20.8 Reassociating WebLogic Server with LDAP

After installing and configuring Oracle Authorization Policy Manager, you must reassociate Oracle WebLogic Server with LDAP as follows:

  1. Ensure that the WebLogic Administration Server is up and running. For information about starting the WebLogic Administration Server, see Starting or Stopping the Oracle Stack.

  2. Use an LDAP browser or client, such as JXplorer, to add a new node on the LDAP server. This node becomes the root (jpsroot) under which Oracle WebLogic Server's policy and credential data is stored after reassociation:

    1. On the File menu in your LDAP browser, click Connect to connect to your LDAP server. The Open LDAP/DSML Connection screen appears.

      Figure 20-1 Connecting to an LDAP Server
    2. In the Host text box, enter the host name of your LDAP server.

    3. In the Port text box, enter the port number.

    4. On the Level drop-down list, choose the User + Password option.

    5. In the User DN text box, enter the distinguished name of the directory account to bind as (for example, the directory administrator).

    6. In the Password text box, enter the password. Click OK. If the connection is successful, a list of entries in the Directory Information Tree is displayed in the left navigation pane.

    7. Select the parent entry. From the Edit menu, choose New. The Set Entry Object Classes screen appears.

    8. Select the Suggest Classes check box if you want to view the compulsory object classes for the new entry.

    9. Verify that the Distinguished Name of the parent entry in the Parent DN text box is correct.

    10. In the Enter RDN text box, enter the Relative Distinguished Name of the new entry. For example, to add apm_test_name to the new entry, enter cn=apm_test_name. JXplorer displays the compulsory object classes for the new entry in the Selected Classes pane. Click OK.

    11. If the information about the new entry is correct, click Submit.

  3. Change the association of Oracle WebLogic Server to the new node by using WebLogic Scripting Tool (WLST) or Enterprise Manager:

    Using WLST

    1. At the command prompt, change your present working directory to the <Middleware_Home>/oracle_common/common/bin directory.

    2. Run the wlst.sh script.

    3. At the WLS prompt, use the WLST command reassociateSecurityStore as follows:

      wls> reassociateSecurityStore(domain="domainName", admin="cnSpecification", password="passWord", ldapurl="hostAndPort", servertype="ldapSrvrType", jpsroot="cnSpecification" [,join="trueOrfalse"])


      Argument    Description
      domain      Specifies the name of the domain where the reassociation occurs.
      admin       Specifies the user name of the administrator on the LDAP server. The format is cn=usrName.
      password    Specifies the password for the administrator on the LDAP server.
      ldapurl     Specifies the Uniform Resource Identifier (URI) of the LDAP server. The format is ldap://host:port, or ldaps://host:port for a TLS-protected connection.
      servertype  Specifies the type of the target LDAP server. The only valid types are OID (Oracle Internet Directory) and OVD (Oracle Virtual Directory).
      jpsroot     Specifies the root node in the target LDAP repository under which all data is migrated. The format is cn=nodeName.
      join        Optional. Specifies whether the domain shares a policy store specified in another domain. Set it to true when an existing policy store in another domain is shared, and to false otherwise. Using this argument allows multiple WebLogic domains to point to the same logical policy store.

      Example Usage

      reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldap(s)://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")

      Here ldap(s):// stands for either ldap:// or ldaps://. Prefer ldaps:// (with the directory's SSL port rather than the non-SSL port 3060), because the command sends the LDAP administrator password and then migrates the credential store over this connection. Note also that the password is passed in cleartext as a command argument, so protect any script that contains it and avoid leaving it in shell or WLST history.

      If you want a domain other than myDomain, such as yourDomain, to share the policy store in myDomain, then you must run the command with join set to true:

      reassociateSecurityStore(domain="yourDomain", admin="cn=adminName", password="myPass", ldapurl="ldap(s)://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")

    Using Enterprise Manager

    1. Log in to Oracle Enterprise Manager.

    2. Navigate to your WebLogic domain.

    3. Right-click and choose Security > Security Provider Configuration.

    4. Click Change Association.

    5. On the Set Security Provider page, in the LDAP Server Details section, select the LDAP server type and enter the host name, port number, the DN of the user to connect as, and that user's password.

    6. In the LDAP Root Node Details section, enter a distinguished name for the JPS root.

    7. Select the Create New Domain option if you want to create a new policy and credential domain on LDAP. To join an existing domain instead, leave the Create New Domain option unselected.

    8. In the Domain Name text box, enter a name for the domain.

    9. Click OK.


After the reassociation, the CredentialStore, SystemPolicy and apm subtrees are migrated under the jpsroot node. You can verify that they are present through an LDAP management tool, such as JXplorer.
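The WLST alternative in step 3 above is shown interactively; the script below is an added example (not part of the Oracle documentation) of running the same reassociateSecurityStore call non-interactively with `wlst.sh reassociate_apm.py`. It validates the arguments against the formats the table gives (cn= DNs, ldap:// or ldaps:// URL with a port, OID or OVD server type), reads the LDAP administrator password from an environment variable so it does not sit on the command line or in WLST history, and warns when the URL is not ldaps://. The domain name, host, port 3131, node name and the environment variable name APM_LDAP_PASSWORD are placeholders chosen for this example; the validation helpers are plain Python and only main() needs the WLST built-ins.

```python
# Added example, not Oracle's code. Run under WLST as:
#   export APM_LDAP_PASSWORD='...'   # LDAP admin password (env var name chosen here)
#   ./wlst.sh reassociate_apm.py
# from <Middleware_Home>/oracle_common/common/bin. Written to run on the
# Jython shipped with WLST as well as on CPython 2/3 (no f-strings, no rsplit).
import os
import sys

VALID_SERVER_TYPES = ("OID", "OVD")   # the only two types the doc allows


def check_dn(value, what):
    """admin and jpsroot must be given as cn=<name>; reject anything else."""
    if not value.lower().startswith("cn=") or len(value) <= 3:
        raise ValueError("%s must be of the form cn=<name>, got %r" % (what, value))
    return value


def check_ldapurl(url):
    """Accept ldap://host:port or ldaps://host:port and return (scheme, host, port).

    A malformed value such as 'ldap//:host:port' is rejected here rather than
    failing later inside WLST with a less specific error."""
    for scheme in ("ldaps", "ldap"):
        prefix = scheme + "://"
        if url.startswith(prefix):
            hostport = url[len(prefix):]
            i = hostport.rfind(":")
            if i < 0:
                raise ValueError("ldapurl needs an explicit port: %r" % url)
            host, port = hostport[:i], hostport[i + 1:]
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                raise ValueError("bad host or port in ldapurl: %r" % url)
            return scheme, host, int(port)
    raise ValueError("ldapurl must start with ldap:// or ldaps://, got %r" % url)


def build_args(domain, admin, password, ldapurl, servertype, jpsroot, join=False):
    """Validate every argument and return the keyword dict for reassociateSecurityStore."""
    if not domain:
        raise ValueError("domain is required")
    if not password:
        raise ValueError("password is empty; set APM_LDAP_PASSWORD")
    if servertype not in VALID_SERVER_TYPES:
        raise ValueError("servertype must be one of %s" % (VALID_SERVER_TYPES,))
    check_ldapurl(ldapurl)
    args = {
        "domain": domain,
        "admin": check_dn(admin, "admin"),
        "password": password,
        "ldapurl": ldapurl,
        "servertype": servertype,
        "jpsroot": check_dn(jpsroot, "jpsroot"),
    }
    if join:
        args["join"] = "true"   # share a policy store already created by another domain
    return args


def warn_if_plaintext(ldapurl):
    """The admin password and the migrated CredentialStore cross this connection;
    return a warning string when the URL is not TLS-protected, else ''."""
    scheme = check_ldapurl(ldapurl)[0]
    if scheme == "ldap":
        return ("WARNING: %s is not ldaps; the LDAP admin password and the "
                "credential store are sent in cleartext" % ldapurl)
    return ""


def main():
    # Placeholder values for this example; 3131 is used here as the directory's SSL port.
    args = build_args(
        domain="myDomain",
        admin="cn=adminName",
        password=os.environ.get("APM_LDAP_PASSWORD", ""),
        ldapurl="ldaps://myhost.example.com:3131",
        servertype="OID",
        jpsroot="cn=testNode",
        join=False,
    )
    msg = warn_if_plaintext(args["ldapurl"])
    if msg:
        sys.stderr.write(msg + "\n")
    # connect(), reassociateSecurityStore() and disconnect() are WLST built-ins,
    # present only when this script runs under wlst.sh. connect() with no
    # arguments prompts for the WebLogic admin credentials and URL.
    connect()
    reassociateSecurityStore(**args)
    disconnect()


if __name__ == "__main__":
    main()
```

To have a second domain join the store created above, call build_args with join=True and that domain's name; the validators are the same.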