Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.2)

Part Number E21032-03

7 Extending the Domain with Oracle Internet Directory

This chapter describes how to extend the domain with Oracle Internet Directory (OID) in the enterprise deployment.

This chapter includes the following topics:

  • Section 7.1, "Identity Store and Policy Store in Oracle Internet Directory"

  • Section 7.2, "Prerequisites for Configuring Oracle Internet Directory Instances"

  • Section 7.3, "Configuring the Oracle Internet Directory Instances"

  • Section 7.4, "Post-Configuration Steps"

  • Section 7.5, "Validating the Oracle Internet Directory Instances"

  • Section 7.6, "Tuning Oracle Internet Directory"

  • Section 7.7, "Backing up the Oracle Internet Directory Configuration"

7.1 Identity Store and Policy Store in Oracle Internet Directory

You use the Identity Store for storing information about users and groups. You use the Policy Store for storing security policies and configuration information. Although you can use a single Oracle Internet Directory instance for storing both the identity and policy information, it is recommended that you use two directory stores.

If you intend to separate your identity and policy information, you must create two highly available instances of Oracle Internet Directory. These instances can coexist on the same nodes or can exist on separate nodes. The data, however, must be stored in two separate databases. If policy information must reside in Oracle Internet Directory, you can place identity information into a different directory, such as Active Directory.

The procedure for installing and configuring the two instances of Oracle Internet Directory is the same. You must, however, point idstore.mycompany.com at one of the instances and policystore.mycompany.com at the other.

7.2 Prerequisites for Configuring Oracle Internet Directory Instances

Before configuring the Oracle Internet Directory instances on OIDHOST1 and OIDHOST2, ensure that the following tasks have been performed:

  1. Synchronize the time on the individual Oracle Internet Directory nodes using Greenwich Mean Time so that there is a discrepancy of no more than 250 seconds between them.

    Note:

    If OID Monitor detects a time discrepancy of more than 250 seconds between the two nodes, the OID Monitor on the node that is behind stops all servers on its node. To correct this problem, synchronize the time on the node that is behind in time. The OID Monitor automatically detects the change in the system time and starts the Oracle Internet Directory servers on its node.

  2. Install and upgrade the software on OIDHOST1 and OIDHOST2 as described in Section 4.5.5, "Installing Oracle Identity Management."

  3. If you plan on provisioning the Oracle Internet Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OIDHOST1 and OIDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  4. Ensure that the load balancer is configured.

7.3 Configuring the Oracle Internet Directory Instances

Follow these steps to configure the Oracle Internet Directory components, OIDHOST1 and OIDHOST2 on the directory tier with Oracle Internet Directory. The procedures for the installations are very similar, but the selections in the configuration options screen differ.

This section contains the following topics:

  • Section 7.3.1, "Configuring the First Oracle Internet Directory Instance"

  • Section 7.3.2, "Configuring an Additional Oracle Internet Directory Instance"

7.3.1 Configuring the First Oracle Internet Directory Instance

  1. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command. Anchoring the pattern on the port separator avoids false matches on other ports (such as 3890 or 1389) and on addresses whose digits happen to contain 389 or 636.

    On UNIX:

    netstat -an | grep -E '[:.]389[[:space:]]'
    netstat -an | grep -E '[:.]636[[:space:]]'
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory on the installation media to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign ports 389 and 636, as follows:

    Port                                        Value

    Non-SSL port for Oracle Internet Directory  389

    SSL port for Oracle Internet Directory      636


  4. Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh on UNIX or IDM_ORACLE_HOME\bin\config.bat on Windows.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/oid_inst1

    • Oracle Instance Name: oid_inst1

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and then click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: oiddbhost1-vip.mycompany.com:1521:idmdb1^oiddbhost2-vip.mycompany.com:1521:idmdb2@oidedg.mycompany.com

      Notes:

      • The Oracle RAC database connect string information must be provided in the format:

        host1:port1:instance1^host2:port2:instance2@servicename

      • During this installation, it is not required that all the Oracle RAC instances be up; if one Oracle RAC instance is up, the installation can proceed. The information you provide must, however, be complete and accurate: the correct host, port, and instance name must be given for each Oracle RAC instance, and the service name must be configured for all the specified Oracle RAC instances. Any incorrect information entered in the Oracle RAC database connect string has to be corrected manually after the installation.

      • If you are using Oracle Database 11.2, replace the vip addresses and port with the 11.2 SCAN address and port.

    • User Name: ODS

    • Password: ****** (enter the password)

      Click Next.

  12. On the Configure OID screen, specify the Realm where you want your company information stored (for example, dc=mycompany,dc=com), enter the Administrator (cn=orcladmin) password, and click Next.

  13. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  14. On Linux and UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Edit the oracleRoot.sh script, changing the line:

    fi# This command path is not already provided in the existing root.sh 
    

    to two lines, like this:

    fi
    #  This command path is not already provided in the existing root.sh 
    

    Save the file, then open a window and run the oracleRoot.sh script, as the root user. When prompted:

    Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
    

    enter yes.

  15. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  16. On the Installation Complete screen, click Finish to confirm your choice to exit.

  17. To validate the installation of the Oracle Internet Directory instance on OIDHOST1, issue these commands:

    ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
    ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME (set to IDM_ORACLE_HOME)

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      • ORACLE_HOME/bin

      • ORACLE_HOME/ldap/bin

      • ORACLE_HOME/ldap/admin

It is recommended that you tune Oracle Internet Directory at this point. See the Oracle Internet Directory chapter in the Oracle Fusion Middleware Performance Guide.

7.3.2 Configuring an Additional Oracle Internet Directory Instance

The schema database must be running before you perform this task. Follow these steps to install Oracle Internet Directory on OIDHOST2:

  1. Ensure that ports 389 and 636 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command. Anchoring the pattern on the port separator avoids false matches on other ports (such as 3890 or 1389) and on addresses whose digits happen to contain 389 or 636.

    On UNIX:

    netstat -an | grep -E '[:.]389[[:space:]]'
    netstat -an | grep -E '[:.]636[[:space:]]'
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free them.

    On UNIX:

    Remove the entries for ports 389 and 636 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    Port                                        Value

    Non-SSL Port for Oracle Internet Directory  389

    SSL Port for Oracle Internet Directory      636


  4. Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    Oracle Instance Location: /u01/app/oracle/admin/oid_inst2

    Oracle Instance Name: oid_inst2

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Internet Directory, deselect all the other components, and click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Schema Database screen, select Use Existing Schema and specify the following values:

    • Connect String: oiddbhost1-vip.mycompany.com:1521:idmdb1^oiddbhost2-vip.mycompany.com:1521:idmdb2@oidedg.mycompany.com

      Notes:

      • The Oracle RAC database connect string information must be provided in the format:

        host1:port1:instance1^host2:port2:instance2@servicename

      • During this installation, it is not required that all the Oracle RAC instances be up. If one Oracle RAC instance is up, the installation can proceed.

      • You must provide complete and accurate information. Specifically, you must provide the correct host, port, and instance name for each Oracle RAC instance, and the service name you provide must be configured for all the specified Oracle RAC instances.

        Any incorrect information entered in the Oracle RAC database connect string must be corrected manually after the installation.

    • User Name: ODS

    • Password: ****** (enter the password)

    Click Next.

  12. The ODS Schema in use message appears. The ODS schema chosen is already being used by the existing Oracle Internet Directory instance. Therefore, the new Oracle Internet Directory instance being configured would reuse the same schema.

    Choose Yes to continue.

    A popup window with this message appears:

    "Please ensure that the system time on this Identity Management Node is in sync with the time on other Identity management Nodes that are part of the Oracle Application Server Cluster (Identity Management) configuration. Failure to ensure this may result in unwanted instance failovers, inconsistent operational attributes in directory entries and potential inconsistent behavior of password state policies."

    Ensure that the system time on OIDHOST1 and OIDHOST2 is synchronized, as described in Section 7.2, "Prerequisites for Configuring Oracle Internet Directory Instances."

    Click OK to continue.

  13. On the Specify OID Admin Password screen, specify the Oracle Internet Directory administration password.

    Note:

    If you see a message saying that OID is not running, verify that the orcladmin account has not become locked and try again. Do not continue until this message is no longer displayed.

    Click Next.

  14. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  15. On Linux and UNIX systems, a dialog box appears that prompts you to run the oracleRoot.sh script. Edit the oracleRoot.sh script, changing the line:

    fi# This command path is not already provided in the existing root.sh 
    

    to two lines, like this:

    fi
    #  This command path is not already provided in the existing root.sh 
    

    Save the file, then open a window and run the oracleRoot.sh script, as the root user. When prompted:

    Do you want to run oidRoot.sh to configure OID for privileged ports? (yes/no)
    

    enter yes.

  16. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

  17. On the Installation Complete screen, click Finish to confirm your choice to exit.

  18. To validate the installation of the Oracle Internet Directory instance on OIDHOST2, issue these commands:

    ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
    ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      ORACLE_HOME/bin

      ORACLE_HOME/ldap/bin

      ORACLE_HOME/ldap/admin
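The port check in step 1 of Section 7.3.1 and Section 7.3.2 is a plain substring search over netstat output, so a process bound to port 3890, or a connection from an address such as 10.1.38.9, is reported as if it were using port 389. The following is an added example, not part of the Oracle guide: it parses the local-address column of netstat -an output and compares the port number exactly, so you know before launching config.sh whether 389 and 636 really have to be freed. It assumes the Linux netstat column layout; the SAMPLE_NETSTAT lines are constructed for offline use and show one bound port (636), one free port (389), and two lines that contain the digits 389 without using that port.

```python
"""Check that the OID LDAP ports are free before running config.sh.

Added example, not from the Oracle guide. Parses the local-address column
of `netstat -an` (Linux layout assumed) and compares port numbers exactly,
so 3890, 1389 or an address such as 10.1.38.9 never counts as port 389.
"""
import re
import subprocess

OID_PORTS = (389, 636)

# Constructed sample of `netstat -an` output for offline use: 389 is free,
# 636 is bound, and two lines contain the digits "389" without using port 389.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3890          0.0.0.0:*               LISTEN
tcp        0      0 10.1.38.9:1521          10.1.38.9:52211         ESTABLISHED
tcp6       0      0 :::636                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# proto, recv-q, send-q, then the local address; the rest of the line is ignored
_LOCAL_ADDR = re.compile(r"^(?:tcp|udp)6?\s+\d+\s+\d+\s+(\S+)")


def local_ports(netstat_output):
    """Return the set of local port numbers bound in netstat -an output."""
    ports = set()
    for line in netstat_output.splitlines():
        match = _LOCAL_ADDR.match(line)
        if not match:
            continue
        # Linux prints addr:port, and :::port for the IPv6 wildcard address;
        # the port is the text after the last colon either way.
        port = match.group(1).rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def ports_in_use(netstat_output, wanted=OID_PORTS):
    """Return the sorted subset of `wanted` that is already bound."""
    return sorted(set(wanted) & local_ports(netstat_output))


def check_host(wanted=OID_PORTS):
    """Run netstat on this host and return the OID ports that must be freed."""
    result = subprocess.run(["netstat", "-an"], capture_output=True,
                            text=True, check=True)
    return ports_in_use(result.stdout, wanted)


if __name__ == "__main__":
    busy = check_host()
    print("ports in use:", busy if busy else "none; 389 and 636 are free")
```

Run it on OIDHOST1 and OIDHOST2 before step 4; an empty result means the configuration assistant can bind both ports. Because the functions take the netstat text as an argument, the same logic can be pointed at output copied from a host you cannot log in to interactively.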

7.4 Post-Configuration Steps

Follow the steps in this section to complete the configuration of the Oracle Internet Directory instances.

This section contains the following topics:

  • Section 7.4.1, "Registering Oracle Internet Directory with the WebLogic Server Domain"

  • Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain"

  • Section 7.4.3, "Configuring Oracle Internet Directory to Accept Server Authentication Mode SSL Connections"

  • Section 7.4.4, "Validating SSL Manually"

  • Section 7.4.5, "Considering Oracle Internet Directory Password Policies"

7.4.1 Registering Oracle Internet Directory with the WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Internet Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Internet Directory instances installed on OIDHOST1 and OIDHOST2, follow these steps:

  1. Set the ORACLE_HOME variable. For example, on OIDHOST1 and OIDHOST2, issue this command:

    export ORACLE_HOME=IDM_ORACLE_HOME
    
  2. Set the ORACLE_INSTANCE variable. For example:

    On OIDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1
    

    On OIDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst2
    
  3. Execute the opmnctl registerinstance command on both OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName -adminPort WLSPort -adminUsername adminUserName
    

    For example, on OIDHOST1 and OIDHOST2:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost ADMINVHN -adminPort 7001 -adminUsername weblogic
    

    The command requires login to WebLogic Administration Server (idmhost1.mycompany.com)

    Username: weblogic

    Password: *******

    Note:

    For additional details on registering Oracle Internet Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance or Component with the WebLogic Server" section in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

  4. Update the Enterprise Manager Repository URL using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

    Syntax:

    ./emctl switchOMS ReposURL
    

    For Example:

    ./emctl switchOMS http://ADMINVHN:7001/em/upload
    

    Output:

    ./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload 
    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
    Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved.  
    SwitchOMS succeeded. 
    
  5. Wait a few minutes for the agents to reload. Then validate if the agents on OIDHOST1 and OIDHOST2 are configured properly to monitor their respective targets. Follow these steps to complete this task:

    • Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://ADMINVHN.mycompany.com:7001/em.

      Log in as the weblogic user.

    • From the Domain Home Page navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    • Validate that the host name in Agent URL under the Agent column matches the host name under the Host column. In case of a mismatch, follow these steps to correct the issue:

      • Click the configure link to go to the Configure Target Page.

      • On the Configure Target Page, click Change Agent and choose the correct agent for the host.

    • Update the WebLogic monitoring user name and the WebLogic monitoring password:

      • Enter weblogic as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.

      • Click OK to save your changes.

7.4.2 Generating a Certificate to be Used by the Identity Management Domain

Perform this task after you have registered Oracle Internet Directory with Oracle WebLogic Server.

External domains communicate with the Identity Management domain using SSL Server Authentication Only Mode. To enable the Identity Management domain to support this SSL mode, you must generate a certificate and store it in the Policy Store. In this mode the client verifies the server's certificate against the domain CA certificate; the server does not authenticate the client. The domain CA therefore lets calling domains confirm that they are talking to the genuine Identity Management domain and protects the traffic in transit, but it does not by itself restrict which domains can connect: the CA certificate is readable by anonymous users (see Section 7.4.2.2), so access control still rests on the LDAP bind credentials and directory ACLs. The domain level certificate is generated once per domain.

7.4.2.1 Prerequisites

Note:

Using the following approach for SSL configuration requires an LDAP server to be available as a central repository and also available as a demoCA. If you are deploying separate instances for Identity Store and Policy Store, you can use the Policy Store Oracle Internet Directory as the store for the SSL repository.

Prior to running this command ensure that:

  • Oracle Identity Management is installed on IDMHOST1.

  • Oracle Identity and Access Management is installed on IDMHOST1.

  • If you are using Windows, you have installed a UNIX emulation package such as Cygwin in order to run the scripts contained in this section. See http://www.cygwin.com.

    Note:

    When using Cygwin, ensure that you use the "/" character in path names when exporting a variable. For example:

    export ORACLE_HOME=c:/oracle/idm
    

7.4.2.2 Generating the Certificate

To generate a certificate for the IDMDomain execute the following commands on IDMHOST1.

  1. Set the ORACLE_HOME and JAVA_HOME variables and put the JDK on your PATH. For example, issue these commands:

    export ORACLE_HOME=IDM_ORACLE_HOME
    export JAVA_HOME=MW_HOME/jrockit_version
    export PATH=$JAVA_HOME/bin:$PATH
    
  2. Generate the certificate using the SSLGenCA command which is located in ORACLE_COMMON_HOME/bin

    For example:

    cd ORACLE_COMMON_HOME/bin
    ./SSLGenCA.sh
    
  3. When the command executes supply the following information:

    • LDAP host Name: policystore.mycompany.com.

      Note:

      It is recommended that you use the Policy Store directory, not the Identity Store.

    • LDAP Port: 389

    • Admin User: cn=orcladmin

    • password: admin_password

    • LDAP sslDomain where your CA will be stored: IDMDomain

    • Password to protect your CA wallet: wallet_password

    • Confirmed password for your CA wallet: wallet_password

Sample output:

SSL Certificate Authority Generation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
 
************************************************************************
*********** This tool will generate a self-signed CA wallet ************
*********** and store it in a central LDAP directory ************
*********** for IDM and FA SSL set up and provisioning ************
************************************************************************
>>>Enter the LDAP hostname [slc00xx.mycompany.com]: policystore.mycompany.com
>>>Enter the LDAP port [3060]: 389
>>>Enter the admin user [cn=orcladmin]
>>>Enter password for cn=orcladmin:
>>>Enter the LDAP sslDomain where your CA will be stored [idm]: IDMDomain
>>>Enter a password to protect your CA wallet:
>>>Enter confirmed password for your CA wallet:
 
Generate a new CA Wallet...
Create SSL Domains Container for cn=IDMDomain,cn=sslDomains...
Storing the newly generated CA to the LDAP...
Set up ACL to protect the CA wallet...
>>>The newly generated CA is stored in LDAP entry cn=demoCA,cn=IDMDomain,cn=sslDomains successfully.

This script performs the following tasks:

  • Creates a Demo Signing CA wallet for use in the domain.

  • Extracts the public Demo CA Certificate from the CA wallet.

  • Uploads the wallet and the certificate to LDAP and stores them in the entry: cn=demoCA,Deployment_SSL_Domain

  • Creates an access group in LDAP: cn=SSLDomains,cn=IDMDomain,cn=demoCA and grants that group administrative privileges to the parent container. All other entities are denied access. Add users to the group to give access. The Demo CA Certificate is now available for download by an anonymous or authenticated user.

  • The Demo CA Wallet password is stored locally in an obfuscated wallet for future use. Its path is: ORACLE_HOME/credCA/castore

    As administrator, you must secure this wallet so that only SSL administrators can read it.

    The best place to locate the Certificate is in the Policy Store.

7.4.3 Configuring Oracle Internet Directory to Accept Server Authentication Mode SSL Connections

If you plan to enable SSL Server Authentication Only Mode for your domain and have created a domain level SSL certificate as described in Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain," you must perform the following to ensure that your Oracle Internet Directory instances are capable of accepting requests using this mode. You must configure each Oracle Internet Directory instance independently.

7.4.3.1 Prerequisites

Prior to running this command ensure that:

7.4.3.2 Configuring Oracle Internet Directory for SSL

To enable Oracle Internet Directory to communicate using SSL Server Authentication Mode, perform the following steps on OIDHOST1 and OIDHOST2:

Note:

When you perform this operation, only the Oracle Internet Directory instance you are working on should be running.

  1. Set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, on OIDHOST1, issue this command

    export ORACLE_HOME=IDM_ORACLE_HOME
    export ORACLE_INSTANCE=/u01/app/oracle/admin/oid_inst1
    export JAVA_HOME=MW_HOME/jrockit_version
    export PATH=$JAVA_HOME/bin:$PATH
    
  2. To enable SSL Server Authentication use the tool SSLServerConfig which is located in:

    ORACLE_COMMON_HOME/bin

    For example

    $ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component oid
    
  3. When prompted, enter the following information:

    • LDAP Hostname: Central LDAP host, for example: policystore.mycompany.com

    • LDAP port: LDAP port, for example: 389

    • Admin user DN: cn=orcladmin

    • Password: administrator_password

    • sslDomain for the CA: IDMDomain. Oracle recommends that the sslDomain name be the same as the WebLogic domain name to make reference easier.

    • Password to protect your SSL wallet/keystore: password_for_local_keystore

    • Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore

    • Password for the CA wallet: certificate_password. This is the one created in Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain."

    • Country Name 2 letter code: Two letter country code, such as US

    • State or Province Name: State or province, for example: California

    • Locality Name: Enter the name of your city, for example: RedwoodCity

    • Organization Name: Company name, for example: mycompany

    • Organizational Unit Name: Leave at the default

    • Common Name: Name of this host, for example: OIDHOST1.mycompany.com

    • OID component name: Name of your Oracle Instance, for example: oid1. If you need to determine what your OID component name is, execute the command:

      ORACLE_INSTANCE/bin/opmnctl status
      
    • WebLogic admin host: Host running the WebLogic Administration Server, for example: adminvhn.mycompany.com

    • WebLogic admin port: WebLogic Administration Server port, for example: 7001

    • WebLogic admin user: Name of your WebLogic administration user, for example: weblogic

    • WebLogic password: password.

    • AS instance name: Name of the Oracle instance you entered in Step 7 of Section 7.3.1, "Configuring the First Oracle Internet Directory Instance" or Section 7.3.2, "Configuring an Additional Oracle Internet Directory Instance," for example: oid_inst1.

    • SSL wallet name for OID component [oid_wallet1]: Accept the default

    • Do you want to restart your OID component: Yes

    • Do you want to test your SSL setup? Yes

    • SSL Port of your OID Server: 636

Sample output:

Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
 
Downloading the CA wallet from the central LDAP location...
>>>Enter the LDAP Hostname [slc00dra.mycompany.com]: policystore.mycompany.com
>>>Enter the LDAP port [3060]: 389
>>>Enter an admin user DN [cn=orcladmin]
>>>Enter password for cn=orcladmin:
>>>Enter the sslDomain for the CA [idm]: IDMDomain
>>>Enter a password to protect your SSL wallet/keystore:
>>>Enter confirmed password for your SSL wallet/keystore:
>>>Enter password for the CA wallet:
>>>Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
>>>Searching the LDAP for the CA userpkcs12 ...
 
Invoking OID SSL Server Configuration Script...
Enter attribute values for your certificate DN
>>>Country Name 2 letter code [US]:
>>>State or Province Name [California]:
>>>Locality Name(eg, city) []:Redwood
>>>Organization Name (eg, company) [mycompany]:
>>>Organizational Unit Name (eg, section) [oid-20110524015634]:
>>>Common Name (eg, hostName.domainName.com) [slc00xxx.mycompany.com]:
The subject DN is cn=slc00dra.mycompany.com,ou=oid-20110524015634,l=Redwood,st=California,c=US
 
Creating an Oracle SSL Wallet for oid instance...
/u01/app/oracle/product/fmw/IDM/../oracle_common/bin
>>>Enter your OID component name: [oid1]
>>>Enter the weblogic admin server host [slc00xxx.mycompany.com] mdrv1
>>>Enter the weblogic admin port: [7001]
>>>Enter the weblogic admin user: [weblogic]
>>>Enter weblogic password:
>>>Enter your AS instance name:[asinst_1] oid1
>>>Enter an SSL wallet name for OID component [oid_wallet1]
Checking the existence of oid_wallet1 in the OID server...
Configuring the newly generated Oracle Wallet with your OID component...
Do you want to restart your OID component?[y/n]y
 
Do you want to test your SSL set up?[y/n]y
>>>Please enter your OID ssl port:[3131] 636
Please enter the OID hostname:[slc00dra.mycompany.com]
policystore.mycompany.com
>>>Invoking /u01/app/oracle/product/fmw/IDM/bin/ldapbind -h policystore.mycompany.com -p 636 -U 2 -D cn=orcladmin ...
Bind successful
 
Your oid1 SSL server has been set up successfully

Confirm that the script has been successful.

Repeat all the steps in this section, Section 7.4.3, "Configuring Oracle Internet Directory to Accept Server Authentication Mode SSL Connections," for each Oracle Internet Directory instance.

7.4.4 Validating SSL Manually

You can manually verify that the SSL connection has been set up correctly by generating a wallet and then using that wallet to access Oracle Internet Directory. Proceed as follows:

Execute the command

./SSLClientConfig.sh -component cacert

providing the following inputs:

  • LDAP host name: Name of the Oracle Internet Directory server containing the Domain Certificate

  • LDAP port: Port used to access Oracle Internet Directory, for example: 389

  • LDAP User: Oracle Internet Directory admin user, for example: cn=orcladmin

  • Password: Oracle Internet Directory admin user password

  • SSL Domain for CA: This is the value you entered in Section 7.4.2.2, "Generating the Certificate," for example, IDMDomain.

  • Password for truststore: This is the password you want to assign to your wallet.

When the command executes, it generates wallets in the directory IDM_ORACLE_HOME/rootCA/keystores/common

Now that you have a wallet, you can test that authentication is working by executing the command:

ldapbind -h oidhost1.mycompany.com -p 636 -U 2 -D cn=orcladmin -q -W "file:IDM_ORACLE_HOME/rootCA/keystores/common" -Q

You will be prompted for your Oracle Internet Directory password and for the wallet password. If the bind is successful, the SSL connection has been set up correctly.
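The ldapbind above confirms that the server certificate chains to the demo CA in your wallet. It does not tell you whether the certificate's subject matches the name clients actually use: Section 7.4.3 sets the Common Name to the physical host (for example OIDHOST1.mycompany.com), while applications reach the directory as policystore.mycompany.com or idstore.mycompany.com through the load balancer, so a client that also verifies the host name will reject that certificate even though the chain is valid. The following added example, not part of the Oracle guide, performs the same server-authentication-only handshake from Python and reports both results separately. It assumes the demo CA certificate has been exported from the wallet to a PEM file (for example with orapki wallet export); CA_FILE and the host names are placeholders, and SAMPLE_CERT is constructed data in the layout that ssl.SSLSocket.getpeercert() returns.

```python
"""Hand-check an OID SSL listener: chain validation plus host-name match.

Added example, not from the Oracle guide. Assumes the demo CA certificate
from Section 7.4.2 has been exported to a PEM file; CA_FILE and the host
names are placeholders, and SAMPLE_CERT is constructed test data.
"""
import socket
import ssl

# Placeholder: wherever you exported the demo CA certificate in PEM form.
CA_FILE = "/u01/app/oracle/product/fmw/IDM/rootCA/keystores/common/democa.pem"


def san_dns_names(cert):
    """DNS names from subjectAltName in the dict layout getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """Subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _label_match(pattern, host):
    """Exact match, or a single leftmost wildcard label (*.mycompany.com)."""
    pat, hst = pattern.lower().split("."), host.lower().split(".")
    if len(pat) != len(hst):
        return False
    if pat[0] == "*":
        return len(hst) > 1 and pat[1:] == hst[1:]
    return pat == hst


def name_matches(cert, hostname):
    """True if hostname is covered by a SAN dNSName, or by the CN when no SAN is present."""
    names = san_dns_names(cert)
    if not names and common_name(cert):
        names = [common_name(cert)]
    return any(_label_match(name, hostname) for name in names)


def check_ssl_listener(host, port=636, cafile=CA_FILE):
    """Handshake with the listener; raise ssl.SSLError if the chain does not
    validate against cafile, otherwise return (peer_cert, host_name_ok)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, trusting only our CA
    ctx.check_hostname = False                         # report the mismatch instead of failing
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert, name_matches(cert, host)


# Constructed peer certificate in getpeercert() layout, mirroring the subject
# DN that SSLServerConfig.sh builds in Section 7.4.3.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("stateOrProvinceName", "California"),),
                (("localityName", "Redwood"),),
                (("organizationalUnitName", "oid-20110524015634"),),
                (("commonName", "oidhost1.mycompany.com"),)),
    "notAfter": "May 23 01:56:34 2016 GMT",
}


if __name__ == "__main__":
    for name in ("oidhost1.mycompany.com", "policystore.mycompany.com"):
        cert, ok = check_ssl_listener(name)
        print(f"{name}: chain OK, CN={common_name(cert)}, host name matches: {ok}")
```

A successful handshake with host name matches False is the expected result for the load-balancer name with the certificate generated in Section 7.4.3; whether that matters depends on whether your LDAP clients verify the host name, which is something to settle before applications start connecting over SSL.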

7.4.5 Considering Oracle Internet Directory Password Policies

By default, Oracle Internet Directory passwords expire in 120 days. Users who do not reset their passwords before expiration can no longer authenticate to Oracle Internet Directory. This includes administrative users, such as oimLDAPuser, oamsoftwareuser, and oamadminuser. Your Identity Management environment cannot work properly unless these users can authenticate. See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about changing Oracle Internet Directory password policies.
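Because the service accounts named above stop working silently when their passwords lapse, it is worth checking expiry dates on a schedule rather than waiting for an outage. The following is an added example, not part of the Oracle guide: it reads the pwdchangedtime operational attribute that Oracle Internet Directory stamps on each entry when its password is set, adds the policy's pwdmaxage (in seconds; 10368000 is the 120-day default the paragraph refers to), and lists the accounts that expire within a warning window. The SAMPLE_LDIF is constructed for offline use and assumes the users live under cn=Users,dc=mycompany,dc=com; in practice you would feed the function the output of an ldapsearch for pwdchangedtime over that container.

```python
"""Report OID accounts whose passwords are about to expire.

Added example, not from the Oracle guide. OID records the time of the last
password change in the operational attribute pwdchangedtime (GeneralizedTime,
UTC) and expires passwords after the policy's pwdmaxage seconds; 10368000 s
is the 120-day default the guide refers to. The LDIF below is constructed for
offline use; in practice feed the function the output of an ldapsearch for
pwdchangedtime under your users container (assumed here to be
cn=Users,dc=mycompany,dc=com).
"""
from datetime import datetime, timedelta, timezone

DEFAULT_PWDMAXAGE = 10368000  # seconds: OID's 120-day default

# Constructed sample, in the shape `ldapsearch ... pwdchangedtime` prints.
# The last entry deliberately has no pwdchangedtime.
SAMPLE_LDIF = """\
dn: cn=oimLDAPuser,cn=Users,dc=mycompany,dc=com
pwdchangedtime: 20110201120000Z

dn: cn=oamsoftwareuser,cn=Users,dc=mycompany,dc=com
pwdchangedtime: 20110520093000Z

dn: cn=jdoe,cn=Users,dc=mycompany,dc=com
pwdchangedtime: 20110110000000Z

dn: cn=oamadminuser,cn=Users,dc=mycompany,dc=com
"""


def parse_ldif(text):
    """Return [(dn, {attr: value})] for blank-line separated, single-valued LDIF."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        if key == "dn":
            dn = value.strip()
        else:
            attrs[key.lower()] = value.strip()
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime such as 20110524015634Z to an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiring_accounts(ldif_text, now, pwdmaxage=DEFAULT_PWDMAXAGE, warn_days=14):
    """Return [(dn, days_left)] for passwords expiring within warn_days.

    days_left is rounded down, so a negative value means the password has
    already expired. Entries with no pwdchangedtime are listed with None so
    they can be inspected by hand. Soonest expiry first; unknowns last.
    """
    report = []
    for dn, attrs in parse_ldif(ldif_text):
        changed = attrs.get("pwdchangedtime")
        if changed is None:
            report.append((dn, None))
            continue
        expires = parse_generalized_time(changed) + timedelta(seconds=pwdmaxage)
        days_left = (expires - now).days
        if days_left <= warn_days:
            report.append((dn, days_left))
    return sorted(report, key=lambda item: (item[1] is None, item[1] or 0))


if __name__ == "__main__":
    for dn, days in expiring_accounts(SAMPLE_LDIF, datetime.now(timezone.utc)):
        label = "unknown" if days is None else str(days)
        print(f"{label:>8}  {dn}")
```

Run with the pwdmaxage value actually configured in your password policy rather than the default if you have changed it; a negative days_left for one of the oim or oam accounts explains an Identity Management outage far faster than the application logs do.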

7.5 Validating the Oracle Internet Directory Instances

To validate the Oracle Internet Directory instances, ensure that you can connect to each Oracle Internet Directory instance and the load balancing router using these commands:

Note:

Ensure that the following environment variables are set before using ldapbind:

  • ORACLE_HOME (set to IDM_ORACLE_HOME)

  • ORACLE_INSTANCE

  • PATH - The following directory locations should be in your PATH:

    ORACLE_HOME/bin

    ORACLE_HOME/ldap/bin

    ORACLE_HOME/ldap/admin

ldapbind -h oidhost1.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost1.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
ldapbind -h oidhost2.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h oidhost2.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1
ldapbind -h policystore.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h policystore.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

If your Identity Store is also in Oracle Internet Directory then check:

ldapbind -h idstore.mycompany.com -p 389 -D "cn=orcladmin" -q
ldapbind -h idstore.mycompany.com -p 636 -D "cn=orcladmin" -q -U 1

Note:

The -q option prompts the user for a password. LDAP tools have been modified to disable the options -w password and -P password when the environment variable LDAP_PASSWORD_PROMPTONLY is set to TRUE or 1. Use this feature whenever possible.

7.6 Tuning Oracle Internet Directory

After you deploy Oracle Internet Directory, you must tune it as described in Oracle Fusion Middleware Performance Guide. (You might find it easier to tune Oracle Internet Directory after installing ODSM.)

In particular, set the following values when deploying Oracle Identity Management for Fusion Applications:

Attribute            Value

orclskiprefinsql     1

orclmaxcc            4

orclserverprocs      4

orclmatchdnenabled   0

orclmaxldapconns     4096


7.7 Backing up the Oracle Internet Directory Configuration

It is an Oracle best practices recommendation to create a backup file after successfully completing the installation and configuration of each tier or at a logical point. Create a backup of the installation after verifying that the install so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific Backup and Recovery process can be initiated. More details are described in the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the Oracle Internet Directory instances in the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall
      
    2. Create a backup of the Middleware home on the directory tier. On Linux, as the root user, type:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME
      
    3. Create a backup of the Instance home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE
      
    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall
      
  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory. On Linux, type:

    IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver
    

Note:

Create backups on all machines in the directory tier by following the steps shown in this section.

For more information about backing up the directory tier configuration, see Section 19.4, "Performing Backups and Recoveries."