Thursday Dec 22, 2011

SOA in a Windows World

Installing BPM Suite on Windows Server 2008 Domain Controller under VirtualBox

It seems I am working with a number of customers for whom Windows is an important part of their infrastructure.  Security is tied in with Windows Active Directory and many services are hosted using Windows Communication Framework.  To better understand these customers environment I got myself a Windows 2008 server license and decided to install BPM Suite on a Windows 2008 Server running as a domain controller.  This entry outlines the process I used to get it to work.

The Environment

I didn’t want to dedicate a physical server to running Windows Server so I installed it under Oracle Virtual Box.

My target environment was Windows 2008 Server with Active Directory and DNS roles.  This would give me access to the Microsoft security infrastructure and I could use this to make sure I understood how to properly integrate WebLogic and SOA Suite security with Windows security.  I wanted to run Oracle under a non-Administrator account, as this is often the way I have to operate on customer sites.  This was my first challenge.  For very good security reasons the only accounts allowed to log on to a Windows Domain controller are domain administrator accounts.  Now I only had resources (and licenses) for a single Windows server so I had to persuade Windows to let me log on with a non-Domain Admin account.

Logging On with  a non-Domain Admin Account

I found this very helpful blog entry on how to log on using a non-domain account - Allow Interactive Logon to Domain Controllers in Windows Server 2008.  The key steps from this post are as follows:

  • Create a non-Admin user – I created one called “oracle”.
  • Edit the “Default Domain Controllers” group policy to add the user “oracle” to the “Allow log on locally” policy in Computer Configuration > Policies > Windows Settings >Security Settings > Local Policies > User Rights Assignment:
  • Force a policy update.

If you didn’t get it right then you will get the following error when trying to logon "You cannot log on because the logon method you are using is not allowed on this computer".  This means that you correctly created the user but the policy has not been modified correctly.

Acquiring Software

The best way to acquire the software needed is to go to the BPM download page.  If you choose the Microsoft Windows 32bit JVM option you can get a list of all the required components and a link to download them directly from OTN.  The only download link I didn’t use was the database download because I opted for an 11.2 database rather than the XE link that is given.  The only additional software I added was the 11.1.1.5 BPM feature pack (obtain from Oracle Support as patch #12413651: 11.1.1.5.0 BPM FEATURES PACK) and the OSB software.  The BPM feature pack patch is applied with OPatch so I also downloaded the latest OPatch from Oracle support (patch 6880880 for 11.1.0.x releases on Windows 32-bit).

Installing Oracle Database

I began by setting the system environment variable ORACLE_HOSTNAME to be the hostname of the my Windows machine.  I also added this hostname to the hosts file, mapping it to 127.0.0.1.  When launching the installer as a non-Administrator account you will be asked for Administrator credentials in order to install.

Gotcha with Virtual Box Paths

I mounted the install software as a VirtualBox shared Folder and told it to auto-mount.  Unfortunately this auto-mount in Windows only applied to the current user, so when the software tried to run as administrator it couldn’t find the path.  The solution to this was to launch the installer using a UNC path “\\vboxsrv\<SHARE_NAME>\<PATH_TO_INSTALL_FILES>” because the mount point is available to all users, but the auto-mapping is only done at login time for the current user.

Database Install Options

When installing the database I made the following choices to make life easier later, in particular I made sure that I had a UTF-8 character set as recommended for SOA Suite.

  • Declined Security Updates (this is not a production machine)
  • Created and Configured a Database during install
  • Chose Server Class database to get character set options later
  • Chose single instance database installation
  • Chose advanced install to get character set options later
  • Chose English as my language
  • Chose Enterprise Edition
    • Included Oracle Data Extensions for .NET
  • Set Oracle Base as C:\app\oracle
  • Selected General Purpose/Transaction Processing
  • Changed default database name
  • Configuration Options
    • Accepted default memory management settings
    • Change character set to be AL32UTF8 as required by SOA Suite
    • Unselected “Assert all new security settings” to relax security as this is not a production system
    • Chose to create sample schemas
  • Used database control for database management
  • Use file system for database storage
  • Didn’t enable automated backups (that is what Virtual Box snapshots are for)
  • Used same non-compliant password for all accounts

I set up the environment variable ORACLE_UNQNAME to be the database name, this is provided on the last screen of the Oracle database Configuration Assistant.

Configuring for Virtual Box

Because Virtual Box port forwarding settings are global I changed the DB console listen port (from 1158 using emca) and the database listener port (from 1521 using EM console) before setting up port forwarding for virtual box to the new ports.  This required me to re-register the database with the listener and to reconfigure EM.

Firewall Restrictions

After changing my ports I had a final task to do before snapshotting my image, I had add a new Windows Firewall rule to open up database ports (EM & listener).

Installing WebLogic Server

With a working database I was now able to install WebLogic Server.  I decided to do a 32-bit install to simplify the process (no need for a separate JDK install).  As this was intended to be an all in one machine (developer and server) I accepted the Coherence (needed for SOA Suite) and OEPE (needed for OSB design time tooling) options.  After installing I set the oracle user to have full access permissions on the Middleware home I created in C:\app\oracle\product\FMW.

