Complete guide to Oracle IRM (Part 1): Server installation
By Simon Thorpe on Aug 07, 2009
This is the first of many articles I will be writing which walk you through downloading, installing, configuring and using Oracle IRM. From its very creation this technology has been designed to be simple to use from both the end user and the administrators perspective. In these articles I will go step by step, over every detail so you can, by following my instructions, have a fully working IRM system. When well prepared, you should be able to complete this within a few hours. If you have any problems following these steps please leave either a comment or contact me and i'll make an update.
Currently the guide comprises of;
- Part 1: Oracle IRM Server installation
- Part 2: Oracle IRM Management Website installation
- Part 3: Client configuration and basis system testing
- Part 4: Using Windows authentication
This first article will describe attaining the software, preparing the installation environment and installing the server. The installation will be basic with no integration with user repositories and will use basic authentication instead of Windows authentication. The Oracle IRM Server installation document is very detailed and you may wish to have this available.
Windows and database server preparation
Oracle IRM uses a classic client-server architecture. The current 10g release requires that the server is installed on a Windows 2003 server. The 11g release will move the server into the Oracle Fusion Middleware platform allowing it to run on a much wider variety of platforms. But for now, you will need a Windows 2003 server. It is highly advisable to ensure all the latest service packs and patches are also installed. In this article I will be installing the IRM server against an Oracle 11g database, but Microsoft's SQL server is also supported.
Setting up server hostnames
All content protected against an IRM server contains a URL back to the service so that when content is accessed the client software knows where to authenticate the user and then validate rights. Therefore it is worth having a reliable hostname setup even if you are building a test/development server if you can create a record in a DNS server it will be worth it in the long run. In my installation guide I have two hostnames setup, one for the IRM server itself and one for the Management Website i'll be installing later.
These addresses have then been assigned to the local Ethernet interface.
Disabling socket pooling in IISI'm going to run the IRM server on port 80 and also will be running the Oracle IRM Management Website on port 80. Therefore I have bound two IP addresses to the Ethernet interface which will handle my public server requests. However IIS has also been installed and this is currently listening on all available addresses on port 80. To disable this behavior you need to use a tool from Microsoft called httpcfg. It is found in the Windows Server Support Tools.
After installing these tools, run the link to the command prompt and type the following commands replacing the IP address with the one you want the IIS server to listen on. Don't put in the IP address you wish to use for the IRM server, the command below is telling IIS which addresses to listen on.
net stop http /y
httpcfg set iplisten -I 172.22.0.171
net start w3svc
Preparing an Oracle databaseMy installation is going to be done against an Oracle 11g 11.1.07 database. I therefore created a tablespace and then a user who defaults to this table space.
The installation document specifies the rights required by the IRM database user.
Using Oracle, the rights required by the license server during installation are:
CREATE, UPDATE, ALTER and DROP TABLE and create and modify CONSTRAINTs
CREATE and DROP SEQUENCE
CREATE and DROP INDEX
CREATE and DROP PROCEDURE
CREATE and DROP FUNCTION
CREATE and DROP PACKAGE
In the 11g database for the install it is sufficient enough to give the user the RESOURCE role.
The schema itself will be created as part of the IRM server install.
Getting the install files
Download the following zip file and extract to disk.
All the IRM software can be obtained via the Oracle Technology Network.
Installing a 10g Oracle IRM server
Now that we have the OS and database ready, the final step is the IRM server itself. Double click on the MSI installer and you are presented with the following dialog.
Choose custom for the setup type, this will allow you to change the installation folder if you wish.
By default custom will select all components, you can leave this in place. I switched my install location to C:\Oracle\IRMServer but the default is fine.
Choose Advanced for the wizard type, I rarely choose Standalone because I like to use Oracle for my database. The standalone option will create a database in either SQL Server or it will install the small MSDE components.
Next we need to create the ODBC connection on the server. I've already installed the Oracle 11g client software and setup a TNS name pointing to my 126.96.36.199 Oracle database instance. I'm going to create the new ODBC connection from within the installer.
