It seems I am working with a number of customers for whom Windows is an important part of their infrastructure. Security is tied in with Windows Active Directory and many services are hosted using Windows Communication Framework. To better understand these customers environment I got myself a Windows 2008 server license and decided to install BPM Suite on a Windows 2008 Server running as a domain controller. This entry outlines the process I used to get it to work.
I didn’t want to dedicate a physical server to running Windows Server so I installed it under Oracle Virtual Box.
My target environment was Windows 2008 Server with Active Directory and DNS roles. This would give me access to the Microsoft security infrastructure and I could use this to make sure I understood how to properly integrate WebLogic and SOA Suite security with Windows security. I wanted to run Oracle under a non-Administrator account, as this is often the way I have to operate on customer sites. This was my first challenge. For very good security reasons the only accounts allowed to log on to a Windows Domain controller are domain administrator accounts. Now I only had resources (and licenses) for a single Windows server so I had to persuade Windows to let me log on with a non-Domain Admin account.
I found this very helpful blog entry on how to log on using a non-domain account - Allow Interactive Logon to Domain Controllers in Windows Server 2008. The key steps from this post are as follows:
If you didn’t get it right then you will get the following error when trying to logon "You cannot log on because the logon method you are using is not allowed on this computer". This means that you correctly created the user but the policy has not been modified correctly.
The best way to acquire the software needed is to go to the BPM download page. If you choose the Microsoft Windows 32bit JVM option you can get a list of all the required components and a link to download them directly from OTN. The only download link I didn’t use was the database download because I opted for an 11.2 database rather than the XE link that is given. The only additional software I added was the 18.104.22.168 BPM feature pack (obtain from Oracle Support as patch #12413651: 22.214.171.124.0 BPM FEATURES PACK) and the OSB software. The BPM feature pack patch is applied with OPatch so I also downloaded the latest OPatch from Oracle support (patch 6880880 for 11.1.0.x releases on Windows 32-bit).
I began by setting the system environment variable ORACLE_HOSTNAME to be the hostname of the my Windows machine. I also added this hostname to the hosts file, mapping it to 127.0.0.1. When launching the installer as a non-Administrator account you will be asked for Administrator credentials in order to install.
I mounted the install software as a VirtualBox shared Folder and told it to auto-mount. Unfortunately this auto-mount in Windows only applied to the current user, so when the software tried to run as administrator it couldn’t find the path. The solution to this was to launch the installer using a UNC path “\\vboxsrv\<SHARE_NAME>\<PATH_TO_INSTALL_FILES>” because the mount point is available to all users, but the auto-mapping is only done at login time for the current user.
When installing the database I made the following choices to make life easier later, in particular I made sure that I had a UTF-8 character set as recommended for SOA Suite.
I set up the environment variable ORACLE_UNQNAME to be the database name, this is provided on the last screen of the Oracle database Configuration Assistant.
Because Virtual Box port forwarding settings are global I changed the DB console listen port (from 1158 using emca) and the database listener port (from 1521 using EM console) before setting up port forwarding for virtual box to the new ports. This required me to re-register the database with the listener and to reconfigure EM.
After changing my ports I had a final task to do before snapshotting my image, I had add a new Windows Firewall rule to open up database ports (EM & listener).
With a working database I was now able to install WebLogic Server. I decided to do a 32-bit install to simplify the process (no need for a separate JDK install). As this was intended to be an all in one machine (developer and server) I accepted the Coherence (needed for SOA Suite) and OEPE (needed for OSB design time tooling) options. After installing I set the oracle user to have full access permissions on the Middleware home I created in C:\app\oracle\product\FMW.
Because I was using a 32-bit JVM I had to provide the “–jreLoc” option to the setup.exe command in order to run the SOA Suite installer (see release notes). The installer correctly found my Middleware Home and installed the SOA/BPM Suite. After installing I set the oracle user to have full access to the new SOA home created in C:\app\oracle\product\FMW\Oracle_SOA and the Oracle common directory (C:\app\oracle\product\FMW\oracle_common).
I ran the RCU from my host OS rather than from within the Windows guest OS. This helps avoid any unnecessary temporary files being created in the virtual machine. I selected the SOA and BPM Infrastructure component and left the prefix at the default DEV. Using DEV makes life easier when you come to create a SOA/BPM doamin because you don’t need to change the username in the domain config wizard. Because this isn’t a production environment I also set all the passwords to be the same, again this will simplify things in the config wizard.