Installing SOA/BPM Suite

Because I was using a 32-bit JVM I had to provide the “–jreLoc” option to the setup.exe command in order to run the SOA Suite installer (see release notes).  The installer correctly found my Middleware Home and installed the SOA/BPM Suite.  After installing I set the oracle user to have full access to the new SOA home created in C:\app\oracle\product\FMW\Oracle_SOA and the Oracle common directory (C:\app\oracle\product\FMW\oracle_common).

Running Repository Creation Utility

I ran the RCU from my host OS rather than from within the Windows guest OS.  This helps avoid any unnecessary temporary files being created in the virtual machine.  I selected the SOA and BPM Infrastructure component and left the prefix at the default DEV.  Using DEV makes life easier when you come to create a SOA/BPM doamin because you don’t need to change the username in the domain config wizard.  Because this isn’t a production environment I also set all the passwords to be the same, again this will simplify things in the config wizard.

Adding BPM Feature Pack

With SOA installed I updated it to include the BPM feature pack.

Installing OPatch Update

First I needed to apply patch 6880880 to get the latest OPatch.  The patch can be applied to any Oracle home and I chose to apply it to the oracle_common home, it seemed to make more sense there rather than the Oracle_SOA home.  To apply the patch I moved the original OPatch directory to OPatch.orig and then unzipped the patch in the oracle_common directory which created a new OPatch directory for me.  Before applying the feature set patch I opened a command prompt and set the ORACLE_HOME environment variable to the Oracle_SOA home and added the new OPatch directory to the path.  I then tested the new OPatch by running the command “opatch lsinventory” which showed me the SOA Suite install version.

Fixing a Path Problem

OPatch uses  setupCCR.exe which has a dependency on msvc71.dll.  Unfortunately this DLL is not on the path so by default the call to setupCCR fails with an error “This application failed to start because MSVCR71.dll was not found”.  To fix this I found a helpful blog entry that led me to create a new key in the registry at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsfot\Windows\CurrentVersion\App Paths\setupCCR.exe” with the default value set to “<MW_HOME>\utils\ccr\bin\setupCCR.exe”.  I added a String value to this key with a name of “Path” and a value of “<Oracle_Common_Home>\oui\lib\win32”.  This registers the setupCCR application with Windows and adds a custom path entry for this application so that it can find the MSVCR71 DLL.

Patching oracle_common Home

I then applied the BPM feature pack patch to oracle_common by

  • Setting ORACLE_HOME environment variable to the oracle_common directory
  • Creating a temporary directory “PATCH_TOP”
  • Unzipping the following files from the patch into PATCH_TOP
    • p12413651_ORACOMMON_111150_Generic.zip
    • p12319055_111150_Generic.zip
    • p12614083_111150_Generic.zip
  • From the PATCH_TOP directory run the command “<Oracle_Common_Home>\OPatch\opatch napply”
    • Note I didn’t provide the inventory pointer parameter (invPtrLoc) because I had a global inventory that was found just fine by OPatch and I didn’t have a local inventory as the patch readme seems to expect.
  • Deleting the PATCH_TOP directory

After successful completion of this “opatch lsinventory” showed that 3 patches had been applied to the oracle_common home.

Patching Oracle_SOA Home

I applied the BPM feature pack patch to Oracle_SOA by

  • Setting ORACLE_HOME environment variable to the Oracle_SOA directory
  • Creating a temporary directory “PATCH_TOP”
  • Unzipping the following file from the patch into PATCH_TOP
    • p12413651_SOA_111150_Generic.zip
  • From the PATCH_TOP directory run the command “<Oracle_Common_Home>\OPatch\opatch napply”
    • Note again I didn’t provide the inventory pointer parameter (invPtrLoc) because I had a global inventory that was found just fine by OPatch and I didn’t have a local inventory as the patch readme seems to expect.
  • Deleting the PATCH_TOP directory

After successful completion of this “opatch lsinventory” showed that 1 patch had been applied to the Oracle_SOA home.

Updating the Database Schemas

    Having updated the software I needed to update the database schemas which I did as follows:

    • Setting ORACLE_HOME environment variable to the Oracle_SOA directory
    • Setting Java_HOME to <MW_HOME>\jdk160_24
    • Running “psa -dbType Oracle -dbConnectString  //<DBHostname>:<ListenerPort>/<DBServiceName> -dbaUserName sys –schemaUserName DEV_SOAINFRA
      • Note that again I elided the invLocPtr parameter

    Because I had not yet created a domain I didn’t have to follow the post installation steps outlined in the Post-Installation Instructions.

