Wednesday, November 08, 2006

High Availability Identity Management Install (10gAS)

The installation guides tell you that your load balancer name must resolve via DNS or in the hosts file. What the guides don't mention is that if your metadata repository is on a separate box, the load balancer name must resolve from that box as well, because the SSO configuration assistant runs PL/SQL in the database that connects out to OID through the load balancer name. If it doesn't resolve there, you will get the following error in InstallActions.log:

SQL> Connected.

SQL> Creating OID entries for SSO
Error code : 1

Error message: User-Defined Exception

LDAP error : ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.

ERROR: deleting application entry

Error code: 1

Error message: User-Defined Exception

ERROR: creating SSO users and groups in OID

PL/SQL procedure successfully completed.
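Because the failure above comes from the database tier, the useful preflight is to confirm, on the metadata repository host itself, that every load balancer virtual name maps to the address you intend before launching the installer. The script below is an added example written for this post, not part of the original installation procedure; the hostnames and addresses (lb-oid.example.com, 10.0.0.50 and so on) are constructed placeholders, and it checks an /etc/hosts-style file so it can be pointed at a staging copy as well as the live file.

```shell
#!/bin/sh
# Preflight name-resolution check for a 10gAS Identity Management HA install.
# Run this on the metadata repository (database) host before the installer.
# Added example, not from the original post; every hostname/IP is a constructed
# placeholder. Pass NAME=IP pairs for each load balancer virtual name.

# lookup_in_hosts NAME FILE
#   Prints the address FILE maps NAME to (first matching line), or nothing.
#   Comments are stripped and NAME must match a whole hostname/alias column.
lookup_in_hosts() {
    name=$1; file=$2
    sed 's/#.*//' "$file" | awk -v n="$name" '
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# resolve_name NAME
#   What the live resolver (DNS or /etc/hosts, per nsswitch) returns for NAME.
#   Not used by the file-based checks below; handy for a quick live comparison.
resolve_name() {
    getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# check_entry NAME EXPECTED_IP FILE
#   Returns 0 if FILE maps NAME to EXPECTED_IP, 1 otherwise (with a message).
#   EXPECTED_IP is normally the load balancer VIP; to bypass the load balancer
#   while troubleshooting, pass the real OID server address instead.
check_entry() {
    got=$(lookup_in_hosts "$1" "$3")
    if [ "$got" = "$2" ]; then
        echo "OK   $1 -> $got"
        return 0
    fi
    echo "FAIL $1 -> '${got:-<unresolved>}' (expected $2)" >&2
    return 1
}

# run_checks FILE NAME=IP [NAME=IP ...]
#   Checks every pair; returns 0 only if all of them resolve as expected.
run_checks() {
    file=$1; shift
    status=0
    for pair in "$@"; do
        name=${pair%%=*}; ip=${pair#*=}
        check_entry "$name" "$ip" "$file" || status=1
    done
    return $status
}

# Usage (constructed values):
#   sh preflight.sh /etc/hosts lb-oid.example.com=10.0.0.50 lb-sso.example.com=10.0.0.50
if [ $# -ge 2 ]; then
    run_checks "$@"
fi
```

A non-zero exit means at least one virtual name is missing or points somewhere unexpected on the database host, which is exactly the condition that produces the DBMS_LDAP init failure above. Run it against the same names you gave the load balancer (the OID SSL and non-SSL virtual hosts and the SSO virtual host), and re-run it after any /etc/hosts or DNS change.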

6 comments:

Anonymous said...

Great Anton!!! You resolved my problem!!

Anonymous said...

This looked promising to me. I am currently facing this problem and adding the load balancer entries to the MetaDataRepository's /etc/hosts didn't resolve the issue. Here is my scenario:

We are using RedHat LVS as the load balancer:

Configured a virtual host for non-SSL OID with port 3000 and 3100 for SSL. Another virtual host for SSO is configured with port 8000. The SSO config assistant failed with exactly the same error you mentioned. I've added the virtual host names for OID and SSO and the actual host name for IM1 on the remote MetaDataRepository host. But I still get the same error. Can you suggest anything else?

Thanks for your help.

Anton Nielsen said...

Can you provide exactly what you did? You need to have DNS (or /etc/hosts) entries for each virtual host name. When you ping or do an nslookup from the database machine, it needs to resolve to the correct IP address. Just what is "correct" may vary. It probably should be the load balancer. If you want to see if the load balancer is really the issue, though, you could have the logical name of the load balancer with the physical IP address of the actual OID server.

The other thing to consider is that if the database machine is on the same subnet as the OID machine, you might need to SNAT requests on the Load Balancer from that subnet. This can get complicated, but those are the things to start with. Of course, if you click on the C2 Consulting link, you can get some dedicated help on this :)

Anton

Anonymous said...

Thanks for the response Anton:

Here is what I did:

It's all happening between 4 servers, 3 Linux and 1 HP.

One Linux box is being used as the load balancer with an LVS configuration.

The two others will be used as the Identity, Webcache, Portal cluster.

The MetadataRepository has been created on a newly created 10g database on the HP box.

I am following Oracle notes 359715.1 and 359726.1 for IM clustering. I am on the 1st (IM1) configuration, where the installer failed at the SSO configuration assistant level.

All entries are made to DNS and /etc/hosts on each server.

The work I've done on the load balancer is adding the following virtual servers:
1. for SSO with port 8000
2. for OID with port 3100 for non-SSL
3. for OID with port 3000 for SSL
4. for the published virtual host with port 7778
5. virtual entries for node1 and node2

Added iptables rules as below:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1:148]
:OUTPUT ACCEPT [1:148]
-A OUTPUT -d virtual_ip_node1 -p tcp -m tcp --dport 22 -j DNAT --to-destination real_server_ip:22
-A OUTPUT -d virtual_oid_ssl_ip -p tcp -m tcp --dport 3000 -j DNAT --to-destination real_server_ip:3000
-A OUTPUT -d virtual_oid_nonssl_ip -p tcp -m tcp --dport 3100 -j DNAT --to-destination real_server_ip:3100
-A OUTPUT -d virtual_sso_ip -p tcp -m tcp --dport 8000 -j DNAT --to-destination real_server_ip:8000
-A OUTPUT -d published_virtual_ip -p tcp -m tcp --dport 7778 -j DNAT --to-destination real_server_ip:7778
-A OUTPUT -d published_virtual_ip -p tcp -m tcp --dport 9401 -j DNAT --to-destination real_server_ip:9401
-A OUTPUT -d virtual_sso_ip -p tcp -m tcp --dport 7778 -j DNAT --to-destination real_server_ip:7778
-A OUTPUT -d virtual_sso_ip -p tcp -m tcp --dport 9401 -j DNAT --to-destination real_server_ip:9401
COMMIT

Anton Nielsen said...

Just to see where the problem is, try bypassing the load balancer from the database tier. To do this, edit the /etc/hosts file and add (or change) the line with the load balancer name:

<oid box IP address> <load balancer name>

If this works then it is a problem with the load balancer configuration. I can help with that, but it is a little beyond what I typically do in this blog.

If that does not solve the problem we would need to do a little more troubleshooting.

Anton

Rob said...

Thanks. This helped me out a lot!
Rob