Complete guide to Oracle IRM (Part 1): Server installation

This is the first of many articles I will be writing which walk you through downloading, installing, configuring and using Oracle IRM. From its very creation this technology has been designed to be simple to use from both the end user's and the administrator's perspective. In these articles I will go step by step over every detail so that, by following my instructions, you can have a fully working IRM system. When well prepared, you should be able to complete this within a few hours. If you have any problems following these steps please either leave a comment or contact me and I'll make an update.

Currently the guide comprises of;

 

This first article will describe attaining the software, preparing the installation environment and installing the server. The installation will be basic with no integration with user repositories and will use basic authentication instead of Windows authentication. The Oracle IRM Server installation document is very detailed and you may wish to have this available.

 

Windows and database server preparation


Oracle IRM uses a classic client-server architecture. The current 10g release requires that the server is installed on a Windows 2003 server. The 11g release will move the server into the Oracle Fusion Middleware platform allowing it to run on a much wider variety of platforms. But for now, you will need a Windows 2003 server. It is highly advisable to ensure all the latest service packs and patches are also installed. In this article I will be installing the IRM server against an Oracle 11g database, but Microsoft's SQL server is also supported.

Setting up server hostnames


All content protected against an IRM server contains a URL back to the service, so that when content is accessed the client software knows where to authenticate the user and then validate rights. It is therefore worth having a reliable hostname set up, even if you are building a test/development server. If you can create a record in a DNS server, it will be worth it in the long run. In my installation guide I have two hostnames set up, one for the IRM server itself and one for the Management Website I'll be installing later.



irm.us.oracle.com 172.22.0.172

irmweb.us.oracle.com 172.22.0.171



These addresses have then been assigned to the local Ethernet interface.

Disabling socket pooling in IIS

I'm going to run the IRM server on port 80 and also will be running the Oracle IRM Management Website on port 80. Therefore I have bound two IP addresses to the Ethernet interface which will handle my public server requests. However IIS has also been installed and this is currently listening on all available addresses on port 80. To disable this behavior you need to use a tool from Microsoft called httpcfg. It is found in the Windows Server Support Tools.

 

After installing these tools, run the link to the command prompt and type the following commands, replacing the IP address with the one you want the IIS server to listen on. Don't put in the IP address you wish to use for the IRM server; the command below tells IIS which addresses to listen on.

net stop http /y
httpcfg set iplisten -I 172.22.0.171
net start w3svc

Preparing an Oracle database

My installation is going to be done against an Oracle 11g 11.1.0.7 database. I therefore created a tablespace and then a user who defaults to this tablespace.

 

10gIRMServerInstallDBTableSpace.gif

The installation document specifies the rights required by the IRM database user.

Using Oracle, the rights required by the license server during installation are:
CREATE, UPDATE, ALTER and DROP TABLE and create and modify CONSTRAINTs
CREATE and DROP SEQUENCE
CREATE and DROP INDEX
CREATE and DROP PROCEDURE
CREATE and DROP FUNCTION
CREATE and DROP PACKAGE

In the 11g database it is sufficient for the install to give the user the RESOURCE role.

10gIRMServerInstallDBUser.gif

The schema itself will be created as part of the IRM server install.
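
The database preparation above, written out as SQL. This is an added example, not taken from the article or from the Oracle IRM install document: the tablespace name irm_data, the user irm_owner, the datafile name and the password placeholder are hypothetical, and it assumes the installer needs nothing beyond the rights listed above, which it grants individually instead of through the RESOURCE role.

```sql
-- Added example. All names are hypothetical; run as a DBA account.

-- Dedicated tablespace so the IRM schema is isolated and its growth is capped.
CREATE TABLESPACE irm_data
  DATAFILE 'irm_data01.dbf' SIZE 200M
  AUTOEXTEND ON NEXT 50M MAXSIZE 2G;

-- The account the IRM installer connects as through the ODBC data source.
-- The quota is limited to its own tablespace; in 11g, granting the RESOURCE
-- role would also hand the user the UNLIMITED TABLESPACE system privilege.
CREATE USER irm_owner IDENTIFIED BY "<choose-a-strong-password>"
  DEFAULT TABLESPACE irm_data
  QUOTA UNLIMITED ON irm_data;

-- Required to log in at all.
GRANT CREATE SESSION TO irm_owner;

-- Rights from the install document, mapped to Oracle system privileges.
-- A schema owner can always ALTER and DROP objects it created, so only
-- the CREATE privileges have to be granted.
GRANT CREATE TABLE     TO irm_owner;  -- tables, their constraints and indexes
GRANT CREATE SEQUENCE  TO irm_owner;  -- sequences
GRANT CREATE PROCEDURE TO irm_owner;  -- procedures, functions and packages

-- Review what the account actually holds before running the installer.
SELECT 'SYS PRIV' AS kind, privilege AS granted
  FROM dba_sys_privs
 WHERE grantee = 'IRM_OWNER'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee = 'IRM_OWNER'
 ORDER BY 1, 2;
```

If the installer reports insufficient privileges when it creates the schema, fall back to the RESOURCE role as described above.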

 

Getting the install files


Download the following zip file and extract to disk.

http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/content_management/IRM%2010gR3%2020090326%20LicenseServer%20and%20Standard%20Rights%20Model.zip

 

All the IRM software can be obtained via the Oracle Technology Network.

 

Oracle IRM server install files

 

 

Installing a 10g Oracle IRM server


Now that we have the OS and database ready, the final step is the IRM server itself. Double click on the MSI installer and you are presented with the following dialog.

 

 

Oracle IRM server install welcome dialog

 

Choose custom for the setup type, this will allow you to change the installation folder if you wish.

 

Oracle IRM server install setup type

 

By default custom will select all components, you can leave this in place. I switched my install location to C:\Oracle\IRMServer but the default is fine.

 

Oracle IRM server install custom setup

 

Choose Advanced for the wizard type, I rarely choose Standalone because I like to use Oracle for my database. The standalone option will create a database in either SQL Server or it will install the small MSDE components.

 

Oracle IRM server install database wizard type

 

Next we need to create the ODBC connection on the server. I've already installed the Oracle 11g client software and set up a TNS name pointing to my 11.1.0.7 Oracle database instance. I'm going to create the new ODBC connection from within the installer.

 

Oracle IRM server install data source selection

 

Clicking next will launch the relevant ODBC driver configuration dialog. In my case this is the Oracle ODBC Driver Configuration.

 

Oracle IRM server install ODBC configuration

 

I selected the TNS Service Name for my database and entered in the IRM user. Clicking OK took me back to the installation process asking for the following.

 

Oracle IRM server install database authentication

 

Here enter in the database username and password and hit next.

 

Oracle IRM server install database setup

 

The database name field isn't used with an Oracle database install. The prefix allows you to specify 3 letters that will prepend all new objects in the database. Useful if you are having to install against an existing schema.

 

Oracle IRM server install server details

 

The next dialog asks for a server name, sometimes this is referred to as the server's friendly name. It is a free text string for you to name the server whatever you wish. It gets used in the user interface so the user has a nice and easy to read name for the server. Instead of them being told they can't connect to irmsrv01.domain.com which doesn't mean anything to an end user, they get told they can't connect to the "ABC Corporation Information Rights Server" which is more understandable.

The other section of this dialog asks for a user name and password which will constitute the initial and only account in the server. It is the account that has total control over the server and must be managed appropriately.

 

Oracle IRM server install public interface

 

Now we get into the network settings of the server. First we need to enter in the fully qualified hostname to the IRM service for the public interface. This is a VERY important hostname, every single piece of content secured using Oracle IRM is going to have this hostname inserted into the content. It is how the content knows where to communicate when a user is attempting to gain access.

NEVER use an IP address. Even if you are building a test server, make changes to your hosts file rather than enter an IP in here. Because we prepared the IIS server to listen on a specific IP for port 80, we can now set up the IRM server to listen on a different IP with the same port. Port 80 is a very good choice and the default.

Most production IRM servers sit in the datacenter DMZ and are therefore accessible from the public internet. People are going to be accessing secured content from a wide variety of networks such as hotels, corporate networks, home systems, free WiFi connections etc. Using port 80 drastically reduces problems for client to server communication from this array of networks over which you will have no control. Clicking next takes us to the configuration for the private port.

 

Oracle IRM server install private interface

 

In my installation I am going to leave the default and let it use the same settings as my public port. It can however be very useful to have this interface listen on a different address. The difference between the public and private port is that all requests for authentication and access to content go via the public port, all traffic for administering the server goes via the private port.

This allows you to increase security by allowing the server to accept requests to open content from the public internet but only allow requests to add users, assign rights etc from people connected either to a physical corporate network or from a VPN into the corporate network. This dialog allows the server to listen on a different IP address and therefore be available to a different network segment. But I'm leaving this alone and just clicking on next.

 

Oracle IRM server install API interface

 

This is the final network setting, and it is for the API port. I won't go into any detail on this now, but it refers to the low level API and object model that is available in the server. Some low level configuration uses it. If you are building a production system I would advise disabling this port; you can easily enable it at a later date if needed. For a development environment I would leave this on.

 

Oracle IRM server install as service

 

Nearing the end of the installation tasks you can choose to install the server as a service. I would advise this and I've only needed to change the account the server is running as when it's communicating to an SQL database using NT auth or it is writing out log files to a location that the local service account has no rights to. Which brings us to the next two dialogs.

 

Oracle IRM server install log location
Oracle IRM server install audit location

 

There are two types of output, server logs and audit logs. Server logs contain information about clients connecting and server operations. Audit logs contain detailed information about people accessing content and making changes to rights on the server. Both of these logs are rolled every 24 hours by default. The defaults make sense: server logs are stored in text format so you can easily read them, and audit logs are stored in binary format so you can programmatically manipulate them. Leave them alone for now.

 

Oracle IRM server install ready to start...

 

And at last, hit install to run through the installation process. The installer then copies over files, creates registry keys, runs the SQL to create the database schema and then installs the server (if you asked it to) as a service and attempts to start it. It finishes with the following confirmation.

 

Oracle IRM server install complete

 

Hitting finish will launch an instance of the Oracle IRM Management Console which is a good way to test the validity of the installation.

 

Oracle IRM Management Console - add new server

 

Once the console has started, select "New Server" and enter in the hostname for your server. If it is running on port 80 you don't need to specify the port, if you have it running on another port use the notation "server.domain.com:portnumber" for example, irm.us.oracle.com:8001. Hit next and enter in the account details you specified during the installation.

 

Oracle IRM Management Console - server connection credentials



Once connected you should then be able to see the following aspects of the server. So that's it! A fully working Oracle IRM server, the next step is to install the Management Website and the Standard Rights Model which will be covered in another article.

If you installed the server as a service it will start automatically on boot, note that the database server must be available at this time. If you didn't install as a service you can run the IRM server in a visible console by following the program group in the Start Menu.
Oracle IRM Management Console - Connected to server

 

Comments:

Thank you for the article. I spent a lot of time trying to install the IRM server and the IRM Management Website on port 80 and had no success. But I easily solved this problem by installing the IRM server and the IRM Management Website on different ports. As far as I know, at this moment the official IRM documentation has no information about using the IRM Management Website. I hope that you will find time to cover this info in your future articles.

Posted by Evgeniy on August 11, 2009 at 03:54 PM PDT #

Hi Evgeniy. The management website is documented in two books: http://download-uk.oracle.com/docs/cd/E10316_01/IRM/MgtWebInstall.pdf and http://download-uk.oracle.com/docs/cd/E10316_01/IRM/Windows_Authentication_extension.pdf

Posted by martin abrahams on August 23, 2009 at 05:12 PM PDT #

Also, using different ports in a real deployment raises the issue of needing to worry about whether firewalls will allow the traffic to flow. If you follow the instructions to enable both the IRM Server and its website to listen on port 80, then you can expect that firewalls will already allow the traffic.

Posted by martin abrahams on August 23, 2009 at 05:15 PM PDT #