    Creating a BPM Development Domain

    I wanted to create a development domain.  So I ran config from <Oracle_Common_Home>\common\bin selecting the following:

    • Create a New Domain
    • Domain Sources
      • Oracle BPM Suite for developers – 11.1.1.0
        • This will give me an Admin server with BPM deployed in it.
      • Oracle Enterprise Manager – 11.1.1.0
      • Oracle Business Activity Monitoring – 11.1.1.0
        • Adds a managed BAM server.
    • I changed the domain name and set the location of the domains and applications directories to be under C:\app\oracle\MWConfig
      • This removes the domain config from the user_projects directory and keeps it separate from the installed software.
    • Chose Development Mode and Sun JDK rather than JRockit
    • Selected all Schema and set password, service name, host name and port.
      • Note when testing the test for SOA Infra will fail because it is looking for version 11.1.1.5.0 but the BPM feature pack incremented it to 11.1.1.5.1.  If the reason for the failure is “no rows were returned from the test SQL statement” then you can continue and select OK when warned that “The JDBC configuration test did not fully complete”.  This is covered in Oracle Support note 1386179.1.
    • Selected Optional Configuration for Administration Server and Managed Servers so that I could change the listening ports.
      • Set Admin Server Listen port to 7011 to avoid clashes with other Admin Servers in other guest OS.
      • Set bam_server Listen port to 9011 to avoid clashes with other managed servers in other guest OS.
      • Changed the name of the LocalMachine to reflect hostname of machine I was installing on.
      • Changed the node manager listen port to 5566 to avoid clashes with other Node Managers in other guest OS.

    Having created my domain I then created a boot.properties file for the bam_server.

    Configuring Node Manager

    With the domain created I set up Node Manager to use start scripts by running setNMProps.cmd from <oracle_common>\common\bin.

    I then edited the <MW_Home>\wlserver_10.3\common\nodemanager\nodemanager.properties file and added the following property:

    • ListenPort=5566

    Firewall Policy Updates

    I had to add the Admin Server, BAM Server and Node Manager ports to the Windows firewall policy to allow access to those ports from outside the Windows server.

    Set Node Manager to Start as a Windows Service

    I wanted node manager to automatically run on the machine as a Windows service so I first edited the <MW_HOME>\wlserver_10.3\server\bin\installNodeMgrSvc.cmd and changed the port to 5566.  Then I ran the command as Administrator to register the service.  The service is automatically registered for automatic startup.

    Set Admin Server to Start as a Windows Service

    I also wanted the Admin Server to run as a Windows service.  There is a blog entry about how to do this using the installSvc command but I found it much easier to use NSSM. To use this I did the following:

    • Downloaded NSSM and put the 64-bit version in my MWConfig directory.
      • Once you start using NSSM the Services you create will point to the location from which you ran NSSM so don’t move it after installing a service!
    • Created a simple script to start the admin server and redirect its standard out and standard error to a log file (I redirected to the “%DOMAIN_HOME%\servers\AdminServer\logs\AdminServer.out” because this is the location that would be used if the AdminServer were started by the node manager.

        @REM Point to Domain Directory
        set DOMAIN_HOME=C:\app\oracle\MWConfig\domains\bp_domain
        @REM Point to Admin Server logs directory
        set LOGS_DIR=%DOMAIN_HOME%\servers\AdminServer\logs
        @REM Redirect WebLogic stdout and stderr
        set JAVA_OPTIONS=-Dweblogic.Stdout="%LOGS_DIR%\AdminServer.out" -Dweblogic.Stderr="%LOGS_DIR%\AdminServer.out"
        @REM Start Admin Server
        call %DOMAIN_HOME%\startWebLogic.cmd

    • Registered the script as a Windows service using NSSM
      • nssm install “Oracle WebLogic AdminServer” “C:\app\oracle\MWConfig\startAdminServer.cmd”

    Note that when you redirect WebLogic stdout and stderr as I have done it does not get the first few lines of output, so test your script from the command line before registering it as a service.

    By default the AdminServer will be restarted if it fails, allowing you to bounce the Admin Server without having to log on to the Windows machine.

    Configuring for Virtual Box

    Having created the domain and configured Node Manager I enabled port forwarding in VirtualBox to expose the Admin Server (port 7011), BAM Server (port 9011) and the Node Manager (port 5566).

    Testing It

    All that is left is to start the node manager as a service, start the Admin server as a service, start the BAM server from the WebLogic console and make sure that things work as expected.  In this case all seemed fine.  When I shut down the machine and then restarted everything came up as expected!

    Conclusion

    The steps above create a SOA/BPM installation running under Windows Server 2008 that is automatically started when Windows Server starts.  The log files can be accessed and read by a non-admin user so the status of the environment can be checked.  Additional managed servers can be started from the Admin console because we have node manager installed.  The database, database listener, database control, node manager and Admin Server all start up as Windows services when the server is started avoiding the need for an Administrator to start them.

    About

    Musings on Fusion Middleware and SOA Picture of Antony Antony works with customers across the US and Canada in implementing SOA and other Fusion Middleware solutions. Antony is the co-author of the SOA Suite 11g Developers Cookbook, the SOA Suite 11g Developers Guide and the SOA Suite Developers Guide.

    Search

    Archives
    « April 2014
    SunMonTueWedThuFriSat
      
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
       
           
    Today