4 Managing the Oracle Directory Integration Platform

This chapter discusses the Oracle Directory Integration Platform and explains how to configure and manage it. It contains these topics:

See Also:

"Oracle Directory Integration Platform" for a summary of the functions performed by the Oracle Directory Integration Platform

Note:

For security reasons, Oracle recommends that you run the Oracle Directory Integration Platform on the same host as the Oracle back-end directory. If you run Oracle Directory Integration Platform and the Oracle back-end directory on different hosts, Oracle recommends running them using SSL.

4.1 Operational Information About the Oracle Directory Integration Platform

This section introduces structural and operational information about the Oracle Directory Integration Platform and contains these topics:

4.1.1 Directory Integration Profiles

In Oracle Directory Integration Platform, you can create two types of profiles: a directory synchronization profile and a directory provisioning profile. A directory synchronization profile describes how synchronization is carried out between the Oracle back-end directory and a connected directory. You can create two types of directory synchronization profiles: an import profile and an export profile. An import profile imports changes from a connected directory to the Oracle back-end directory while an export profile exports changes from the Oracle back-end directory to a connected directory. A directory provisioning profile describes the nature of provisioning-related notifications that Oracle Directory Integration Platform sends to the directory-enabled applications. Sometimes a provisioning profile is also configured to notify the Oracle back-end directory about the changes happening in the application's data source. Multiple profiles can be used at the same time.

Each type of profile is a special kind of directory integration profile, which is an entry in the Oracle back-end directory that describes how Oracle Directory Integration Platform communicates with external systems and what is communicated.

4.1.2 Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Back-end Directory Replication Environment

In a multimaster Oracle back-end directory environment, changes to directory synchronization profiles on one Oracle back-end directory node must be replicated or copied to any secondary nodes. This allows a directory synchronization profile to execute on a secondary node in the event of a problem on the primary node.

In a multimaster Oracle Unified Directory or Oracle Directory Server Enterprise Edition environment, if a suffix containing DIP meta-data is chosen for replication, the profiles are automatically replicated.

In a multimaster Oracle Internet Directory replication environment, however, changes to directory synchronization profiles on one Oracle Internet Directory node are not automatically replicated on other Oracle Internet Directory nodes. For this reason, you must copy the profiles on the primary node to any secondary nodes. For instructions, see the following section.

Note:

The value assigned to the orcllastappliedchangenumber attribute in a directory synchronization profile is local to the Oracle Internet Directory node where the profile is located. This means that if you copy a directory synchronization profile from one Oracle Internet Directory node to another, the correct state of synchronization or event propagation will not be preserved.

4.1.2.1 Directory Synchronization in an Oracle Back-end Directory Multimaster Replication Environment

If you copy the profiles on the primary node to any secondary nodes, update the lastchangenumber attribute with the value from the target node, as follows. This step needs to be done once after the profile is set up.

This update is required if your Oracle back-end directory is Oracle Internet Directory. If your Oracle back-end directory is either Oracle Unified Directory or Oracle Directory Server Enterprise Edition, this step is only required if you copy the suffix containing DIP metadata from a primary node to secondary nodes instead of using replication.

  1. Disable the synchronization profile.

  2. Get the value of the lastchangenumber attribute on the target node using the ldapsearch command.

  3. Use ldapsearch to get the LDIF dump of the profile entry.

  4. Use ldapadd to add the profile to the other Oracle back-end directory instance.

  5. Use the updatechgnum operation of the manageSyncProfiles command to update the lastchangenumber attribute in the export profile you copied to the target node with the value you obtained in Step 2.

  6. Enable the synchronization profile.
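For steps 2 to 4 above, an added helper (not from the Oracle documentation) that unfolds the LDIF dump produced by ldapsearch and sets the node-local orcllastappliedchangenumber to the target node's lastchangenumber before the entry is fed to ldapadd; the DNs and attribute values are constructed sample data. Step 5 still applies if you add the entry unchanged and adjust the number afterwards with manageSyncProfiles.

```python
"""Prepare a dumped DIP synchronization profile for ldapadd on another OID node.

Added example, not Oracle's code. Covers steps 2 to 4 of the copy procedure:
read the target node's root-DSE lastchangenumber, unfold the LDIF that
ldapsearch dumped on the primary node, and set orcllastappliedchangenumber
(node-local, see the Note above) to the target value before the ldapadd.
All DNs and attribute values here are constructed sample data.
"""
from __future__ import annotations

CHANGE_NUMBER_ATTR = "orcllastappliedchangenumber"

# Constructed: `ldapsearch -h target -p port -D cn=orcladmin -q -s base -b "" objectclass=* lastchangenumber`
ROOT_DSE_SAMPLE = """\
dn:
lastchangenumber: 48213
"""

# Constructed: LDIF dump of the profile entry on the primary node (step 3). ldapsearch
# folds values longer than 76 characters; a continuation line starts with one space and
# must be joined back before the value is inspected or written out.
PROFILE_SAMPLE = """\
dn: orclodipagentname=SampleExport,cn=subscriber profile,cn=changelog subscri
 ber,cn=oracle internet directory
objectclass: orclodipintegrationprofile
objectclass: top
orclodipagentname: SampleExport
description: Export profile that pushes user changes from the Oracle back-en
 d directory to the connected directory
orcllastappliedchangenumber: 1057
orclodipsynchronizationmode: EXPORT
"""


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines and drop comment lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation: append without the leading space
        else:
            lines.append(raw)
    return lines


def _attr_name(line: str) -> str | None:
    """Lower-cased attribute name of an LDIF line, or None for a blank line."""
    name, sep, _ = line.partition(":")
    return name.strip().lower() if sep else None


def lastchangenumber_from_rootdse(text: str) -> int:
    """Extract lastchangenumber from the target node's root DSE search output (step 2)."""
    for line in unfold_ldif(text):
        if _attr_name(line) == "lastchangenumber":
            return int(line.partition(":")[2].strip())
    raise ValueError("lastchangenumber not found in root DSE output")


def rewrite_change_number(profile_ldif: str, target_change_number: int) -> str:
    """Return the profile LDIF with orcllastappliedchangenumber set to the target value.

    All other lines pass through unfolded (ldapadd accepts long lines). Raises if
    the entry has no change number, since it is then not a synchronization profile.
    """
    out: list[str] = []
    replaced = False
    for line in unfold_ldif(profile_ldif):
        if _attr_name(line) == CHANGE_NUMBER_ATTR:
            out.append(f"{CHANGE_NUMBER_ATTR}: {target_change_number}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError(f"{CHANGE_NUMBER_ATTR} not present; not a synchronization profile dump?")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Step 4 then becomes:  ldapadd -h target_host -p port -D cn=orcladmin -q -f profile_for_target.ldif
    target = lastchangenumber_from_rootdse(ROOT_DSE_SAMPLE)
    with open("profile_for_target.ldif", "w") as fh:
        fh.write(rewrite_change_number(PROFILE_SAMPLE, target))
    print(f"wrote profile_for_target.ldif with {CHANGE_NUMBER_ATTR}={target}")
```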

4.1.2.2 Directory Provisioning in an Oracle Internet Directory Multimaster Replication Environment

In a default multimaster Oracle Internet Directory replication environment, the Oracle Directory Integration Platform is installed in the same location as the primary Oracle Internet Directory. If the primary node fails, event propagation stops for all profiles located on the node. Although the events are queued and not lost while the primary node is stopped, the events will not be propagated to any applications that expect them. To ensure that events continue to be propagated even when the primary node is down, you must copy the version 1.0 and version 2.0 directory provisioning profiles to other secondary nodes in a multimaster Oracle Internet Directory environment. Version 3.0 directory provisioning profiles are automatically replicated.

Note:

Directory provisioning profiles should be copied from the primary node to any secondary nodes only immediately after an application is installed and before any user changes are made in Oracle Internet Directory.

To copy the directory provisioning profiles from a primary node to any secondary nodes, use the update operation of the manageSyncProfiles command.

See Also:

The Oracle Directory Integration Platform chapter of Oracle Identity Management User Reference for more information on the manageSyncProfiles command.

4.2 Viewing Oracle Directory Integration Platform Status and Registration Information

This topic explains how to view Oracle Directory Integration Platform status and registration information and contains the following sections:

4.2.1 Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility

The dipStatus utility, located in the ORACLE_HOME/bin directory, allows you to check the status of Oracle Directory Integration Platform and whether or not it is registered.

Notes:

  • Best security practice is to provide a password only in response to a prompt from the command.

  • You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.

  • The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

4.2.1.1 Syntax for dipStatus

dipStatus

dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE
-keystoreType TYPE] [-help]

4.2.1.2 Arguments for dipStatus

-h | -host

Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.

-p | -port

Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.

Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12

-help

Provides usage help for the command.

4.2.1.3 Examples for dipStatus

dipStatus -h myhost.mycompany.com -p 7005 -D login_ID
dipStatus -help

4.2.2 Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility

To view registration information for the Oracle Directory Integration Platform component using the ldapsearch utility, perform a base search on its entry. For example:

ldapsearch -h oid_host -p port -D cn=orcladmin -q -s base \
   -b "cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext" \
   objectclass=*

Note:

You will be prompted for the password.

This example search returns the following:

Dn: cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext
userpassword: {SHA}+vk5wSvnVoXCBCRyBWJnH0S33zc=
orclaci: access to entry by self (add,delete,browse,proxy); access to attr=(*) by self (search,read,write,compare)
orclversion: 3.0
cn: odisrv
objectclass: orclodiserver; top;
authpassword;oid: {SASL/MD5}2NOnGTWkSP9c1w7R/o9Djw== {SASL/MD5-DN}ezUTC3k7rSL41ZxdxhlXxw==;{SASL/MD5-U}kEQcl+/AZEXVukeA5YPnog==

4.3 Managing Oracle Directory Integration Platform Using Fusion Middleware Control

This section describes how to use Oracle Enterprise Manager Fusion Middleware Control to manage Oracle Directory Integration Platform. It contains these topics:

4.3.1 Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control

To view runtime information for the Oracle Directory Integration Platform component using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.

  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that you want to view runtime information for. Oracle Enterprise Manager Fusion Middleware Control opens the Oracle Directory Integration Platform home page, which includes the following information:

    • Synchronization Profiles: Summary of the configured synchronization profiles.

    • Provisioning Profiles: Summary of the configured provisioning profiles.

    • Resource Usage: Charts showing percentages of CPU and Memory being utilized on the Oracle Directory Integration Platform host.

Tip:

To return to the Oracle Directory Integration Platform home page after navigating to other Oracle Directory Integration Platform pages in Oracle Enterprise Manager Fusion Middleware Control, click Home on the DIP Server menu.

4.3.2 Starting Oracle Directory Integration Platform with Fusion Middleware Control

To start Oracle Directory Integration Platform by using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.

  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that you want to start.

  4. Click the DIP Server menu, point to Control, and then click Start.

4.3.3 Stopping Oracle Directory Integration Platform with Fusion Middleware Control

To stop Oracle Directory Integration Platform by using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.

  2. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that you want to stop.

  4. Click the DIP Server menu, point to Control, and then click Stop.

  5. When the confirmation dialog appears, click Yes.

4.3.4 Managing the Oracle Directory Integration Platform Server Configuration

To configure the Oracle Directory Integration Platform Server Refresh Interval and settings for the connection to the Oracle back-end directory using Oracle Enterprise Manager Fusion Middleware Control:

  1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.

  2. Log in to Oracle Enterprise Manager Fusion Middleware Control. Oracle Enterprise Manager Fusion Middleware Control opens the Home Page.

  3. In the navigation panel on the left, click or expand the Identity and Access entry and then select the DIP component that you want to manage.

  4. Click the DIP Server menu, point to Administration, and then click Server Properties.

    The DIP Server Configuration page appears.

    The following list describes the fields and options on the DIP Server Configuration page:

    • Server Refresh Interval (sec): The time interval (amount of time in seconds) that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.

    • OID Connection Settings / OUD Connection Settings / ODSEE Connection Settings: Enter the host name and port of the Oracle back-end directory where you want to save the Oracle Directory Integration Platform configuration.

    • OID connect SSL Mode / OUD connect SSL Mode / ODSEE connect SSL Mode: Specify the mode Directory Integration Platform uses to connect to the Oracle back-end directory.

      Note:

      For Oracle Internet Directory, you cannot specify no-SSL (mode 0) as the mode Directory Integration Platform uses to connect to the Oracle back-end directory using Oracle Enterprise Manager Fusion Middleware Control.

      For Oracle Unified Directory and Oracle Directory Server Enterprise Edition, you can specify no-SSL (mode 0).

      The supported options are:

      • No-auth (mode 1): Directory Integration Platform connects to the Oracle back-end directory using only SSL encryption.

        This option is only available if Oracle Internet Directory is your Oracle back-end directory. It is not available if Oracle Unified Directory or Oracle Directory Server Enterprise Edition is your Oracle back-end directory.

      • Server Only (mode 2): Directory Integration Platform connects to and is authenticated only by the Oracle back-end directory.

        Note:

        If you select the Server Only (mode 2) option, you must configure Oracle Directory Integration Platform for SSL Mode 2 server-only authentication from the command line. Refer to "Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication" for more information.

  5. Optionally, click Test Connection to test the connection to the target Oracle back-end directory.

  6. Make the desired changes and click the Apply button.

4.3.5 Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control

Oracle Enterprise Manager Fusion Middleware Control allows you to list, search, and configure log files across Oracle Fusion Middleware components. You can view log files from Oracle Enterprise Manager Fusion Middleware Control or download log files and view them using another tool. You can also list and search log files using the WLST command-line tool.

See Also:

The Oracle Fusion Middleware Administrator's Guide for complete information on logging using Oracle Enterprise Manager Fusion Middleware Control.

4.3.6 Auditing Oracle Directory Integration Platform Using Fusion Middleware Control

Oracle Directory Integration Platform utilizes the Common Audit Framework of the Oracle Application Server 11g infrastructure for compliance, monitoring, and analytics purposes. Using Oracle Enterprise Manager Fusion Middleware Control, you can view, search, and manage audit data and event settings for Oracle Directory Integration Platform. Refer to the Oracle Fusion Middleware Application Security Guide for complete information on auditing.

4.4 Starting and Stopping Oracle Directory Integration Platform Using WLST

You can start and stop Oracle Directory Integration Platform from the command line using the WebLogic Scripting Tool (WLST) by connecting to the WebLogic Admin Server and executing the startApplication("DIP") and stopApplication("DIP") commands.

See:

4.5 Managing Oracle Directory Integration Platform Using manageDIPServerConfig

The Manage DIP Server Configuration utility, manageDIPServerConfig, allows you to manage the Oracle Directory Integration Platform server configuration. The manageDIPServerConfig utility is located in the ORACLE_HOME/bin directory.

Notes:

  • Best security practice is to provide a password only in response to a prompt from the command.

  • You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.

  • The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

4.5.1 Syntax for manageDIPServerConfig

manageDIPServerConfig

manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode |
refreshinterval | quartzthreadcount | quartzdbretryinterval | oidhostport |
keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] 
[-value ATTRIBUTE_VALUE] [-help]

4.5.2 Arguments for manageDIPServerConfig

get | set

Operation to perform.

  • get: Displays the current value of the config parameter in the DIP configuration file.

  • set: Updates the value of the config parameter in DIP configuration file.

-h | -host

Oracle WebLogic Server host where Oracle Directory Integration Platform is deployed.

-p | -port

Listen port of Oracle WebLogic Managed Server where Oracle Directory Integration Platform application is deployed.

-D | -wlsuser

Oracle WebLogic Server login ID.

Note:

You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. A best security practice is to provide a password only in response to a prompt from the command. If you must execute manageDIPServerConfig from a script, you can redirect input from a file containing the Oracle WebLogic Server login password. Use file permissions to protect the file and delete it when it is no longer necessary.

-attr | -attribute

Identifies the attribute that manageDIPServerConfig performs the operation on. The following is a list and description of the attributes manageDIPServerConfig can perform operations on:

  • sslmode: The SSL mode Oracle Directory Integration Platform uses to connect to the Oracle back-end directory. Supported values are 1 and 2. Use 1 to connect to the Oracle back-end directory using SSL Mode 1 (No Authentication). (SSL Mode 1 is only supported if Oracle Internet Directory is your Oracle back-end directory.) Use 2 to connect to the Oracle back-end directory using SSL Mode 2 (Server Only Authentication).

  • refreshinterval: The time interval (amount of time in seconds) that controls how often the Oracle Directory Integration Platform server refreshes profile configuration details.

  • quartzthreadcount: Controls how many profiles can be scheduled in parallel. The default value is 15. If you have more than 15 profiles, increase the quartzthreadcount attribute accordingly.

  • quartzdbretryinterval: Controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle back-end directory database.

  • oidhostport: Identifies the host and port of the Oracle back-end directory associated with Oracle Directory Integration Platform. Specify values for the oidhostport attribute in the form of host:port.

  • keystorelocation: Specifies the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the value for the keystorelocation attribute, be sure you use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

-ssl

Executes the command in SSL mode.

Note:

The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.

-keystorePath

The full path to the keystore.

-keystoreType

The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12

-val | -value

The value to set for the attribute. This parameter is required with the set operation.

-help

Provides usage help for the command.

4.5.3 Tasks and Examples for manageDIPServerConfig

manageDIPServerConfig get -h myhost.mycompany.com -p 7005 -D login_ID \
   -attr sslmode
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
   -attr sslmode -val 2
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
   -attr oidhostport -value OID_host:OID_SSL_port

4.6 Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication

For instructions about how to configure DIP for SSL authentication with directories other than Oracle Internet Directory, see Section 4.6.3. Otherwise, before configuring Oracle Directory Integration Platform to use SSL mode in Section 4.6.2, ensure that the Oracle back-end directory is configured for SSL Server-Auth authentication in Section 4.6.1.

Note:

The following information describes SSL configuration for a single component. If you are configuring SSL for multiple components, you can use the Oracle SSL Automation Tool, which enables you to configure SSL for multiple components using a domain-specific CA.

Refer to the Oracle Fusion Middleware Administrator's Guide for complete information about the Oracle SSL Automation Tool.

4.6.1 To Configure Oracle Internet Directory for SSL Server-Auth Authentication

Complete the following steps before configuring the Oracle Directory Integration Platform software to use SSL mode. If you have already configured the Oracle Internet Directory software for SSL authentication, skip this section and proceed to Section 4.6.2.

Oracle recommends creating a new OID component and configuring it for SSL server-authentication mode instead of changing the default configuration of oid1.

  1. Create a new Oracle Internet Directory component.

    Follow the steps in the "Creating an Oracle Internet Directory Component by Using opmnctl" section, which is located in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

    Name the new Oracle Internet Directory component oid2 (or something similar).

  2. Configure SSL for the new Oracle Internet Directory component (oid2).

    Follow the steps in the "Configuring SSL by Using Fusion Middleware Control" section, which is located in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

4.6.2 To Configure the Oracle Directory Integration Platform for SSL Authentication

This procedure describes how to configure the Oracle Directory Integration Platform for SSL authentication with Oracle Internet Directory. For instructions about how to configure Oracle Directory Integration Platform for SSL authentication with other directories, see Section 4.6.3, "To Configure Oracle Directory Integration Platform for SSL Authentication With Directories Other Than OID."

Before you begin, verify that Oracle Internet Directory is configured for SSL Server-Auth authentication. If necessary, complete the steps in Section 4.6.1 before attempting the steps in this section.

  1. Run the following command to export the trusted certificate from the Oracle Internet Directory wallet.

    orapki wallet export -wallet Path_to_OID_wallet -dn Subject_DN_of_trusted_certificate -cert path_to_certificate_file

    The Oracle Internet Directory wallet is available in the following location when created using the Fusion Middleware user interface: $ORACLE_INSTANCE/OID/admin/wallet_name

    For example:

    orapki wallet export -wallet /home/Middleware/asinst_1/OID/admin/oidwallet \
       -dn "cn=ldap.oracle.com" -cert /home/Middleware/asinst_1/OID/admin/oidcert.txt

  2. Create a Java Keystore (JKS) using the keytool, and import the trusted certificate exported in the previous step into the JKS.

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file \
       -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias OID2 -file /home/Middleware/asinst_1/OID/admin/oidcert.txt \
       -keystore /home/Middleware/dip.jks

    The system will prompt for a keystore password. Type a new password for this keystore.

    Notes:

    • If you use the -keystore option and the keystore does not exist, keytool creates the keystore.

  3. Run the following command to update the Java Keystore location in Oracle Directory Integration Platform.

    manageDIPServerConfig set -attr keystorelocation -val full_path_to_keystore \
       -h weblogic_host -p weblogic_managed_server_port -wlsuser weblogic_user

    Note:

    full_path_to_keystore represents the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

    For example:

    manageDIPServerConfig set -attr keystorelocation -val /home/Middleware/dip.jks \
       -h host -p 7005 -wlsuser weblogic

    The system will prompt for the WebLogic password.

  4. Run the following commands to create a CSF credential and update the Java Keystore password:

    1. Open the WLST prompt by running the following command:

      $ORACLE_HOME/common/bin/wlst.sh

    2. Connect to the WebLogic Admin Server:

      connect('Weblogic_User', 'Weblogic_password', 't3://Weblogic_Host:Weblogic_AdminServer_Port')

    3. Create the credential and update the Java Keystore password:

      createCred(map="dip", key="jksKey", user="jksuser", password="JKS_password_created_previously_in_step_2")

  5. Log in to the Fusion Middleware user interface and update the Oracle Directory Integration Platform SSL configuration.

    Choose DIP > Server Properties, then set SSL Mode to 2 and the port value to the Oracle Internet Directory SSL port.

  6. Restart the Oracle WebLogic managed server.

    Oracle Directory Integration Platform will now connect to Oracle Internet Directory in SSL Server authentication mode.

4.6.3 To Configure Oracle Directory Integration Platform for SSL Authentication With Directories Other Than OID

This section describes how to configure Oracle Directory Integration Platform for SSL authentication with non-OID directories, including Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) and Oracle Unified Directory (OUD).

  1. Export the trusted certificate from the directory and save it to a file.

  2. Import the trusted certificate from the directory into the Java Keystore (JKS).

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file \
       -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias sunone -file /home/Middleware/sunone.cert \
       -keystore /home/Middleware/dip.jks

    Notes:

    • If you use the -keystore option and the keystore does not exist, keytool creates the keystore.

  3. During profile creation, select the SSL option and provide the third-party directory SSL port.

4.7 Managing the SSL Certificates of Back-End Directories and Connected Directories

The Oracle Directory Integration Platform can use SSL to connect the Oracle back-end directory and connected directories. When using SSL with no authentication to connect to the Oracle back-end directory, no certificate is required. However, when connecting to the Oracle back-end directory using SSL with server authentication, you need a trust-point certificate to connect to the LDAP server. The Oracle Directory Integration Platform expects the certificate to be in a Java Keystore (JKS).

You can use the manageDIPServerConfig command with the keystorelocation argument to manage the keystore location and you can use the WLST Credential Store commands with map="dip" and key="jksKey" to manage the keystore password.

See Also:

4.7.1 Detecting and Removing an Expired Certificate

You can use the keytool utility in the $JAVA_HOME/bin directory to detect and remove expired certificates for Oracle Directory Integration Platform.

To list the valid dates for a trusted certificate in the keystore, execute the keytool utility as follows:

$JAVA_HOME/bin/keytool -list -v -keystore PATH_TO_KEYSTORE

To delete a trusted certificate from the keystore, execute the keytool utility as follows:

$JAVA_HOME/bin/keytool -delete -alias mycert -keystore PATH_TO_KEYSTORE

Note:

You will be prompted for the password to the keystore while executing these commands.

For general information about certificate expiration, see Chapter 7, "Managing Keystores, Wallets, and Certificates," of the Oracle Fusion Middleware Administrator's Guide.
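An added check over the output of the keytool -list -v command above (example code, not Oracle's): it confirms that the trusted certificate imported in Section 4.6.2 really is in the JKS with the subject DN given to orapki, and it flags entries that are expired or close to expiring and builds the keytool -delete command for them. It assumes keytool's English-locale date format and ignores the time-zone token; the keystore listing is a constructed, trimmed sample.

```python
"""Check a DIP trust keystore from `keytool -list -v` output (added example, not Oracle's code).

After the import in Section 4.6.2, verify_trust_entry confirms the certificate is really
in the JKS; for Section 4.7.1, expiry_status and delete_commands flag expired or
soon-expiring entries. Assumes keytool's English-locale dates; the zone token is ignored.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")
# "Thu Mar 03 10:15:00 UTC 2022": keep "Mar 03 10:15:00" and "2022"; drop day name and zone
_DATE_RE = re.compile(r"^\w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$")

# Constructed, trimmed sample of `keytool -list -v -keystore /home/Middleware/dip.jks`
SAMPLE_OUTPUT = """\
Alias name: oid2
Entry type: trustedCertEntry

Owner: CN=ldap.oracle.com
Valid from: Tue Mar 03 10:15:00 UTC 2020 until: Thu Mar 03 10:15:00 UTC 2022

Alias name: sunone
Entry type: trustedCertEntry

Owner: CN=dsee.example.com, O=Example
Valid from: Tue Jun 01 00:00:00 UTC 2021 until: Mon Jun 20 00:00:00 UTC 2022
"""


@dataclass
class CertEntry:
    alias: str
    entry_type: str
    owner: str
    not_before: datetime
    not_after: datetime


def parse_keytool_date(text: str) -> datetime:
    """Parse a keytool -v timestamp such as "Thu Mar 03 10:15:00 UTC 2022" (zone ignored)."""
    m = _DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised keytool date: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")


def _finish(f: dict[str, str]) -> CertEntry:
    return CertEntry(f["alias"], f.get("entry_type", "?"), f.get("owner", ""),
                     parse_keytool_date(f["valid_from"]), parse_keytool_date(f["valid_until"]))


def parse_keytool_list(output: str) -> list[CertEntry]:
    """One CertEntry per alias. For a PrivateKeyEntry with a chain only the first
    (end-entity) certificate's Owner/Valid lines are kept."""
    entries: list[CertEntry] = []
    cur: dict[str, str] = {}
    for line in (ln.strip() for ln in output.splitlines()):
        if line.startswith("Alias name:"):
            if cur:
                entries.append(_finish(cur))
            cur = {"alias": line.split(":", 1)[1].strip()}
        elif line.startswith("Entry type:"):
            cur["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and "owner" not in cur:
            cur["owner"] = line.split(":", 1)[1].strip()
        elif (m := _VALID_RE.match(line)) and "valid_from" not in cur:
            cur["valid_from"], cur["valid_until"] = m.group(1), m.group(2)
    if cur:
        entries.append(_finish(cur))
    return entries


def _norm_dn(dn: str) -> str:
    # lower-case, no spaces around ',' or '=': orapki's "cn=ldap.oracle.com" == keytool's "CN=ldap.oracle.com"
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def verify_trust_entry(entries: list[CertEntry], alias: str, expected_dn: str,
                       now: datetime) -> list[str]:
    """Problems with the certificate imported in Section 4.6.2 (empty list = OK)."""
    e = next((x for x in entries if x.alias.lower() == alias.lower()), None)
    if e is None:
        return [f"alias {alias!r} not found in keystore"]
    problems = []
    if e.entry_type != "trustedCertEntry":
        problems.append(f"{alias}: entry type is {e.entry_type}, not trustedCertEntry")
    if _norm_dn(e.owner) != _norm_dn(expected_dn):
        problems.append(f"{alias}: subject {e.owner!r} does not match {expected_dn!r}")
    if not e.not_before <= now <= e.not_after:
        problems.append(f"{alias}: not valid on {now:%Y-%m-%d}")
    return problems


def expiry_status(entries: list[CertEntry], now: datetime, warn_days: int = 30) -> dict[str, str]:
    """Map alias -> 'expired', 'expiring' (within warn_days) or 'ok'."""
    def status(e: CertEntry) -> str:
        if e.not_after < now:
            return "expired"
        return "expiring" if e.not_after - now <= timedelta(days=warn_days) else "ok"
    return {e.alias: status(e) for e in entries}


def delete_commands(entries: list[CertEntry], now: datetime, keystore: str) -> list[str]:
    """The page's removal command for every expired alias (review before running)."""
    return [f"keytool -delete -alias {a} -keystore {keystore}"
            for a, s in expiry_status(entries, now).items() if s == "expired"]
```

Feed it the real listing with `parse_keytool_list(subprocess.run(["keytool", "-list", "-v", "-keystore", path], stdout=subprocess.PIPE, text=True, check=True).stdout)`; keytool prompts for the keystore password on the terminal as the Note above says.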

4.8 Oracle Directory Integration Platform in a High Availability Scenario

In a high availability architecture, Oracle Directory Integration Platform is deployed on an Oracle WebLogic Cluster that has at least two servers as a part of the cluster. The Oracle WebLogic Server starts, stops and monitors Oracle Directory Integration Platform in the cluster. By default, Oracle Directory Integration Platform leverages the high availability features of the underlying Oracle WebLogic Clusters. In case of hardware or other failures, session state is available to other cluster nodes that can resume the work of the failed node.

In a high availability environment, Node Manager is configured to monitor the Oracle WebLogic Servers. In case of failure, Node Manager restarts the Oracle WebLogic Server. If Node Manager cannot restart the server, then the front-ending load balancing router detects failure of a WebLogic instance in the Cluster and routes traffic to surviving instances.

When the Oracle back-end directory is deployed in an active-active high availability configuration, all the Oracle back-end directory instances belonging to the cluster share the same database. Any changes made to Oracle Directory Integration Platform on one Oracle back-end directory node would automatically be propagated to all the Oracle back-end directory instances in the cluster.

See:

Oracle Fusion Middleware High Availability Guide for complete information on Oracle Directory Integration Platform in a high availability scenario.

4.9 Managing Oracle Directory Integration Platform in a Replicated Environment

For provisioning and synchronization, the replicated directory is different from the master directory. Any profiles created in the original directory need to be re-created in the new directory, and all configurations must be performed as in the original directory.