Directory Administrator’s Guide.

3. On the directory load balancer, configure one pool of real servers with the addresses oid1.mydomain.com and oid2.mydomain.com. Configure one virtual server with the address oid.mydomain.com. Ensure that the directory load balancer is configured for failover, but not for load balancing. The load balancer should be configured with persistent (stateful) routing.

4. Install the OracleAS infrastructure on the middle tiers sso1.mydomain.com and sso2.mydomain.com, choosing the option "Identity Management." When presented with the component list for this installation type, choose "Single Sign-On." When the Oracle Universal Installer asks you to name the directory server associated with these single sign-on instances, enter oid.mydomain.com.

5. Configure the two Oracle HTTP servers in this scenario to resolve the virtual address of the single sign-on server, sso.mydomain.com, to the real, internal host names, sso1.mydomain.com and sso2.mydomain.com. For instructions, see "Configure the Oracle HTTP servers on the single sign-on middle tiers".

6. Configure the single sign-on server to accept authentication requests from the effective URL of the single sign-on server. This task is effected by running the ssocfg script on one of the single sign-on middle tiers. Using the example provided, the script would be executed in the following way:

■ UNIX: $ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com 80

■ Windows NT/2000: %ORACLE_HOME%\sso\bin\ssocfg.bat http sso.mydomain.com 80

Note that the command example provides the listener protocol, host name, and port number of the load balancer as arguments. Recall that the load balancer address is the effective URL of the single sign-on server. If the load balancer is configured to use SSL, replace non-SSL port 80 with SSL port 4443 and http with https.

After running ssocfg, update the targets.xml file on the single sign-on middle tier. See "Update targets.xml" for instructions.

7. Reregister mod_osso on the single sign-on middle tiers. Follow the steps in "Reregister mod_osso on the single sign-on middle tiers".
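The configuration steps above, as an added consistency check that is not part of the Oracle documentation: it renders the ssocfg invocation for the scenario's load balancer address and flags the mistakes the steps guard against (a middle tier that names a real directory server instead of oid.mydomain.com, a directory load balancer not set to failover with persistent routing, or ssocfg run with a middle-tier host or a protocol/port pair that disagrees with the load balancer's SSL setting). The Topology fields and the lint rules are this example's own assumptions; the host names and ports come from the scenario.

```python
from dataclasses import dataclass

# Listener ports the page pairs with each protocol on the HTTP load balancer.
LISTENER_PORTS = {"http": 80, "https": 4443}

@dataclass
class Topology:                 # hypothetical description of the deployment
    sso_vip: str                # address published to partner applications
    sso_tiers: tuple            # real single sign-on middle-tier hosts
    oid_vip: str                # address published to the middle tiers
    oid_servers: tuple          # replication group (MDS first, then RMS)
    tier_directory: dict        # directory server each tier named at install
    oid_lb_failover_only: bool = True
    oid_lb_persistent: bool = True
    use_ssl: bool = False

def ssocfg_args(topo):
    """(protocol, host, port) to pass to ssocfg: the load balancer's effective
    URL, with port 80 for http or 4443 for https as the page prescribes."""
    proto = "https" if topo.use_ssl else "http"
    return proto, topo.sso_vip, LISTENER_PORTS[proto]

def ssocfg_command(topo, windows=False):
    """Render the ssocfg invocation for UNIX or Windows."""
    script = r"%ORACLE_HOME%\sso\bin\ssocfg.bat" if windows else "$ORACLE_HOME/sso/bin/ssocfg.sh"
    return "{} {} {} {}".format(script, *ssocfg_args(topo))

def lint(topo, ran_ssocfg):
    """Check the topology against the configuration steps. ran_ssocfg is the
    (protocol, host, port) triple the administrator actually gave ssocfg."""
    problems = []
    if len(topo.oid_servers) < 2:   # step 3: pool holds the whole replication group
        problems.append("directory pool must contain both replication members")
    if not (topo.oid_lb_failover_only and topo.oid_lb_persistent):
        problems.append("directory load balancer must be failover-only and persistent")
    for tier in topo.sso_tiers:     # step 4: every tier names the directory VIP
        target = topo.tier_directory.get(tier)
        if target != topo.oid_vip:
            problems.append(f"{tier} names {target}; it must name {topo.oid_vip}")
    proto, host, port = ran_ssocfg  # step 6: load balancer address, matching port
    if host != topo.sso_vip:
        problems.append(f"ssocfg host {host} is not the published {topo.sso_vip}")
    if LISTENER_PORTS.get(proto) != port or (proto == "https") != topo.use_ssl:
        problems.append(f"{proto}/{port} does not match the load balancer listener")
    return problems

# Constructed instance of the usage scenario described on this page.
SCENARIO = Topology("sso.mydomain.com", ("sso1.mydomain.com", "sso2.mydomain.com"),
                    "oid.mydomain.com", ("oid1.mydomain.com", "oid2.mydomain.com"),
                    {"sso1.mydomain.com": "oid.mydomain.com", "sso2.mydomain.com": "oid.mydomain.com"})
```

Running lint(SCENARIO, ssocfg_args(SCENARIO)) returns an empty list; pointing sso1.mydomain.com at oid1.mydomain.com instead of the VIP, or passing a middle-tier host to ssocfg, each yields one finding.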

Figure 9–5 Multiple Single Sign-On Middle Tiers with a Replicated Directory

[Figure 9–5 shows: Browser; sso.mydomain.com HTTP Load Balancer (HTTP / HTTPS); Single Sign-On Middle Tiers at sso1.mydomain.com and sso2.mydomain.com; oid.mydomain.com Directory Load Balancer (Failover); Oracle Internet Directory Servers at oid1.mydomain.com and oid2.mydomain.com joined by Replication; Identity Management Infrastructure Database 1 and Database 2]