With SOA installed I updated it to include the BPM feature pack.
First I needed to apply patch 6880880 to get the latest OPatch. The patch can be applied to any Oracle home and I chose to apply it to the oracle_common home, it seemed to make more sense there rather than the Oracle_SOA home. To apply the patch I moved the original OPatch directory to OPatch.orig and then unzipped the patch in the oracle_common directory which created a new OPatch directory for me. Before applying the feature set patch I opened a command prompt and set the ORACLE_HOME environment variable to the Oracle_SOA home and added the new OPatch directory to the path. I then tested the new OPatch by running the command “opatch lsinventory” which showed me the SOA Suite install version.
OPatch uses setupCCR.exe which has a dependency on msvc71.dll. Unfortunately this DLL is not on the path so by default the call to setupCCR fails with an error “This application failed to start because MSVCR71.dll was not found”. To fix this I found a helpful blog entry that led me to create a new key in the registry at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsfot\Windows\CurrentVersion\App Paths\setupCCR.exe” with the default value set to “<MW_HOME>\utils\ccr\bin\setupCCR.exe”. I added a String value to this key with a name of “Path” and a value of “<Oracle_Common_Home>\oui\lib\win32”. This registers the setupCCR application with Windows and adds a custom path entry for this application so that it can find the MSVCR71 DLL.
I then applied the BPM feature pack patch to oracle_common by
After successful completion of this “opatch lsinventory” showed that 3 patches had been applied to the oracle_common home.
I applied the BPM feature pack patch to Oracle_SOA by
After successful completion of this “opatch lsinventory” showed that 1 patch had been applied to the Oracle_SOA home.
Having updated the software I needed to update the database schemas which I did as follows:
Because I had not yet created a domain I didn’t have to follow the post installation steps outlined in the Post-Installation Instructions.
I wanted to create a development domain. So I ran config from <Oracle_Common_Home>\common\bin selecting the following:
Having created my domain I then created a boot.properties file for the bam_server.
With the domain created I set up Node Manager to use start scripts by running setNMProps.cmd from <oracle_common>\common\bin.
I then edited the <MW_Home>\wlserver_10.3\common\nodemanager\nodemanager.properties file and added the following property:
I had to add the Admin Server, BAM Server and Node Manager ports to the Windows firewall policy to allow access to those ports from outside the Windows server.
I wanted node manager to automatically run on the machine as a Windows service so I first edited the <MW_HOME>\wlserver_10.3\server\bin\installNodeMgrSvc.cmd and changed the port to 5566. Then I ran the command as Administrator to register the service. The service is automatically registered for automatic startup.
I also wanted the Admin Server to run as a Windows service. There is a blog entry about how to do this using the installSvc command but I found it much easier to use NSSM. To use this I did the following:
@REM Point to Domain Directory
@REM Point to Admin Server logs directory
@REM Redirect WebLogic stdout and stderr
set JAVA_OPTIONS=-Dweblogic.Stdout="%LOGS_DIR%\AdminServer.out" -Dweblogic.Stderr="%LOGS_DIR%\AdminServer.out"
@REM Start Admin Server
Note that when you redirect WebLogic stdout and stderr as I have done it does not get the first few lines of output, so test your script from the command line before registering it as a service.
By default the AdminServer will be restarted if it fails, allowing you to bounce the Admin Server without having to log on to the Windows machine.
Having created the domain and configured Node Manager I enabled port forwarding in VirtualBox to expose the Admin Server (port 7011), BAM Server (port 9011) and the Node Manager (port 5566).
All that is left is to start the node manager as a service, start the Admin server as a service, start the BAM server from the WebLogic console and make sure that things work as expected. In this case all seemed fine. When I shut down the machine and then restarted everything came up as expected!
The steps above create a SOA/BPM installation running under Windows Server 2008 that is automatically started when Windows Server starts. The log files can be accessed and read by a non-admin user so the status of the environment can be checked. Additional managed servers can be started from the Admin console because we have node manager installed. The database, database listener, database control, node manager and Admin Server all start up as Windows services when the server is started avoiding the need for an Administrator to start them.