8 Getting Started with Administering Oracle Virtual Directory

Oracle Virtual Directory can be administered from both a graphical user interface and a command-line interface. This chapter describes those Oracle Virtual Directory management interfaces, and explains how to start and stop Oracle Virtual Directory.

Note:

This chapter assumes you have installed and configured Oracle Virtual Directory as described in: Oracle Fusion Middleware Quick Installation Guide for Oracle Identity Management.

This chapter includes the following topics:

8.1 Getting Started After Installing 11g Release 1 (11.1.1)

After installing 11g Release 1 (11.1.1), Oracle recommends:

  • Reviewing Appendix A, "Comparing Oracle Virtual Directory 11g Release 1 (11.1.1) and 10g Releases (10.1.4.x)" to understand how fundamental items in Oracle Virtual Directory are implemented in 11g Release 1 (11.1.1) compared to legacy Oracle Virtual Directory 10g Releases (10.1.4.x).

  • Reviewing Appendix B, "Starting and Stopping the Oracle Stack" to understand how to start and stop the components of the Oracle stack in 11g Release 1 (11.1.1).

  • Reviewing Table 8-1 to understand the default URLs for various interfaces that you can use to manage Oracle Virtual Directory in 11g Release 1 (11.1.1):

    Table 8-1 Default URLs for Management Interfaces

    Interface                                        Default URL
    Oracle Directory Services Manager                http://host:7005/odsm/
    Fusion Middleware Control                        http://host:7001/em/
    Oracle WebLogic Server Administrative Console    http://host:7001/console/


  • Reviewing Table 8-2 to understand various default ports for Oracle Virtual Directory in 11g Release 1 (11.1.1):

    Table 8-2 Default Ports

    Port Type             Default Port
    LDAP                  6501
    LDAPS                 7501
    Admin Port (HTTPS)    8899


  • Reviewing Table 8-3 to understand various environment variables for Oracle Virtual Directory 11g Release 1 (11.1.1):

    Table 8-3 Environment Variables

    Variable           Description
    ORACLE_HOME        The location of non-writable files in your Oracle Identity Management installation.
    ORACLE_INSTANCE    The location of writable files in your Oracle Identity Management installation.
    PATH               Add the following directory locations to your PATH:
                       • $ORACLE_HOME/bin
                       • $ORACLE_HOME/ldap/bin
                       • $ORACLE_INSTANCE/bin


8.2 Basic Tasks for Configuring and Managing Oracle Virtual Directory

The following provides an overview of the steps commonly used to configure and manage a basic Oracle Virtual Directory environment:

  1. Configure Oracle Virtual Directory server by customizing its settings to be specific to your environment. For more information, refer to:

  2. Create and configure adapters for the target data repositories. For more information, refer to:

  3. Configure plug-ins for your environment. For more information, refer to:

  4. Configure Access Control Lists for Oracle Virtual Directory. For more information, refer to:

8.3 Getting Started With Oracle Directory Services Manager

This topic explains how to set up the Oracle Directory Services Manager interface for use with Oracle Virtual Directory and contains the following sections:

8.3.1 Understanding Oracle Directory Services Manager

Oracle Directory Services Manager is the unified browser-based graphical user interface (GUI) for Oracle Virtual Directory and Oracle Internet Directory. Oracle Directory Services Manager simplifies the administration and configuration of Oracle Virtual Directory and Oracle Internet Directory by allowing you to use web-based forms and templates.

Notes:

Only users with Oracle Directory Services Manager Administrator access (usually cn=orcladmin) can log in to Oracle Directory Services Manager.

8.3.1.1 Supported Browsers

For information about supported browsers for Fusion Middleware Control and Oracle Directory Services Manager, refer to the Oracle JDeveloper and Application Development Framework 11g Certification and Support Matrix at:

http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls

8.3.1.2 Using the JAWS Screen Reader with Oracle Directory Services Manager

When you use JAWS with Oracle Directory Services Manager, and a new window pops up, JAWS reads "popup." To read the entire page, enter the keystrokes Insert+b.

8.3.1.3 Understanding Single Sign-On Integration with Oracle Directory Services Manager

You can configure Oracle Directory Services Manager to use Single Sign-On (SSO). When configured with SSO, Oracle Directory Services Manager allows a user who has been authenticated by the SSO server to connect to an SSO-enabled directory without logging in, provided that user has privileges to manage the directory.

Oracle Directory Services Manager maintains a list of Oracle Virtual Directory servers that SSO-authenticated users can manage. To validate whether an SSO-authenticated user has the required privileges to manage Oracle Virtual Directory, Oracle Directory Services Manager maps the SSO-authenticated user to a DN in the Oracle Virtual Directory server.

Oracle Directory Services Manager uses proxy authentication to connect to the directory. The proxy user's DN and password are stored in a secure storage framework called the Credential Store Framework (CSF).

To map an SSO-authenticated user, Oracle Directory Services Manager authenticates to the Oracle Virtual Directory server using the credentials of a user with proxy privileges. Oracle Directory Services Manager then tries to map the SSO-authenticated user's unique identifier to the Oracle Virtual Directory user's unique identifier.

The WLS Administrator configures the proxy user's credentials, unique identifier attribute, and the base DN under which Oracle Directory Services Manager searches for the user, which are stored in the CSF. If Oracle Directory Services Manager gets a valid DN, it maps the SSO-authenticated user to that DN. When the SSO-authenticated user is mapped to a valid DN, Oracle Directory Services Manager uses proxy authentication to connect to the Oracle Virtual Directory server with the SSO-authenticated user's mapped DN.

Note:

SSO-authenticated users must be members of the Oracle Virtual Directory's admin group to manage Oracle Virtual Directory. Even with a valid DN, users cannot manage Oracle Virtual Directory unless they are in the admin group.

The container DN under which Oracle Directory Services Manager searches for a user's DN can be from any adapter configured in Oracle Virtual Directory.

You configure the proxy identity, look-up attribute, user container, and other information by using the Oracle Directory Services Manager Proxy Bind Configuration Screen as described in Configuring SSO Integration.

8.3.2 Configuring SSO Integration

To configure Oracle Directory Services Manager-SSO integration, use the Oracle Directory Services Manager Proxy Bind Configuration Screen, at http://host:port/odsm-config. Log in as the WebLogic administrator.

On this screen, you provide Oracle Directory Services Manager with the set of directory servers that SSO users can manage. This screen lists the Single Sign-On accessible directories.

Use the View list to modify the number and order of the columns. To remove an existing directory, click Remove.

To modify an existing directory, click Modify.

To add a new Single Sign-On accessible directory, click Add.

When you click Modify or Add, the Directory Details screen appears. Proceed as follows:

  1. Select Non-SSL or SSL from the Port Type list.

  2. Select OID or OVD from the Directory Type list.

  3. Provide the following information:

    • Host and Port of the directory.

    • Proxy User's DN and Password: The DN and password that Oracle Directory Services Manager uses for proxy authentication.

    • User Container DN: The DN under which user entries are located in the directory.

    • User Lookup Attribute: A unique attribute for looking up a user's DN in the directory. For example, if the SSO server sends the user's mail ID to Oracle Directory Services Manager as the user's unique identifier, you can configure mail as the user look-up attribute.

  4. Click Validate to verify your directory connection details.

    Oracle Directory Services Manager authenticates to the directory server with the credentials provided.

  5. Click Apply to apply your selections.

    Click Revert to abandon your selections.

  6. Specify the SSO server's Logout URL in the SSO Logout URL text box.

    For example, http://myoamhost.mycompany.com:14100/oam/server/logout is the default Logout URL for the Oracle Access Manager 11g server. If you only configure this field, Oracle Directory Services Manager displays the Login link at the top right corner of the Oracle Directory Services Manager page.

8.3.3 Configuring the SSO Server for Oracle Directory Services Manager Integration

To make SSO-Oracle Directory Services Manager integration work correctly, you must configure specific Oracle Directory Services Manager URLs as protected or unprotected.

Oracle Directory Services Manager's home page must be an unprotected URL. That is, all users must be able to access the Oracle Directory Services Manager home page, including those who have not gone through the SSO authentication process.

The URL /odsm/odsm-sso.jsp must be protected by the SSO server. When a user clicks the Login link appearing on the top right corner of the home page, Oracle Directory Services Manager redirects the user to /odsm/odsm-sso.jsp. The SSO server challenges the user for a username and password, if the user is not already authenticated. Upon successful authentication, the user is directed back to the Oracle Directory Services Manager home page.

You must configure /odsm/odsm-sso.jsp as a protected URL. In addition you must configure the following URLs as unprotected URLs:

  • /odsm/faces/odsm.jspx

  • /odsm/.../

You can use either Oracle Access Manager 11g or Oracle Access Manager 10g as your SSO provider.

You must configure the Oracle Access Manager server to send the SSO-authenticated user's unique identifier to Oracle Directory Services Manager in an HTTP header. Oracle Directory Services Manager looks first for the OAM_REMOTE_USER HTTP header, which the Oracle Access Manager server sets by default. If that header is not present, Oracle Directory Services Manager looks for the odsm-sso-user-unique-id HTTP header. If neither header is present, Oracle Directory Services Manager SSO integration does not work. Because the value of this header is taken as the user's identity, it must only ever be set by the WebGate in front of Oracle Directory Services Manager: make sure clients cannot reach the WebLogic server hosting Oracle Directory Services Manager except through the Oracle HTTP Server described in Configuring the Oracle HTTP Server for ODSM-SSO Integration.

In addition to the user's unique identifier, you can optionally configure Oracle Access Manager to send the following HTTP headers:

  • Configure the odsm-sso-user-firstname HTTP header to send the user's first name.

  • Configure the odsm-sso-user-lastname HTTP header to send the user's last name.

If these headers are available, Oracle Directory Services Manager displays the user's first name and last name in the "Logged in as" section located in the top right corner of Oracle Directory Services Manager. If the first name or the last name is not available, Oracle Directory Services Manager displays the user's unique identifier in the "Logged in as" section.

To configure Oracle Access Manager 11g, see "Deploying the OAM 11g SSO Solution" in Oracle Fusion Middleware Security Guide.

To configure Oracle Access Manager 10g, see "Deploying SSO Solutions with OAM 10g" in Oracle Fusion Middleware Security Guide.
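The mapping described in Understanding Single Sign-On Integration with Oracle Directory Services Manager, together with the header handling above, modelled as an added example. This is not Oracle's code and does not call Oracle Directory Services Manager: the directory is an in-memory dictionary standing in for Oracle Virtual Directory, the proxy bind is a password comparison, the field names of ProxyBindConfig and the admin group DN cn=admins,cn=groups,dc=example,dc=com are assumptions, and every entry is constructed sample data. The decision logic follows the text: OAM_REMOTE_USER takes precedence over odsm-sso-user-unique-id, the user is looked up by the configured attribute under the configured container, exactly one match is required, and the mapped DN must be in the admin group.

```python
"""Model of the mapping Oracle Directory Services Manager performs for an
SSO-authenticated user (added example, not Oracle's code). The directory is an
in-memory dictionary standing in for Oracle Virtual Directory, and the proxy
bind is a password comparison; only the decision logic follows the text."""
from dataclasses import dataclass

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=odsmproxy,cn=users,dc=example,dc=com": {"userpassword": "proxy-secret"},
    "cn=alice,cn=users,dc=example,dc=com": {"mail": "alice@example.com"},
    "cn=bob,cn=users,dc=example,dc=com": {"mail": "bob@example.com"},
    "cn=admins,cn=groups,dc=example,dc=com": {
        "uniquemember": ["cn=alice,cn=users,dc=example,dc=com"]},
}


@dataclass(frozen=True)
class ProxyBindConfig:
    """Values from the Proxy Bind Configuration screen. The field names and the
    admin group DN are assumptions; the text only says 'admin group'."""
    proxy_dn: str
    proxy_password: str
    user_container_dn: str
    user_lookup_attribute: str
    admin_group_dn: str


CONFIG = ProxyBindConfig(
    proxy_dn="cn=odsmproxy,cn=users,dc=example,dc=com",
    proxy_password="proxy-secret",
    user_container_dn="cn=users,dc=example,dc=com",
    user_lookup_attribute="mail",
    admin_group_dn="cn=admins,cn=groups,dc=example,dc=com",
)


def norm_dn(dn):
    """DN normalisation sufficient for this model: lower-case, no spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def sso_unique_id(headers):
    """Header precedence from the text: OAM_REMOTE_USER, then odsm-sso-user-unique-id."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("oam_remote_user") or lowered.get("odsm-sso-user-unique-id")


def display_name(headers, unique_id):
    """'Logged in as' text: first and last name when both headers arrive, else the id."""
    lowered = {k.lower(): v for k, v in headers.items()}
    first = lowered.get("odsm-sso-user-firstname")
    last = lowered.get("odsm-sso-user-lastname")
    return f"{first} {last}" if first and last else unique_id


def proxy_bind(cfg, directory):
    """Simple bind as the proxy user; a real bind would go over LDAP(S)."""
    entry = directory.get(norm_dn(cfg.proxy_dn))
    return entry is not None and entry.get("userpassword") == cfg.proxy_password


def lookup_user_dn(cfg, directory, unique_id):
    """Equality search for lookup_attribute=unique_id under the user container.
    Exactly one match is required: none means no entry, several would be an
    ambiguous identity, and neither may be mapped."""
    container = norm_dn(cfg.user_container_dn)
    matches = [dn for dn, attrs in directory.items()
               if dn.endswith("," + container)
               and str(attrs.get(cfg.user_lookup_attribute, "")).lower() == unique_id.lower()]
    return matches[0] if len(matches) == 1 else None


def is_admin(cfg, directory, user_dn):
    members = directory.get(norm_dn(cfg.admin_group_dn), {}).get("uniquemember", [])
    return norm_dn(user_dn) in {norm_dn(m) for m in members}


def map_sso_user(cfg, directory, headers):
    """Returns (mapped_dn, status); mapped_dn is None unless every step passed."""
    unique_id = sso_unique_id(headers)
    if not unique_id:
        return None, "no unique-id header"
    if not proxy_bind(cfg, directory):
        return None, "proxy bind failed"
    user_dn = lookup_user_dn(cfg, directory, unique_id)
    if user_dn is None:
        return None, "no unique match under user container"
    if not is_admin(cfg, directory, user_dn):
        return None, "mapped DN is not in the admin group"
    return user_dn, "ok"


if __name__ == "__main__":
    for hdrs in ({"OAM_REMOTE_USER": "alice@example.com"},
                 {"odsm-sso-user-unique-id": "bob@example.com"},
                 {"OAM_REMOTE_USER": "nobody@example.com"}, {}):
        print(hdrs, "->", map_sso_user(CONFIG, DIRECTORY, hdrs))
```

Run directly, it prints one line per outcome. The function returns a reason for every refusal (missing header, failed proxy bind, no unique match, not in the admin group), which is what you want to log when an SSO-authenticated user reports that the directory does not appear in the Connect dialog.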

8.3.4 Configuring the Oracle HTTP Server for ODSM-SSO Integration

If you are using Oracle HTTP Server to host the SSO server's WebGate agent and as a front end to the WebLogic server hosting Oracle Directory Services Manager, you must configure Oracle HTTP Server's mod_wl_ohs module to forward all requests starting with /odsm to the WebLogic server hosting Oracle Directory Services Manager. The mod_wl_ohs module allows requests to be proxied from Oracle HTTP Server to Oracle WebLogic Server.

To configure mod_wl_ohs, see "Configuring the mod_wl_ohs Module" in Oracle Fusion Middleware Administrator's Guide for Oracle HTTP Server.

8.3.5 Invoking Oracle Directory Services Manager

You can invoke Oracle Directory Services Manager directly or from Oracle Enterprise Manager Fusion Middleware Control.

Notes:

  • If you selected Configure Without a Domain when prompted for a domain while installing Oracle Virtual Directory, Oracle Directory Services Manager will not be available.

  • For information about supported browsers for Fusion Middleware Control and Oracle Directory Services Manager, refer to System Requirements and Supported Platforms for Oracle Fusion Middleware 11gR1, which is linked from: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

  • To invoke Oracle Directory Services Manager directly, enter the following URL into your browser's address field.

    http://host:port/odsm
    

    In the URL to access Oracle Directory Services Manager,

    • host is the name of the managed server where Oracle Directory Services Manager is running.

    • port is the managed server port number from the WebLogic server.

    You can determine the exact port number by examining the $Fusion_Middleware_Home/Oracle_Identity_Management_domain/servers/wls_ods/data/nodemanager/wls_ods1.url file, where Fusion_Middleware_Home represents the root directory where Fusion Middleware is installed.

  • To invoke Oracle Directory Services Manager from Fusion Middleware Control, select Directory Services Manager from the Oracle Virtual Directory menu in the Oracle Virtual Directory target, then select Data Browser, Schema, Security, or Advanced. (You can connect from the Oracle Internet Directory menu in a similar manner.)

    A new browser window containing the Oracle Directory Services Manager Welcome screen pops up. Connect to the server as described in the next section.

8.3.6 Connecting to the Server from Oracle Directory Services Manager

When the Oracle Directory Services Manager Welcome screen appears, you can connect to either an Oracle Virtual Directory server or an Oracle Internet Directory server.

This section contains the following topics:

Note:

When connecting to a directory server from Oracle Directory Services Manager, be aware of the following:
  • The directory server must be running to connect to it from Oracle Directory Services Manager.

  • Only users who have Oracle Directory Services Manager Administrator access (usually cn=orcladmin) can log in to Oracle Directory Services Manager.

  • Avoid using multiple windows of the same browser program to simultaneously connect to different directories. Doing so can cause a Target unreachable error.

  • You can use the same Oracle Directory Services Manager component with different browser programs, such as Internet Explorer and Firefox, and connect each to a different directory system component.

  • If you change the browser language setting, you must update the session to use the new setting. To update the session, either reenter the Oracle Directory Services Manager URL in the URL field and press Enter, or quit and restart the browser.

8.3.6.1 Logging in to the Directory Server from Oracle Directory Services Manager

You log in to a directory server's non-SSL port from Oracle Directory Services Manager as follows:

  1. Click Connect to a directory at the top of the Oracle Directory Services Manager Welcome screen to open a dialog box containing the following sections:

    • Live Connections–current connections that you can return to.

    • Disconnected Connections–a list of directory servers you have connected to and then disconnected from. Oracle Directory Services Manager saves information about connections that you previously used and lists them, by optional Name or by server, so that you can select them again.

    • New Connections–used to initiate a new connection

    If you are SSO-authenticated, you might see an additional section, refer to "Connecting to an SSO-Enabled Directory as an SSO-Authenticated User" for more information.

  2. Select OID or OVD.

  3. Optionally, enter an alias name in the Name field to identify the connection. This name appears in the list of live connections (described in Step 1) so that you can quickly reconnect to the directory after ending the current Oracle Directory Services Manager session.

  4. Enter the name of the server where Oracle Internet Directory or Oracle Virtual Directory is running in the Server field.

  5. Enter the non-SSL port in the Port field. For Oracle Virtual Directory, enter the non-SSL port for the Admin Listener. For Oracle Internet Directory, enter the non-SSL LDAP port.

  6. Deselect SSL Enabled.

  7. Enter the name of the user who has Oracle Directory Services Manager Administrator access (usually cn=orcladmin) and password.

  8. Select the Start Page you want to go to after logging in.

  9. Click Connect.

After you have logged in to an Oracle Internet Directory or Oracle Virtual Directory server, you can use the navigation tabs to select other pages.

The Oracle Directory Services Manager home pages for Oracle Internet Directory and Oracle Virtual Directory list version information about Oracle Directory Services Manager itself, as well as about the directory and its adapters. The Oracle Virtual Directory home page also lists the configured adapters and listeners.

8.3.6.2 Logging Into the Directory Server from Oracle Directory Services Manager Using SSL

When you log in to the server's SSL port, you follow the procedure in "Logging in to the Directory Server from Oracle Directory Services Manager", except that you specify the SSL port in Step 5 and select SSL Enabled in Step 6. Specifically, you enter the SSL port for the Admin Listener for Oracle Virtual Directory, or the SSL LDAP port for Oracle Internet Directory. Then, after you click Connect in Step 9, you might be presented with a certificate, depending on the type of SSL authentication. The following sections provide information on handling the certificate for each supported SSL authentication type:

8.3.6.2.1 SSL No Authentication

If the directory server is using SSL No Authentication mode, you are not presented with a certificate. SSL No Authentication provides data confidentiality and integrity against a passive observer, but no authentication using X.509 certificates: because neither side proves its identity, an attacker who can intercept the connection can impersonate the directory server. Use this mode only where the network path between Oracle Directory Services Manager and the directory server is itself trusted.

8.3.6.2.2 SSL Server Only Authentication

If the directory server is using SSL Server Authentication Only Mode, which is the default for Oracle Virtual Directory, you are presented with the server's certificate when you click Connect in Step 9. After manually verifying the authenticity of the server certificate (for example, by comparing its fingerprint with the value the directory administrator reads from the server's own keystore), you can accept the certificate permanently, accept the certificate for the current session only, or reject the certificate. If you accept the certificate permanently, the certificate is stored in the Oracle Directory Services Manager's Java Key Store (JKS). From then on, you will not be prompted to accept the certificate when you connect to that server using that particular Oracle Directory Services Manager URL. If you accept the certificate only for the current session, you are prompted to accept or reject the certificate every time you connect to the server. If you reject the certificate, Oracle Directory Services Manager closes the connection to the server.

Refer to "Managing Oracle Directory Services Manager's Key Store" for additional information.

8.3.6.3 Connecting to an SSO-Enabled Directory as an SSO-Authenticated User

If you have already been authenticated by the Single Sign-On server, Oracle Directory Services Manager allows you to connect to SSO-enabled directories without logging in, provided you have an entry in that directory. When you access the Oracle Directory Services Manager Welcome page, if you have an entry in only one SSO-enabled directory, Oracle Directory Services Manager connects you to it. If you have entries in more than one SSO-enabled directory Oracle Directory Services Manager allows you to select a directory you want to connect to, as follows.

Click the small arrow to the right of the label Click to connect to a directory. In this case, the dialog box contains an extra section, listing SSO-enabled directories to which you are authorized to connect. Select the directory you want. Oracle Directory Services Manager connects you without requesting a username or password.

If the port you connected to is an SSL port, you still must perform the appropriate steps in SSL No Authentication or SSL Server Only Authentication.

Note:

SSO-authenticated users must be members of the Oracle Virtual Directory's admin group to manage Oracle Virtual Directory. Even with a valid DN, users cannot manage Oracle Virtual Directory unless they are in the admin group.

The container DN under which Oracle Directory Services Manager searches for a user's DN can be from any adapter configured in Oracle Virtual Directory.

8.3.7 Managing Oracle Directory Services Manager's Key Store

Oracle Directory Services Manager is integrated with the Credential Store Framework, a secure storage framework provided by Oracle. This section explains how to manage Oracle Directory Services Manager's credentials and contains the following topics:

8.3.7.1 Understanding Oracle Directory Services Manager's Key Store

Oracle Directory Services Manager uses a Java Key Store (JKS) to manage its private key, certificate, and trusted certificates. The first time you use Oracle Directory Services Manager, the program creates a Java Key Store file, named odsm.cer, and assigns a random password to the JKS. This JKS file resides in a directory with a name of the form:

DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf

Oracle Directory Services Manager stores this random password in the Credential Store Framework. The WebLogic server administrator can retrieve the Java Key Store password stored in the Credential Store Framework.

Oracle Directory Services Manager also generates a self-signed certificate for itself and stores it in the Java Key Store. This self-signed certificate is valid for 15000 days from the date of generation and it should only be used for testing purposes. For production purposes, you must replace this self-signed certificate with a certificate signed by a Certificate Authority (CA).

Oracle Directory Services Manager does not provide a web-based user interface for managing its keystore. You must manage the keystore by using keytool, a command line tool shipped with the Sun JRE/JDK.

See Also:

For more information, refer to the following publications:

8.3.7.2 Retrieving Oracle Directory Services Manager's Java Key Store Password

To manage Oracle Directory Services Manager's Java Key Store, you must first retrieve Oracle Directory Services Manager's Java Key Store password. The WebLogic administrator can retrieve it using the WebLogic Scripting Tool (WLST) as follows:

  1. Start the WLST shell:

    $ORACLE_HOME/common/bin/wlst.sh
    
    Note:

    If necessary, type help() for more information about available commands.

  2. After seeing the Welcome screen, enter connect() and provide the username, password, and URL to the Admin Server.

    A message displays confirming a successful connection.

  3. Enter the following listCred() method to retrieve Oracle Directory Services Manager's Java Key Store password:

    listCred( map="ODSMMap", key="ODSMKey.Wallet" )
    

See Also:

The "Managing Credentials with WLST Commands" section in the Oracle Fusion Middleware Security Guide for more information.

8.3.7.3 Listing the Contents of odsm.cer Java Key Store

After you retrieve the Java Key Store password, you can manage it using the keytool command.

To list contents of odsm.cer:

  1. Move (cd) to the directory containing the odsm.cer, for example:

    cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
    
  2. Use keytool to list the contents of odsm.cer, for example:

    ORACLE_HOME/jdk/jre/bin/keytool -list -keystore odsm.cer \
    -storepass "&M)S86)/RB" -v
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    Alias name: serverselfsigned
    Creation date: Dec 26, 2008
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
    Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
    Serial number: 495586b6
    Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
    Certificate fingerprints:
             MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
             SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
             Signature algorithm name: SHA1withRSA         Version: 3
    
    
    *******************************************
    *******************************************
    
    Alias name: cn=rootca, o=oracle, c=us (0)
    Creation date: Dec 31, 2008
    Entry type: trustedCertEntry
    
    Owner: CN=RootCA, O=Oracle, C=US
    Issuer: CN=RootCA, O=Oracle, C=US
    Serial number: 0
    Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
    Certificate fingerprints:
             MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
             SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
             Signature algorithm name: MD5withRSA
             Version: 1
    
    
    *******************************************
    *******************************************
    

8.3.7.4 Managing Expired Certificates

All of a user's trusted certificates are stored in the Oracle Directory Services Manager Java Key Store. Because Oracle Directory Services Manager does not provide a web-based user interface for managing the keystore, and cannot automatically remove expired certificates from the JKS, administrators must use keytool to find and delete any expired certificates.

As described in Listing the Contents of odsm.cer Java Key Store, keytool lists the validity period of each certificate, so you can find every expired certificate by comparing its "until" date with the current date. For example, the following certificate is valid until Saturday, October 31, 09:41:23 PDT 2008.

Alias name: cn=ovd, ou=development, o=MyCompany, l=redwood shores, st=california, c=us (1241455283)
Creation date: May 5, 2008
Entry type: trustedCertEntry
 
Owner: CN=OVD, OU=Development, O=MyCompany, L=Redwood Shores, ST=California,C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California,C=US
Serial number: 49ff1ab3
Valid from: Mon May 04 09:41:23 PDT 2008 until: Sat Oct 31 09:41:23 PDT 2008
Certificate fingerprints:
MD5: 93:0E:41:5E:95:88:71:BD:8A:49:ED:A9:29:3B:0A:1E
SHA1: 84:C6:75:60:D9:BE:7B:CA:D6:8B:B5:4B:97:E4:20:39:44:82:FE:93
Signature algorithm name: SHA1withRSA
Version: 3

To delete expired certificates, see Deleting Trusted Certificates.
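An added example, not part of the Oracle documentation, that automates the check described in Listing the Contents of odsm.cer Java Key Store and Managing Expired Certificates: it parses the text that keytool -list -v prints, reports every entry whose validity period has ended at a reference time, and builds the keytool -delete command from Deleting Trusted Certificates for each expired trusted certificate. The input below is constructed from the output shown in those sections. The parser assumes the English date format keytool printed there (other locales differ) and drops the time zone token, which matters only within hours of the expiry instant. An expired PrivateKeyEntry is reported but gets no delete command, because it is Oracle Directory Services Manager's own key and certificate, and the remedy for that is to replace the certificate, not to delete the key.

```python
"""Find expired entries in the output of `keytool -list -v` (added example,
not Oracle's code). Parses the English output format shown above; the time
zone token in the dates is dropped, which only matters within hours of expiry.
"""
import re
import sys
from datetime import datetime

# Constructed sample modelled on the keytool output shown in the text above.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS

Your keystore contains 3 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009

*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050

*******************************************
*******************************************

Alias name: cn=ovd, ou=development, o=mycompany, l=redwood shores, st=california, c=us (1241455283)
Creation date: May 5, 2008
Entry type: trustedCertEntry

Owner: CN=OVD, OU=Development, O=MyCompany, L=Redwood Shores, ST=California,C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California,C=US
Serial number: 49ff1ab3
Valid from: Mon May 04 09:41:23 PDT 2008 until: Sat Oct 31 09:41:23 PDT 2008

*******************************************
*******************************************
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
TYPE_RE = re.compile(r"^Entry type: (.+)$", re.M)
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)


def parse_keytool_date(text):
    """'Sat Oct 31 09:41:23 PDT 2008' -> naive datetime (zone token dropped)."""
    _weekday, month, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_list(output):
    """One dict per keystore entry. Entries are separated by the rows of
    asterisks; for a PrivateKeyEntry the first 'Valid from' line is the leaf."""
    entries = []
    for block in re.split(r"(?:\*{10,}\s*)+", output):
        alias, etype, valid = (ALIAS_RE.search(block), TYPE_RE.search(block),
                               VALID_RE.search(block))
        if alias and etype and valid:  # skips the header and the trailing empty block
            entries.append({"alias": alias.group(1).strip(),
                            "entry_type": etype.group(1).strip(),
                            "not_before": parse_keytool_date(valid.group(1)),
                            "not_after": parse_keytool_date(valid.group(2))})
    return entries


def expired_entries(entries, now):
    return [e for e in entries if e["not_after"] < now]


def delete_commands(entries, now, keystore="odsm.cer"):
    """keytool -delete lines for expired trusted certificates only. An expired
    PrivateKeyEntry is ODSM's own certificate: replace it, do not delete the key."""
    return [f'$ORACLE_HOME/jdk/jre/bin/keytool -delete -keystore {keystore} '
            f'-storepass PASSWORD_OBTAINED_FROM_CSF -alias "{e["alias"]}"'
            for e in expired_entries(entries, now)
            if e["entry_type"] == "trustedCertEntry"]


if __name__ == "__main__":
    # Reads real keytool output from a pipe; falls back to the sample when run by hand.
    text = SAMPLE_KEYTOOL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    found = parse_keytool_list(text)
    now = datetime.now()
    for e in expired_entries(found, now):
        print(f'EXPIRED {e["entry_type"]:16} {e["alias"]} (until {e["not_after"]:%Y-%m-%d})')
    print("\n".join(delete_commands(found, now)))
```

Against a real keystore, pipe the listing in rather than pasting it: run keytool -list -v with the store password retrieved from the Credential Store Framework, pipe its output into this script, review the printed commands, and then run them. The script never touches the keystore itself; the -delete step stays a deliberate, reviewed action.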

8.3.7.5 Deleting Trusted Certificates

To delete trusted certificates in odsm.cer:

  1. Move (cd) to the directory containing the odsm.cer, for example:

    cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
    
  2. Use keytool to delete a trusted certificate from odsm.cer by its alias, for example:

    ORACLE_HOME/jdk/jre/bin/keytool -delete -keystore odsm.cer \
    -storepass PASSWORD_OBTAINED_FROM_CSF -alias "cn=rootca, o=oracle, c=us (0)"
    [Storing odsm.cer]

    Delete only trustedCertEntry aliases. The serverselfsigned PrivateKeyEntry is Oracle Directory Services Manager's own private key and certificate; if that certificate has expired, replace it rather than deleting the entry.
    

8.3.8 Configuring Oracle Directory Services Manager Session Timeout

The default session timeout for Oracle Directory Services Manager is 35 minutes. You can change this default value by editing the file web.xml, which resides in DOMAIN_HOME/servers/wls_ods1/tmp/_WL_user/odsm_11.1.1.2.0/randomid/war/WEB-INF. (This assumes your managed server is named wls_ods1. Adjust the pathname if your managed server has a different name.)

The file fragment containing the timeout value looks like this:

<session-config> 
<session-timeout>35</session-timeout> 
</session-config> 

After you change the value, restart the managed server or restart Oracle Directory Services Manager through the WebLogic console.

If you edit the file web.xml, keep in mind that the change you make might not be permanent. Oracle Directory Services Manager is deployed from ORACLE_HOME/ldap/odsm/odsm.ear to the WebLogic server. The WebLogic server expands odsm.ear into the DOMAIN_HOME/servers/wls_ods1/tmp/_WL_user/odsm_11.1.1.2.0 directory for performance reasons. This is a temporary cache directory for WebLogic server. If you apply a patch that overwrites ORACLE_HOME/ldap/odsm/odsm.ear, the changes you made to web.xml in the temporary cache directory are also overwritten.

8.3.9 Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an Oracle WebLogic Server Cluster

Perform the following steps to configure Oracle HTTP Server to route Oracle Directory Services Manager requests to multiple Oracle WebLogic Servers in a clustered Oracle WebLogic Server environment:

  1. Create a backup copy of the Oracle HTTP Server's httpd.conf file. The backup copy provides a source to revert back to if you encounter problems after performing this procedure.

  2. Add the following text to the end of the Oracle HTTP Server's httpd.conf file, replacing the placeholder values with the host names and managed server port numbers of the Oracle WebLogic Servers in your environment. Be sure to use <Location /odsm/ > as the first line in the entry. Using <Location /odsm/faces > or <Location /odsm/faces/odsm.jspx > can distort the appearance of the Oracle Directory Services Manager interface.

    <Location /odsm/ > 
    SetHandler weblogic-handler 
    WebLogicCluster host-name-1:managed-server-port-1,host-name-2:managed-server-port-2 
    </Location> 
    
  3. Stop, then start the Oracle HTTP Server to activate the configuration change.

Note:

Oracle Directory Services Manager loses its connection and displays a session time-out message if the Oracle WebLogic Server in the cluster that it is connected to fails. Oracle Directory Services Manager requests are routed to the secondary Oracle WebLogic Server in the cluster that you identified in the httpd.conf file after you log back in to Oracle Directory Services Manager.

8.4 Getting Started With Fusion Middleware Control

This topic explains how to get started using Oracle Enterprise Manager Fusion Middleware Control with Oracle Virtual Directory. It contains the following sections:

Note:

If Oracle Virtual Directory is configured to listen on privileged ports, ensure OPMN was started as the Oracle Directory Services Manager Administrator before starting, stopping, or restarting Oracle Virtual Directory using Oracle Enterprise Manager Fusion Middleware Control as described in this topic. Refer to Chapter 10, "Managing Oracle Virtual Directory Server Processes" for more information.

8.4.1 Invoking Fusion Middleware Control to Manage Oracle Virtual Directory

Oracle Enterprise Manager Fusion Middleware Control is a graphical user interface that provides a comprehensive systems management platform for Oracle Fusion Middleware. Oracle Enterprise Manager Fusion Middleware Control organizes a wide variety of performance data and administrative functions into distinct, Web-based home pages for the farm, Oracle Fusion Middleware components, middleware system components, and applications.

Oracle Virtual Directory is a target type in Oracle Enterprise Manager Fusion Middleware Control. To use the Oracle Enterprise Manager Fusion Middleware Control interface to manage Oracle Virtual Directory:

  1. Connect to Oracle Enterprise Manager Fusion Middleware Control using a web browser. The URL is of the form:

    https://host:port/em
    
  2. In the left panel topology tree, expand the farm, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Virtual Directory components are listed in both places.

    To distinguish one component from another, move the mouse over the component name and view the full name of the component in the tool tip.

  3. Select the Oracle Virtual Directory component you want to manage.

  4. Use the Oracle Virtual Directory menu to select tasks.

You can use the Oracle Virtual Directory menu to navigate to other Oracle Enterprise Manager Fusion Middleware Control pages for Oracle Virtual Directory and to navigate to Oracle Directory Services Manager pages for Oracle Virtual Directory.

8.4.2 Starting the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to start an Oracle Virtual Directory server that is not running using Oracle Enterprise Manager Fusion Middleware Control. To restart an Oracle Virtual Directory server that is running, refer to Restarting the Oracle Virtual Directory Server Using Fusion Middleware Control.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to start.

  2. Select Control from the Oracle Virtual Directory menu and then select Start Up. A dialog box appears listing messages and the status of the target.

  3. Click OK on the message dialog box to close it.

8.4.3 Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to stop a running Oracle Virtual Directory server using Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to stop.

  2. Select Control from the Oracle Virtual Directory menu and then select Shut Down.

  3. Click Yes in the confirmation dialog box to verify you want to stop the Oracle Virtual Directory server. A dialog box appears listing messages and the status of the target.

  4. Click OK on the message dialog box to close it.

8.4.4 Restarting the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to restart an Oracle Virtual Directory server that is currently running using Oracle Enterprise Manager Fusion Middleware Control.

Note:

Restarting a running Oracle Virtual Directory server reloads all of its configuration from the file system; it does not stop the server process.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to restart.

  2. Select Control from the Oracle Virtual Directory menu and then select Restart.

  3. Click Yes in the confirmation dialog box to verify you want to restart the Oracle Virtual Directory server. A dialog box appears listing messages and the status of the target.

  4. Click OK on the message dialog box to close it.

8.4.5 Monitoring Oracle Virtual Directory Using Fusion Middleware Control Metrics

You can use Oracle Enterprise Manager Fusion Middleware Control to view multiple types of metrics for the Oracle Virtual Directory server. The Oracle Virtual Directory server must be running to view its metrics using Oracle Enterprise Manager Fusion Middleware Control. You can access the metrics from the following locations in Oracle Enterprise Manager Fusion Middleware Control:

  • The Oracle Virtual Directory Home page

  • The Oracle Virtual Directory Performance Summary page

Home Page

To view the metrics on the Oracle Virtual Directory Home page, log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target for which you want metrics. The Home page appears, displaying the statistics.

Table 8-4 lists the statistics that are available on the Oracle Virtual Directory Home page:

Table 8-4 Metrics Available on the Home Page

Subject Metric

Current Load

  • Open Connections: number of client connections currently open to the Oracle Virtual Directory server.

  • Distinct Connected Users: number of unique users currently connected to the Oracle Virtual Directory server.

  • Distinct Connected IP Addresses: number of unique client IP addresses currently connected to the Oracle Virtual Directory server.

Resource Usage

  • Percent of CPU being utilized on the Oracle Virtual Directory host

  • Percent of memory being utilized on the Oracle Virtual Directory host

Average Response Time and Operations

  • Average time to complete an LDAP search request.

  • Number of LDAP search requests.

Listeners

Displays a table of configured Oracle Virtual Directory Listeners, including:

  • Listener name

  • Whether the Listener is enabled or disabled

  • Listener type

  • Port the listener listens on

Adapters

Displays a table of configured Oracle Virtual Directory Adapters, including:

  • Adapter name

  • Whether the adapter is enabled or disabled

  • Adapter type

  • Number of searches performed by the adapter

  • Total number of operations performed by the adapter


Performance Summary Page

The Performance Summary page enables you to choose a variety of metrics to display in a time based context. You can customize the metrics displayed on the Performance Summary page using the Metric Palette. Refer to the Oracle Fusion Middleware Administrator's Guide for more information on using the Metric Palette.

To view the metrics on the Performance Summary page:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target for which you want metrics.

  2. Select Monitoring and then Performance Summary from the Oracle Virtual Directory menu. The Performance Summary page appears.

Refer to Table D-1 for a list and description of the metrics that are available on the Performance Summary page.

8.5 Getting Started with WLST for Oracle Virtual Directory

You can use the WebLogic Scripting Tool (WLST) as the interface to perform several Oracle Virtual Directory administration and management tasks. While there are several tasks and procedures in this document that explain how to use WLST, you should refer to the following documents for complete information:

Important:

After you install Oracle Virtual Directory or after you restart the Oracle WebLogic Server, you must execute the WLST load() method before you execute any other WLST command.

Additionally, Oracle recommends executing the WLST load() method before executing any WLST command on the Oracle Virtual Directory MBean. Executing the load() method refreshes the MBean to the current configuration.
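The following shell wrapper is an added example and is not code from the Oracle documentation. It runs the load() method of the Oracle Virtual Directory MBean through wlst.sh as the first operation of a scripted session, and it keeps the WebLogic administrator credential out of the script and off the command line by using a WLST userConfigFile/userKeyFile pair created with storeUserConfig(). The Middleware home, administration server URL, component and instance names, and credential file paths are placeholders; the MBean ObjectName follows the oracle.as.management.mbeans.register naming used for system components and should be confirmed in the System MBean Browser of Fusion Middleware Control before you rely on it.

```shell
#!/bin/sh
# Added example, not code from the Oracle documentation: invoke the Oracle Virtual
# Directory MBean's load() method through wlst.sh before any other WLST operation
# touches the MBean.
#
# Assumed names (placeholders, not from the page):
#   ORACLE_HOME    Middleware home that contains common/bin/wlst.sh
#   ADMIN_URL      t3 URL of the WebLogic Administration Server
#   OVD_COMPONENT  component name as shown in Fusion Middleware Control (for example ovd1)
#   OVD_INSTANCE   Oracle instance that owns the component (for example instance1)
#   WLST_CONFIG    encrypted credential file written by the WLST storeUserConfig() command
#   WLST_KEY       matching key file written by storeUserConfig()
# The ObjectName below is the oracle.as.management.mbeans.register pattern for system
# components; confirm it in the System MBean Browser before relying on it.

# Print the WLST (Jython) script. No credential appears in the script or on any
# command line: connect() reads the encrypted userConfigFile/userKeyFile pair.
ovd_wlst_load_script() {
  cat <<EOF
import jarray, java.lang
connect(userConfigFile='${WLST_CONFIG}', userKeyFile='${WLST_KEY}', url='${ADMIN_URL}')
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=${OVD_COMPONENT},instance=${OVD_INSTANCE}')
# load() first: refresh the MBean from the current configuration before any other call
invoke('load', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))
print('Oracle Virtual Directory MBean ${OVD_COMPONENT} refreshed')
disconnect()
exit()
EOF
}

# Write the script to a private temporary file, run it with wlst.sh, remove the file.
ovd_wlst_load() {
  : "${ORACLE_HOME:?ORACLE_HOME must point at the Middleware home}"
  : "${ADMIN_URL:=t3://localhost:7001}"
  : "${OVD_COMPONENT:=ovd1}"
  : "${OVD_INSTANCE:=instance1}"
  : "${WLST_CONFIG:=$HOME/.wlst/ovd-admin.secure}"
  : "${WLST_KEY:=$HOME/.wlst/ovd-admin.key}"

  script=$(mktemp) || return 1
  chmod 600 "$script"
  ovd_wlst_load_script > "$script"
  if "$ORACLE_HOME/common/bin/wlst.sh" "$script"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$script"
  return $rc
}

# Usage (requires a real Middleware home and stored credentials):
#   ORACLE_HOME=/u01/app/oracle/middleware OVD_COMPONENT=ovd1 OVD_INSTANCE=instance1 ovd_wlst_load
```

Create the credential pair once, interactively, with storeUserConfig() in a WLST session connected as the administrator; the files are tied to the user and host that created them, so they are not a portable secret in the way a password embedded in a script would be.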

8.6 LDAP Tools Usage

The LDAP tools (ldapadd, ldapdelete, ldapbind, and so on) for Oracle Virtual Directory have been modified to prevent exposing passwords. A password supplied as a command-line argument is visible to other users of the host in process listings and is saved in the shell history, so use the -q option instead of the -w option for user passwords, and use the -Q option instead of the -P option for wallet passwords. Commands prompt you for the password when you use the -q and -Q options.

You can disable the -w and -P password options altogether by setting the LDAP_PASSWORD_PROMPTONLY environment variable to TRUE or 1. Set this environment variable whenever possible.
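The following wrapper is an added example and is not code from the Oracle documentation. It enforces the convention above in two layers: it refuses to run an Oracle Virtual Directory LDAP tool whose arguments contain -w or -P, and it sets LDAP_PASSWORD_PROMPTONLY for the tool process so that the tool itself rejects those options even if the wrapper is bypassed. It assumes the tools are installed under "$ORACLE_HOME/bin"; the host name, bind DN and ports in the usage lines are placeholders (6501 and 7501 are the default LDAP and LDAPS ports listed earlier in this chapter).

```shell
#!/bin/sh
# Added example, not code from the Oracle documentation: a wrapper for the Oracle
# Virtual Directory LDAP tools (ldapbind, ldapsearch, ldapadd, ...) that enforces
# prompt-only passwords. Assumed (placeholders, not from the page): the tools live
# under "$ORACLE_HOME/bin"; host names, bind DNs and ports in the usage lines are examples.

# Return 1 when an inline-password option is present. A value given with -w or -P
# becomes part of the process's argument vector, which any local user can read with
# ps(1), and it is recorded in the shell history; -q and -Q prompt instead.
reject_inline_password() {
  for arg in "$@"; do
    case "$arg" in
      -w|-P)     return 1 ;;   # separate form:  -w secret
      -w?*|-P?*) return 1 ;;   # attached form:  -wsecret (defensive; getopt-style parsers accept it)
    esac
  done
  return 0
}

# Run an OVD LDAP tool with inline passwords refused, and with
# LDAP_PASSWORD_PROMPTONLY set for the child process only so the tool itself
# disables -w/-P as a second line of defence.
ovd_ldap() {
  : "${ORACLE_HOME:?ORACLE_HOME must point at the Oracle home containing bin/ldapbind}"
  tool=$1
  shift
  reject_inline_password "$@" || {
    echo "ovd_ldap: refusing -w/-P; use -q (user password) or -Q (wallet password) to be prompted" >&2
    return 2
  }
  LDAP_PASSWORD_PROMPTONLY=TRUE "$ORACLE_HOME/bin/$tool" "$@"
}

# Usage (placeholders):
#   ovd_ldap ldapbind -h ovd.example.com -p 6501 -D cn=orcladmin -q
# Over LDAPS (port 7501) with a wallet, add -Q so the wallet password is prompted
# rather than passed with -P.
```

The wrapper deliberately does not read the password itself or pass it through a pipe; the tool's own -q/-Q prompt is the only path by which the secret enters the process.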