Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)

Part Number E10043-11

K Adapter Configuration for Identity Virtualization

The identity virtualization feature, described in Section 7.3, "Configuring the Identity Store Service", requires some additional configuration to support a split profile.

This appendix describes how to create and manage the adapters used for split profiles.

K.1 About Split Profiles

The Identity Virtualization feature enables you to query multiple LDAP directories through OPSS. For example, you can fetch data from both Oracle Internet Directory and Microsoft Active Directory in a single query.

The feature supports a "split profile", in which an application uses attributes of a single identity that are stored in two different sources; for example, the username, password, and employeeID for a person are stored in Microsoft Active Directory, while that same person's employeeID and business role are stored in Oracle Internet Directory.

For example, when a WebCenter application needs to obtain attributes for a single identity from more than one source directory, it uses the split profile to leverage the join functionality of Identity Virtualization. These joins use a standard join adapter. For details, see:

The adapter configuration is stored in adapters.os_xml, but connection details such as host, port and credentials of a back-end directory come from OPSS.

K.2 Configuring a Split Profile

The same user occurs in both identity stores with some attributes in one store and other attributes in the other store. A query on the user record requires data from both stores. The configuration tasks are:

  1. Configure the identity store service with the virtualize property to enable queries against multiple LDAP stores.

    For details, see Section 7.3, "Configuring the Identity Store Service."

  2. Connect to the WebLogic Administration Server to run the commands that configure the join adapter for the identity stores. For information about the available WLST commands, see "Library Oracle Virtual Directory (LibOVD) Commands" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

    For details about how to bring up the WLST prompt, see "Getting Started Using Command-Line Tools" in the Oracle Fusion Middleware Administrator's Guide.

    For information about the

  3. Create the join adapter in the primary identity store:

    createJoinAdapter(adapterName="Join Adapter Name", root="Namespace", primaryAdapter="Primary Adapter Name")
    
  4. Add the join rule to the secondary store(s):

    addJoinRule(adapterName="Join Adapter Name", secondary="Secondary Adapter Name", condition="Join Condition")
    

    Note:

    If there is more than one secondary identity store, run the addJoinRule command for each secondary store.

  5. Run the modifyLDAPAdapter command:

    modifyLDAPAdapter(adapterName="AuthenticatorName", attribute="Visible", value="Internal")
    

    Note:

    If there is more than one secondary identity store, run the modifyLDAPAdapter command for each secondary ID store.

Example

In this example the same user occurs in two stores; the first store is Microsoft Active Directory and the second store is Oracle Internet Directory. In the example, we assume that Microsoft Active Directory is the primary store and Oracle Internet Directory is the secondary store.

Note:

When configuring the LDAP connection parameters, the user.create.bases and group.create.bases must correspond to the primary adapter's namespace. For details about the parameters, see Section 7.3.1, "What is Configured?."


Authenticator 1
    Authenticator Name: Microsoft Active Directory (AD)
    User Base: cn=users,dc=acme,dc=com

Authenticator 2
    Authenticator Name: Oracle Internet Directory (OID)
    User Base: cn=users,dc=oid,dc=com

The steps to implement the split profile are as follows:

  1. Create the join adapter:

    createJoinAdapter(adapterName="JoinAdapter1", root="dc=acme,dc=com", primaryAdapter="AD")
    

    The adapter name shown here is an example; use an appropriate name in actual usage.

  2. Specify the join rule:

    addJoinRule(adapterName="JoinAdapter1", secondary="OID", condition="uid=cn")
    

    "uid=cn" is the join condition in this example. It specifies that when the uid value of a user in Oracle Internet Directory (the secondary store) matches the cn value of a user in Microsoft Active Directory (the primary store), the attributes of the two entries are combined into a single profile.

    The attribute on the left side of the condition is the attribute in the secondary adapter and the attribute on the right side is the attribute in the primary adapter.

  3. Modify the adapters:

    modifyLDAPAdapter(adapterName="OID", attribute="Visible", value="Internal")
    
    modifyLDAPAdapter(adapterName="AD", attribute="Visible", value="Internal")
    

    The adapter names used here are the actual names of the authenticators. The names passed in the primaryAdapter and secondary parameters likewise refer to authenticator names. The join adapter name can be any name you choose.

  4. Restart the WebLogic Administration Server and Managed Servers.
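The following Python model illustrates what the join rule above does once the adapters are in place: it builds one entry per user of the primary adapter and attaches the attributes of the secondary entry whose join attribute matches. This is an added illustration, not Oracle code or the LibOVD implementation. It reproduces the documented rule (the left side of the condition names an attribute in the secondary adapter, the right side an attribute in the primary adapter) on constructed sample entries; the case-insensitive comparison, the rejection of non-unique join keys, and the primary-wins conflict handling are assumptions of this model.

```python
"""Model of how a join adapter assembles a split profile: one entry per user in
the primary adapter, extended with the attributes of the secondary entry whose
join attribute matches.

Added illustration, not Oracle code. It reproduces the rule documented above
(left side of the condition = secondary attribute, right side = primary
attribute) on constructed sample entries; the conflict and case-handling
choices are assumptions of this model.
"""

# Constructed sample entries standing in for the two authenticators above.
PRIMARY_AD = {   # adapter "AD", user base cn=users,dc=acme,dc=com
    "cn=jdoe,cn=users,dc=acme,dc=com": {
        "cn": "jdoe", "sAMAccountName": "jdoe", "employeeID": "1001"},
    "cn=asmith,cn=users,dc=acme,dc=com": {
        "cn": "asmith", "sAMAccountName": "asmith", "employeeID": "1002"},
}
SECONDARY_OID = {  # adapter "OID", user base cn=users,dc=oid,dc=com
    "uid=jdoe,cn=users,dc=oid,dc=com": {
        "uid": "jdoe", "employeeID": "1001", "businessRole": "analyst"},
    "uid=ghost,cn=users,dc=oid,dc=com": {
        "uid": "ghost", "employeeID": "9999", "businessRole": "admin"},
}


def parse_join_condition(condition):
    """Split "secondaryAttr=primaryAttr" into (secondary_attr, primary_attr)."""
    left, sep, right = condition.partition("=")
    left, right = left.strip(), right.strip()
    if not sep or not left or not right:
        raise ValueError("join condition must be secondaryAttr=primaryAttr, got %r" % condition)
    return left, right


def index_by_join_attribute(store, attr):
    """Map each distinct join-attribute value to the DN that carries it.

    Values are compared case-insensitively (assumption: the join attribute is
    a case-insensitive LDAP attribute such as uid or cn). A duplicate value is
    an error: joining on a non-unique attribute would attach one person's
    secondary attributes (here, businessRole) to another person's profile.
    """
    index = {}
    for dn, attrs in store.items():
        value = attrs.get(attr)
        if value is None:
            continue
        key = value.lower()
        if key in index:
            raise ValueError("join attribute %s=%s is not unique: %s and %s"
                             % (attr, value, index[key], dn))
        index[key] = dn
    return index


def join_entries(primary, join_rules):
    """Build the joined view for every entry of the primary adapter.

    join_rules is a list of (secondary_store, condition) pairs, one per
    addJoinRule call. A primary user with no match in a secondary store keeps
    only the attributes it already has; users that exist only in a secondary
    store never appear, because the join is driven from the primary adapter.
    On attribute-name conflicts the primary value is kept (assumption).
    """
    indexed = []
    for store, condition in join_rules:
        sec_attr, pri_attr = parse_join_condition(condition)
        indexed.append((store, pri_attr, index_by_join_attribute(store, sec_attr)))

    joined = {}
    for dn, attrs in primary.items():
        merged = {}
        for store, pri_attr, index in indexed:
            value = attrs.get(pri_attr)
            if value is not None and value.lower() in index:
                merged.update(store[index[value.lower()]])
        merged.update(attrs)  # primary attributes take precedence
        joined[dn] = merged
    return joined


if __name__ == "__main__":
    # Same rule as the addJoinRule example above: uid in OID matches cn in AD.
    view = join_entries(PRIMARY_AD, [(SECONDARY_OID, "uid=cn")])
    for dn, attrs in view.items():
        print(dn, attrs)
```

Two things the model makes visible that the command alone does not: writing the condition backwards ("cn=uid") silently produces no join at all, because neither side finds the attribute it is told to use; and a join attribute that is not unique in the secondary store would merge two people's attributes, which is why the model refuses it rather than picking one.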

K.3 Deleting a Join Rule

You use the removeJoinRule command to remove a join rule from a join adapter.

Syntax

removeJoinRule(adapterName="adapterName", secondary="Secondary Adapter associated with the JoinRule")

Example

removeJoinRule(adapterName="JoinAdapter1", secondary="OID")

K.4 Deleting a Join Adapter

You use the deleteAdapter command to delete a join adapter.

Syntax

deleteAdapter(adapterName="name")

Example

deleteAdapter(adapterName="JoinAdapter1")

K.5 Changing Adapter Visibility

You use the modifyLDAPAdapter command to change the visibility of the adapters. For example:

modifyLDAPAdapter(adapterName="AuthenticatorName", attribute="Visible", value="Yes")

K.6 Enabling Access Logging for Identity Virtualization Library

Access logging for the Identity Virtualization Library captures every request and response that flows through the library, which is useful when triaging performance issues.

To enable access logging for Identity Virtualization Library:

  1. Remove any Identity Virtualization Library loggers that were previously configured at Debug level. While such loggers are active, the recorded numbers do not reflect real performance.

  2. Create a WebLogic logger named oracle.ods.virtualization.accesslog in WebLogic Server with NOTIFICATION level.

  3. Create a WebLogic loghandler, specifying a file name similar to ovd-access.log and associate that log handler to the logger you created in step 2.

    This loghandler logs all Oracle Virtual Directory access log messages into a separate file.

  4. Create a backup of the DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml file, and then add the following XML fragment (if it is not already present):

    <providers ..>
       ...
       <auditLogPublisher>
          <provider name="FMWAuditLogPublisher">
            ...
          </provider>
          <provider name="AccessLogPublisher">
             <configClass>oracle.ods.virtualization.config.AccessLogPublisherConfig</configClass>
             <properties>
                <property name="enabled" value="true"/>
             </properties>
          </provider>
       </auditLogPublisher>
       ...
    </providers>
    
  5. Restart the WebLogic Administration Server and Managed Servers.

The Identity Virtualization Library now writes the access log to the ovd-access.log file.
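Because the fragment in step 4 must be added only "if it is not already present", and a stale or disabled AccessLogPublisher element is easy to overlook before a server restart, the following Python script checks a provider.os_xml document for the publisher and adds or enables it idempotently. This is an added example, not an Oracle tool. It assumes the element layout shown in the fragment above (providers > auditLogPublisher > provider > configClass / properties) and a file without an XML namespace; the sample document it runs on is constructed, with the existing FMWAuditLogPublisher contents elided just as they are on the page. Back the real file up before rewriting it, as step 4 says.

```python
"""Check for, and if necessary add or enable, the AccessLogPublisher provider
in a provider.os_xml document, following the fragment shown in step 4 above.

Added example, not Oracle tooling. Assumes the element layout of that fragment
(providers > auditLogPublisher > provider) and no XML namespace on the file.
"""
import xml.etree.ElementTree as ET

ACCESS_LOG_CONFIG_CLASS = "oracle.ods.virtualization.config.AccessLogPublisherConfig"

# Constructed sample: a provider.os_xml that has only the audit publisher.
# The real FMWAuditLogPublisher contents are elided, as in the page's fragment.
SAMPLE_BEFORE = """<providers>
  <auditLogPublisher>
    <provider name="FMWAuditLogPublisher">
      <properties/>
    </provider>
  </auditLogPublisher>
</providers>
"""


def _access_log_provider(root):
    """Return the <provider name="AccessLogPublisher"> element, or None."""
    for publisher in root.findall("auditLogPublisher"):
        for provider in publisher.findall("provider"):
            if provider.get("name") == "AccessLogPublisher":
                return provider
    return None


def access_log_enabled(xml_text):
    """True only if AccessLogPublisher exists and its 'enabled' property is true."""
    provider = _access_log_provider(ET.fromstring(xml_text))
    if provider is None:
        return False
    for prop in provider.findall("properties/property"):
        if prop.get("name") == "enabled":
            return (prop.get("value") or "").strip().lower() == "true"
    return False


def ensure_access_log_publisher(xml_text):
    """Return (xml_text, changed).

    Adds the step-4 fragment when the provider is missing, or flips its
    'enabled' property to true, and leaves everything else untouched. Refuses
    to proceed if a provider of that name points at an unexpected configClass,
    so a hand-edited file is not silently overwritten.
    """
    root = ET.fromstring(xml_text)
    publisher = root.find("auditLogPublisher")
    if publisher is None:
        publisher = ET.SubElement(root, "auditLogPublisher")
    provider = _access_log_provider(root)
    if provider is None:
        provider = ET.SubElement(publisher, "provider", name="AccessLogPublisher")
        ET.SubElement(provider, "configClass").text = ACCESS_LOG_CONFIG_CLASS
        props = ET.SubElement(provider, "properties")
        ET.SubElement(props, "property", name="enabled", value="true")
        return ET.tostring(root, encoding="unicode"), True

    config = provider.find("configClass")
    actual = (config.text or "").strip() if config is not None else None
    if actual != ACCESS_LOG_CONFIG_CLASS:
        raise ValueError("AccessLogPublisher present with unexpected configClass %r" % actual)
    props = provider.find("properties")
    if props is None:
        props = ET.SubElement(provider, "properties")
    for prop in props.findall("property"):
        if prop.get("name") == "enabled":
            if (prop.get("value") or "").strip().lower() == "true":
                return xml_text, False          # already enabled: no rewrite
            prop.set("value", "true")
            return ET.tostring(root, encoding="unicode"), True
    ET.SubElement(props, "property", name="enabled", value="true")
    return ET.tostring(root, encoding="unicode"), True


if __name__ == "__main__":
    updated, changed = ensure_access_log_publisher(SAMPLE_BEFORE)
    print("changed:", changed, "enabled:", access_log_enabled(updated))
    print(updated)
```

Run it against a copy of DOMAIN_HOME/config/fmwconfig/ovd/default/provider.os_xml (read the file, pass its text in, write the result back only when changed is True) and confirm access_log_enabled returns True before restarting the servers.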