9 Configuring Oracle Directory Integration Platform

This chapter explains how to configure Oracle Directory Integration Platform (ODIP).

This chapter discusses the following topics:

9.1 Prerequisites

Ensure the prerequisites are met depending on the component you wish to configure. This section discusses the following topics:

9.1.1 Option 1: ODIP with Oracle Internet Directory

If you want to configure Oracle Directory Integration Platform (ODIP) with Oracle Internet Directory, ensure that Oracle Internet Directory is installed and configured as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

9.1.2 Option 2: ODIP with Oracle Directory Server Enterprise Edition (ODSEE)

If you want to configure Oracle Directory Integration Platform (ODIP) with Oracle Directory Server Enterprise Edition (ODSEE), ensure that the following prerequisites are met.

9.1.2.1 Installing Oracle Directory Server Enterprise Edition (ODSEE)

Ensure that Oracle Directory Server Enterprise Edition (ODSEE) is installed, as described in the Oracle Directory Server Enterprise Edition Installation Guide 11g Release 1 (11.1.1.5.0), available at the following link:

https://download.oracle.com/docs/cd/E20295_01/html/821-1218/index.html

9.1.2.2 Setting Up Oracle Directory Server Enterprise Edition (ODSEE)

Follow the steps below to set up Oracle Directory Server Enterprise Edition (ODSEE):

Go to <DSEE_HOME>/bin directory and execute the following commands:

  • Create a new ODSEE server instance.

    ./dsadm create <ODSEE instance>

    For example:

    ./dsadm create /scratch/<userid>/dsee/dseeinstance1/

  • Start the ODSEE server instance.

    ./dsadm start <ODSEE instance>

    For example:

    ./dsadm start /scratch/<userid>/dsee/dseeinstance1/

  • Create the root suffix.

    ./dsconf create-suffix -h <ODSEE Server> -p <ODSEE port> <SUFFIX_DN>

    where the SUFFIX_DN is the full DN of the new suffix. For a root suffix, the convention is to use the domain-component (dc) naming attribute.

    For example, to create a suffix for the DN dc=example,dc=com, use this command:

    ./dsconf create-suffix -h localhost -p 1389 dc=example,dc=com

  • Enable changelog.

    ./dsconf set-server-prop -h <ODSEE Server> -p <ODSEE port> retro-cl-enabled:on

    For example:

    ./dsconf set-server-prop -h localhost -p 1389 retro-cl-enabled:on

  • Restart the ODSEE server instance.

    ./dsadm restart <ODSEE instance>

    For example:

    ./dsadm restart /scratch/<userid>/dsee/dseeinstance1/

9.2 Configuring ODIP with Oracle Internet Directory (OID)

This section describes how to configure Oracle Directory Integration Platform (ODIP) with Oracle Internet Directory (OID). It includes the following topics:

9.2.1 ODIP with Fusion Middleware Control in a New WebLogic Domain

This topic describes how to configure Oracle Directory Integration Platform (ODIP) with Fusion Middleware Control in a new WebLogic administration domain. It includes the following sections:

9.2.1.1 Appropriate Deployment Environment

The configuration described in this topic is appropriate if there is no WebLogic Administration Server managing other 11g Release 1 (11.1.1) Oracle Directory Services components and Oracle Internet Directory is installed without a domain.

9.2.1.2 Components Deployed

Performing the configuration in this section deploys the following components:

  • WebLogic Managed Server

  • Oracle Directory Integration Platform

  • WebLogic Administration Server

  • Fusion Middleware Control

9.2.1.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server

  • Oracle Internet Directory

  • Oracle Database for Oracle Internet Directory

  • Identity Management - Oracle Internet Directory schema existing in the Oracle Internet Directory database.

9.2.1.4 Procedure

Perform the following steps to configure Oracle Directory Integration Platform with Fusion Middleware Control in a new domain:

  1. Ensure that Oracle Directory Integration Platform is installed, as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

    Note:

    If you selected the Install and Configure option in the Select Installation Type screen while installing Oracle Identity Management 11g Release 1 (11.1.1.6.0), as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software, the Select Domain screen is displayed.

    If you selected the Install Software - Do Not Configure option in the Select Installation Type screen while installing Oracle Identity Management 11g Release 1 (11.1.1.6.0), as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software, you must now start the Oracle Identity Management Configuration Wizard. Run <ORACLE_HOME>/bin/config.sh (on UNIX) or <ORACLE_HOME>\bin\config.bat (on Windows) to start the Oracle Identity Management Configuration Wizard. The Select Domain screen is displayed.

  2. On the Select Domain screen, select Create New Domain and enter the following information:

    • Enter the user name for the new domain in the User Name field.

    • Enter the user password for the new domain in the User Password field.

    • Enter the user password again in the Confirm Password field.

    • Enter a name for the new domain in the Domain Name field.

    Click Next. The Specify Installation Location screen appears.

  3. Identify the Homes, Instances, and the WebLogic Server directory by referring to Identifying Installation Directories. After you enter information for each field, click Next. The Specify Security Updates screen appears.

  4. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  5. Select only Oracle Directory Integration Platform. The Fusion Middleware Control management component is automatically selected for this installation.

    Ensure no other components are selected and click Next. The Configure Ports screen appears.

  6. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Specify OID Details screen appears.

  7. Identify the Oracle Internet Directory for Oracle Directory Integration Platform by entering the following information:

    • Hostname: Enter the hostname or IP address of the Oracle Internet Directory host.

    • Port: Enter the Oracle Internet Directory LDAP SSL port.

    • User Name: Enter the user name of the Oracle Internet Directory Administrator.

    • Password: Enter the password for the user name Oracle Directory Integration Platform will use to connect to Oracle Internet Directory.

    Click Next. The Specify Schema Database screen appears.

  8. Enter the following information about the Oracle Internet Directory schema:

    • Connect String: Enter the database connection information. The connection string must be in the form of hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form of hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Password: Enter the password for the ODSSM schema in the Password field.

    Click Next.

  9. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  10. The Configuration Progress screen appears. Click Next to continue.

  11. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.

9.2.2 Only ODIP in an Existing WebLogic Domain

This topic describes how to configure only Oracle Directory Integration Platform (ODIP) in an existing WebLogic administration domain. It includes the following sections:

9.2.2.1 Appropriate Deployment Environment

The configuration described in this topic is appropriate for the following environments:

  • A WebLogic Administration Server is managing an 11g Release 1 (11.1.1) Oracle Internet Directory component and you want Oracle Directory Integration Platform to join that domain.

  • A WebLogic Administration Server is managing other 11g Release 1 (11.1.1) Oracle Directory Services, but not Oracle Internet Directory, which is installed without a domain.

9.2.2.2 Components Deployed

Performing the configuration in this section deploys the following components:

  • WebLogic Managed Server

  • Oracle Directory Integration Platform

9.2.2.3 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server

  • Oracle Internet Directory

  • Oracle Database for Oracle Internet Directory

  • Identity Management - Oracle Internet Directory schema existing in the Oracle Internet Directory database.

9.2.2.4 Procedure

Perform the following steps to configure only Oracle Directory Integration Platform in an existing domain:

  1. Ensure that Oracle Directory Integration Platform is installed, as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

    Note:

    If you selected the Install and Configure option in the Select Installation Type screen while installing Oracle Identity Management 11g Release 1 (11.1.1.6.0), as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software, the Select Domain screen is displayed.

    If you selected the Install Software - Do Not Configure option in the Select Installation Type screen while installing Oracle Identity Management 11g Release 1 (11.1.1.6.0), as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software, you must now start the Oracle Identity Management Configuration Wizard. Run <ORACLE_HOME>/bin/config.sh (on UNIX) or <ORACLE_HOME>\bin\config.bat (on Windows) to start the Oracle Identity Management Configuration Wizard. The Select Domain screen is displayed.

  2. On the Select Domain screen, select Extend Existing Domain and enter the following information:

    • Enter the name of the host that contains the domain in the Host Name field.

    • Enter the Oracle WebLogic Server listen port in the Port field.

    • Enter the user name for the domain in the User Name field.

    • Enter the password for the domain user in the User Password field.

    Click Next. The Specify Installation Location screen appears.

  3. Identify the Homes, Instances, and the WebLogic Server directory by referring to Identifying Installation Directories.

    Note:

    To configure Oracle Identity Management components in an existing Oracle WebLogic Server administration domain, each Oracle WebLogic Server Home, Oracle Middleware Home, and Oracle Home directory in the domain must have identical directory paths and names.

    After you enter information for each field, click Next. The Specify Security Updates screen appears.

  4. Choose how you want to be notified about security issues:

    • If you want to be notified about security issues through email, enter your email address in the Email field.

    • If you want to be notified about security issues through My Oracle Support (formerly MetaLink), select the My Oracle Support option and enter your My Oracle Support Password.

    • If you do not want to be notified about security issues, leave all fields empty.

    Click Next. The Configure Components screen appears.

  5. Select only Oracle Directory Integration Platform. Ensure no other components are selected and click Next. The Configure Ports screen appears.

  6. Choose how you want the Installer to configure ports:

    • Select Auto Port Configuration if you want the Installer to configure ports from a predetermined range.

    • Select Specify Ports using Configuration File if you want the Installer to configure ports using the staticports.ini file. You can click View/Edit File to update the settings in the staticports.ini file.

    Click Next. The Specify OID Details screen appears.

  7. Identify the Oracle Internet Directory for Oracle Directory Integration Platform by entering the following information:

    • Hostname: Enter the hostname or IP address of the Oracle Internet Directory host.

    • Port: Enter the Oracle Internet Directory LDAP SSL port.

    • User Name: Enter the user name of the Oracle Internet Directory Administrator.

    • Password: Enter the password for the user name Oracle Directory Integration Platform will use to connect to Oracle Internet Directory.

    Click Next. The Specify Schema Database screen appears.

  8. Enter the following information about the Oracle Internet Directory schema:

    • Connect String: Enter the database connection information. The connection string must be in the form of hostname:port:servicename. For Oracle Real Application Clusters (RAC), the connection string must be in the form of hostname1:port1:instance1^hostname2:port2:instance2@servicename.

    • Password: Enter the password for the ODSSM schema in the Password field.

    Click Next.

  9. The Installation Summary screen appears. Verify the information on this screen. Click Configure to begin the configuration.

  10. The Configuration Progress screen appears. Click Next to continue.

  11. The Installation Complete screen appears. Click Save to save the configuration information to a file, and then click Finish to exit the installer.
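The connect-string formats given in step 8 of the two procedures above (9.2.1.4 and 9.2.2.4) can be checked before they are typed into the Specify Schema Database screen. This is an added example, not part of Oracle's documentation or tooling; the function names and the allowed field character set are assumptions.

```shell
# Validate an OID schema connect string in either documented form:
#   hostname:port:servicename
#   hostname1:port1:instance1^hostname2:port2:instance2@servicename   (RAC)
# Assumption: every field uses only [A-Za-z0-9._-]; IPv6 literals are not handled.

valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

valid_port() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;      # empty, non-digit, or more than 5 digits
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# split_triple "a:b:c" sets f1, f2, f3; fails unless there are exactly three fields.
split_triple() {
    f1=${1%%:*}; rest=${1#*:}
    [ "$rest" != "$1" ] || return 1           # no first colon
    f2=${rest%%:*}; f3=${rest#*:}
    [ "$f3" != "$rest" ] || return 1          # no second colon
    case $f3 in *:*) return 1 ;; esac         # a fourth field
}

# parse_connect_string STRING
# Prints one "host=... port=..." line per node and a final "service=..." line.
# Exits non-zero, printing nothing, when STRING matches neither form.
parse_connect_string() (
    cs=$1; out=
    case $cs in
        '') exit 1 ;;
        *@*)                                  # RAC form: node list, then @servicename
            service=${cs##*@}; nodes=${cs%@*}
            case $nodes in ''|*@*|'^'*|*'^'|*'^^'*) exit 1 ;; esac
            valid_name "$service" || exit 1
            rac=1 ;;
        *'^'*) exit 1 ;;                      # several nodes but no @servicename
        *)  nodes=$cs; rac=0 ;;
    esac
    set -f; IFS='^'                           # split the node list on '^' only
    for node in $nodes; do
        split_triple "$node" || exit 1
        valid_name "$f1" && valid_port "$f2" && valid_name "$f3" || exit 1
        if [ "$rac" -eq 1 ]; then
            out="${out}host=$f1 port=$f2 instance=$f3
"
        else
            out="${out}host=$f1 port=$f2
"
            service=$f3                       # third field is the service name
        fi
    done
    printf '%sservice=%s\n' "$out" "$service"
)

# Usage with constructed sample values:
#   parse_connect_string 'oiddb.example.com:1521:oid.example.com'
#   parse_connect_string 'rac1:1521:oid1^rac2:1521:oid2@oid.example.com'
```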

9.2.3 Configuring ODIP when OID is Running in SSL Mode 2 - Server Only Authentication

You cannot install and configure Oracle Directory Integration Platform (ODIP) 11g Release 1 (11.1.1) when Oracle Internet Directory (OID) is already installed and running in SSL Mode 2 - Server Only Authentication.

If Oracle Internet Directory is already installed and running in SSL Mode 2 - Server Only Authentication, you must perform the following steps to configure Oracle Directory Integration Platform 11g Release 1 (11.1.1):

  1. Configure Oracle Internet Directory to temporarily run in SSL Mode 1 - No Authentication.

    Refer to the "Configuring Secure Sockets Layer (SSL)" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for complete information.

  2. Install Oracle Directory Integration Platform, as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

  3. Configure Oracle Internet Directory to run in SSL Mode 2 - Server Only Authentication again. Refer to the "Configuring Secure Sockets Layer (SSL)" chapter in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

  4. Configure Oracle Directory Integration Platform to run in SSL Mode 2 by referring to the following sections in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management:

9.3 Configuring ODIP with Oracle Unified Directory (OUD)

To configure Oracle Directory Integration Platform (ODIP) with Oracle Unified Directory (OUD), see Part II: Configuring OUD/ODSM/ODIP and Fusion Middleware Control in a New WebLogic Administration Domain.

9.4 Configuring ODIP with Oracle Directory Server Enterprise Edition (ODSEE)

This section describes how to configure Oracle Directory Integration Platform (ODIP) with Oracle Directory Server Enterprise Edition (ODSEE). It includes the following topics:

9.4.1 ODIP with ODSEE in an Existing WebLogic Domain

This topic describes how to configure Oracle Directory Integration Platform (ODIP) with Oracle Directory Server Enterprise Edition (ODSEE) in an existing WebLogic administration domain. It includes the following sections:

9.4.1.1 Components Deployed

Performing the configuration in this section deploys only Oracle Directory Integration Platform.

9.4.1.2 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server

  • Oracle Directory Server Enterprise Edition (ODSEE)

9.4.1.3 Procedure

Perform the following steps to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition (ODSEE) in an existing WebLogic administration domain.

  1. Ensure that all the prerequisites are met as described in Option 2: ODIP with Oracle Directory Server Enterprise Edition (ODSEE).

  2. Ensure that Oracle Directory Integration Platform is installed using the Install Software - Do Not Configure option, as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

  3. Run the <MW_HOME>/oracle_common/bin/config.sh script (on UNIX) or <MW_HOME>\oracle_common\bin\config.cmd (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  4. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  5. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you want to configure Oracle Directory Integration Platform (ODIP) with Oracle Directory Server Enterprise Edition (ODSEE). Click Next. The Select Extension Source screen appears.

  6. On the Select Extension Source screen, select the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] and Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] domain configuration options.

    Note:

    When you select the Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] option, Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] is also selected by default.

    Click Next. The Specify Domain Name and Location screen appears.

  7. The Specify Domain Name and Location screen automatically selects the application location. Click Next. The Select Optional Configuration screen appears.

  8. On the Select Optional Configuration screen, select the Managed Servers, Clusters, and Machines option. Click Next. The Configure Managed Servers screen appears.

  9. On the Configure Managed Servers screen, specify the Managed Server name. Click Next.

  10. On the Configure Clusters screen, configure Clusters as required. Click Next.

  11. On the Configure Machines screen, select the Machine or Unix Machine tab. Click Add and specify the machine name. Click Next.

  12. If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.

  13. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

  14. Click Done once the domain is extended.

    Your existing domain is extended to support Oracle Directory Integration Platform.

9.4.2 ODIP and ODSEE in a New WebLogic Domain

This topic describes how to configure Oracle Directory Integration Platform (ODIP) and Oracle Directory Server Enterprise Edition (ODSEE) in a new WebLogic administration domain. It includes the following sections:

9.4.2.1 Components Deployed

Performing the configuration in this section deploys only Oracle Directory Integration Platform.

9.4.2.2 Dependencies

The configuration in this section depends on the following:

  • Oracle WebLogic Server

  • Oracle Directory Server Enterprise Edition (ODSEE)

9.4.2.3 Procedure

Perform the following steps to configure Oracle Directory Integration Platform and Oracle Directory Server Enterprise Edition (ODSEE) in a new WebLogic administration domain.

  1. Ensure that all the prerequisites are met as described in Option 2: ODIP with Oracle Directory Server Enterprise Edition (ODSEE).

  2. Ensure that Oracle Directory Integration Platform is installed, as described in Installing and Configuring Oracle Identity Management 11g Release 1 (11.1.1.6.0) Software.

  3. Run the <MW_HOME>/oracle_common/bin/config.sh script (on UNIX) or <MW_HOME>\oracle_common\bin\config.cmd (on Windows). The Oracle Fusion Middleware Configuration Wizard appears.

  4. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

  5. On the Select Domain Source screen, select the Generate a domain configured automatically to support the following products option. Select the following domain configuration options:

    • Oracle Enterprise Manager - 11.1.1.0 [oracle_common]

    • Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1]

      Note:

      When you select Oracle Enterprise Manager - 11.1.1.0 [oracle_common] and Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1], Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] and Oracle JRF 11.1.1.0 [oracle_common] are also selected by default.

    Click Next. The Specify Domain Name and Location screen appears.

  6. On the Specify Domain Name and Location screen, enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next. The Configure Administrator User Name and Password screen is displayed.

  7. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next. The Configure Server Start Mode and JDK screen is displayed.

  8. Choose JRockit SDK 1.6.0_24 and Production Mode in the Configure Server Start Mode and JDK screen. Click Next. The Select Optional Configuration screen is displayed.

  9. On the Select Optional Configuration screen, select the Managed Servers, Clusters, and Machines option. Click Next. The Configure Managed Servers screen appears.

  10. On the Configure Managed Servers screen, specify the Managed Server name. Click Next.

  11. On the Configure Clusters screen, configure Clusters as required. Click Next.

  12. On the Configure Machines screen, select the Machine or Unix Machine tab. Click Add and specify the machine name. Click Next.

  13. If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.

  14. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  15. Click Done once the domain is created successfully.

    A new WebLogic domain to support Oracle Directory Integration Platform is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

9.4.3 Post-Configuration Steps

After configuring Oracle Directory Integration Platform, perform the following tasks:

  1. Run the <MW_HOME>/oracle_common/common/bin/setNMProps.sh script (on UNIX) or <MW_HOME>\oracle_common\common\bin\setNMProps.cmd (on Windows).

  2. Start the Administration Server, Node Manager and Managed Server as described in Starting the Stack.

  3. Set the WL_HOME and ORACLE_HOME environment variables and execute <ORACLE_HOME>/bin/dipConfigurator. Provide the following information when prompted for input.

    • WebLogic host, port, username and password details.

    • Oracle Directory Server Enterprise Edition (ODSEE) host, port, username and password details.

    • Specify the suffix under which DIP metadata is to be stored.

  4. Verify the Oracle Directory Integration Platform (ODIP) installation and configuration. For more information, see Verifying ODIP.

  5. The dipConfigurator command sets the following ACIs on the specified metadata suffix. For any other suffix, set the following ACIs yourself on the containers in OUD so that changes imported from other sources can be written:

    # Replace <Container DN> and <metadata suffix> before applying.
    # Each aci value is a single logical line; if you fold it, every
    # continuation line must begin with a space, as LDIF requires.
    # The acl label reads "Anonymous read-search access", but the bind rules
    # are groupdn rules: access is granted only to members of the
    # dipadmingrp and odipigroup groups.
    dn: <Container DN>
    changetype:modify
    add: aci
    aci: (target="ldap:///<Container DN>")(version 3.0; acl "Anonymous read-search access"; allow (read,add,delete,search,write,compare,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,<metadata suffix>"; allow (read,add,delete,search,write,compare,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,<metadata suffix>"; )
    -
    add: aci
    aci: (targetattr="*")(version 3.0; acl "Anonymous read-search access"; allow (search,read,write,compare,add) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,<metadata suffix>"; allow (search,read,write,compare,add) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,<metadata suffix>";)
    

Note:

The ODIP configuration can be recreated any number of times if it is deleted or corrupted. However, if any sync profiles already exist, the connected directory password of the existing profiles must be reset after executing dipConfigurator.

To recreate the ODIP configuration, re-run step 3 and step 4.

9.5 Verifying ODIP

Verify the Oracle Directory Integration Platform (ODIP) installation using the dipStatus command, which is located in the $ORACLE_HOME/bin/ directory.

Note:

You must set the WL_HOME and ORACLE_HOME environment variables before executing the dipStatus command.

The following is the syntax for the dipStatus command:

    $ORACLE_HOME/bin/dipStatus -h HOST -p PORT -D wlsuser [-help]

  • -h | -host identifies the Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.

  • -p | -port identifies the listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

  • -D | -wlsuser identifies the Oracle WebLogic Server login ID.

Note:

You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.

Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
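One way to apply the scripted case described above: refuse a password file that other accounts can read, feed it to dipStatus on standard input, and delete it when the command finishes. This is an added example, not an Oracle script; the function names, host, port, and file path are hypothetical.

```shell
# secret_file_ok FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# calling user, with no permission bits set for group or others.
secret_file_ok() (
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || exit 1
    perms=$(ls -ld -- "$f" | cut -c1-10)      # e.g. -rw-------
    case $perms in
        -???------) exit 0 ;;
        *)          exit 1 ;;
    esac
)

# run_dipstatus_once HOST PORT WLSUSER PWFILE
# Runs dipStatus with the password read from PWFILE, then removes PWFILE
# whether or not dipStatus succeeded. Returns the dipStatus exit status, or
# 2 if the environment or the password file fails the checks (in that case
# the file is left in place for the operator to inspect).
run_dipstatus_once() (
    host=$1 port=$2 user=$3 pwfile=$4

    # dipStatus requires both variables to be set before it is executed.
    if [ -z "${WL_HOME:-}" ] || [ -z "${ORACLE_HOME:-}" ]; then
        echo "WL_HOME and ORACLE_HOME must be set" >&2
        exit 2
    fi
    if ! secret_file_ok "$pwfile"; then
        echo "refusing $pwfile: must be a regular file, owned by you, mode 600 or stricter" >&2
        exit 2
    fi

    # Delete the password file when this subshell exits, on success or failure.
    trap 'rm -f -- "$pwfile"' EXIT

    # The password is never placed on the command line, only on stdin.
    "$ORACLE_HOME/bin/dipStatus" -h "$host" -p "$port" -D "$user" < "$pwfile"
)

# Usage with constructed values (create the file under a restrictive umask):
#   ( umask 077; cat > /path/to/wls.pw )      # type the password, then Ctrl-D
#   run_dipstatus_once wls.example.com 7005 weblogic /path/to/wls.pw
```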

9.6 Getting Started with ODIP After Installation

After you install Oracle Directory Integration Platform (ODIP), no additional configuration is needed. The next step is to create synchronization profiles.

The Oracle Fusion Middleware Integration Guide for Oracle Identity Management explains how to manage Oracle Directory Integration Platform. For information about creating synchronization profiles using Oracle Enterprise Manager Fusion Middleware Control Console, refer to the "Managing Synchronization Profiles Using Fusion Middleware Control" section in that guide.