Clicking next will launch the relevant ODBC driver configuration dialog. In my case this is the Oracle ODBC Driver Configuration.
I selected the TNS Service Name for my database and entered in the IRM user. Clicking OK took me back to the installation process asking for the following.
Here enter in the database username and password and hit next.
The database name field isn't used with an Oracle database install. The prefix allows you to specify 3 letters that will prepend all new objects in the database. Useful if you are having to install against an existing schema.
The next dialog asks for a server name, sometimes this is referred to as the server's friendly name. It is a free text string for you to name the server whatever you wish. It gets used in the user interface so the user has a nice and easy to read name for the server. Instead of them being told they can't connect to irmsrv01.domain.com which doesn't mean anything to an end user, they get told they can't connect to the "ABC Corporation Information Rights Server" which is more understandable.
The other section of this dialog asks for a user name and password which will constitute the initial and only account in the server. It is the account that has total control over the server and must be managed appropriately.
Now we get into the network settings of the server. First we need to enter in the fully qualified hostname to the IRM service for the public interface. This is a VERY important hostname, every single piece of content secured using Oracle IRM is going to have this hostname inserted into the content. It is how the content knows where to communicate when a user is attempting to gain access.
NEVER use an IP address, even if building a test server, make changes to your hostfile rather than enter an IP in here. Because we prepared the IIS server to listen on a specific IP for port 80, we can now setup the IRM server to listen on a different IP with the same port. Port 80 is a very good choice and the default.
Most production IRM servers sit in the datacenter DMZ and are therefore accessible from the public internet. People are going to be accessing secured content from a wide variety of networks such as hotels, corporate networks, home systems, free WiFi connections etc. Using port 80 drastically reduces problems for client to server communication from this array of networks over which you will have no control. Clicking next takes us to the configuration for the private port.
In my installation I am going to leave the default and let it use the same settings as my public port. It can however be very useful to have this interface listen on a different address. The difference between the public and private port is that all requests for authentication and access to content go via the public port, all traffic for administering the server goes via the private port.
This allows you to increase security by allowing the server to accept requests to open content from the public internet but only allow requests to add users, assign rights etc from people connected either to a physical corporate network or from a VPN into the corporate network. This dialog allows the server to listen on a different IP address and therefore be available to a different network segment. But I'm leaving this alone and just clicking on next.
This is the final network setting and for the API port. I won't go into any detail on this now but it refers to the low level API and object model that is available in the server. Some low level configuration uses it. If you are building a production system I would advise disabling this port, you can easily enable if needed at a later date. For a development environment I would leave this on.
Nearing the end of the installation tasks you can choose to install the server as a service. I would advise this and I've only needed to change the account the server is running as when it's communicating to an SQL database using NT auth or it is writing out log files to a location that the local service account has no rights to. Which brings us to the next two dialogs.
There are two types of output, server logs and audit logs. Server logs contain information about clients connecting and server operations. Audit logs contain detailed information about people accessing content and making changes to rights on the server. Both of these logs are rolled every 24 hours by default. The default of storing server logs in text format, so you can easily read them, and storing the audit logs in binary format so you can programmatically manipulate them makes sense and so leave them alone for now.
And at last, hit install to run through the installation process. The installer then copies over files, creates registry keys, runs the SQL to create the database schema and then installs the server (if you asked it to) as a service and attempts to start it. It finishes with the following confirmation.
Hitting finish will launch an instance of the Oracle IRM Management Console which is a good way to test the validity of the installation.
Once the console has started, select "New Server" and enter in the hostname for your server. If it is running on port 80 you don't need to specify the port, if you have it running on another port use the notation "server.domain.com:portnumber" for example, irm.us.oracle.com:8001. Hit next and enter in the account details you specified during the installation.
|Once connected you should then be able to see the following aspects of the server. So that's it! A fully working Oracle IRM server, the next step is to install the Management Website and the Standard Rights Model which will be covered in another article.
If you installed the server as a service it will start automatically on boot, note that the database server must be available at this time. If you didn't install as a service you can run the IRM server in a visible console by following the program group in the Start Menu.