2 Deploying the Password Synchronization Module

This guide covers two scenarios:

• Upgrading an existing instance of the password synchronization module to the current version

  To implement this option, follow the instructions provided in Chapter 3.

• Deploying the password synchronization module

  To implement this option, follow the instructions provided in this chapter.

Deploying the password synchronization module involves performing the following steps:

• Preparing to Install the Password Synchronization Module

• Installing the Password Synchronization Module

• Performing Postinstallation Steps for the Password Synchronization Module

• Configuring the Password Synchronization Module

If you want to use the Strong Password Authentication (Password Complexity) feature of Microsoft Active Directory, then perform the procedure described in the following section:

• Enabling the Strong Password Authentication (Password Complexity) Feature of Microsoft Active Directory

If you want to disable or enable password synchronization, then:

• Disabling and Enabling Password Synchronization

2.1 Preparing to Install the Password Synchronization Module

This section contains the following topics:

• Determining the Release Number of the Connector

• Verifying Deployment Requirements

2.1.1 Determining the Release Number of the Connector

You might have a deployment of an earlier release of the connector. While deploying the current release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:

1. In a temporary directory, extract the contents of the following JAR file:

   ADSYNC_HOME\lib\xliADSync.jar

   Here, ADSYNC_HOME is the directory on the Microsoft Active Directory host computer in which you had installed the connector.

2. Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliADSync.jar file.

   In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.

2.1.2 Verifying Deployment Requirements

Before you install the connector, you must ensure that the following deployment requirements are addressed:

• The computer on which you are installing the connector meets the requirements listed in Table 2-1.

  Table 2-1 Certified Deployment Configurations

  Item	Requirement
  Oracle Identity Manager	Oracle Identity Manager release 9.1.0.1
  Target systems and target system host platforms	Microsoft Windows Server 2003 Active Directory installed on Microsoft Windows Server 2003 with SP1 or later service packs (x86 or x64) Note: Target systems installed on Itanium 64-bit processors are not supported.
  JDK	JDK 1.4.2

  
  

• The target system host computer must be able to ping the application server host using both IP address and host name.

• If you use a firewall between Oracle Identity Manager and Microsoft Active Directory, then open one of the following ports:

  • 636 (outgoing toward Microsoft Active Directory), if SSL is configured

  • 389 (outgoing toward Microsoft Active Directory), if SSL is not configured

  • RMI port (incoming), which you had selected while installing connector

• If Oracle Identity Manager is running on IBM WebSphere Application Server, then you must install IBM WebSphere Application Client and Oracle Identity Manager Design Console on the Microsoft Active Directory host computer.

2.2 Installing the Password Synchronization Module

To install the password synchronization module:

Note:

You must install the password synchronization module on the physical system drive for the Microsoft Active Directory host computer. You must not install the module on a mapped drive.

1. On the Microsoft Active Directory server, start the installer as follows:

   1. The installation files for the password synchronization module are in the following directory on the installation media:

      Directory Servers/Microsoft Active Directory/Microsoft Active Directory Password Sync
      

      Copy the contents of this directory to a temporary directory.

      See Also:

      The "Files and Directories That Comprise the Password Synchronization Module" section for more information about the installation files

   2. In the temporary directory, run the setup_ad.exe file to start the installer.

2. Specify a language.

3. Click Next.

4. On the Target Directory page, you can either accept the default installation directory or specify the path to the directory in which you want install the module. For example, you can specify a path similar to the following:

   C:\OracleProvisioningAD

   Alternatively, you can use the Browse button to navigate to the installation directory.

5. Click Next.

   The installer creates a directory named adsynch inside the installation directory that you specify. Then, it copies the password synchronization module components into the adsynch directory and creates certain directories inside the adsynch directory.

   Note:

   From this point onward, this guide refers to the directory user_specified_install_directory/adsynch as ADSYNC_HOME.

6. On the Application Server page, specify the application server that hosts the Oracle Identity Manager server to which the Active Directory domain controller will connect. Then, click Next.

   Note:

   If you specify IBM WebSphere as the application server, then perform the next step. Otherwise, directly proceed to Step 7.

7. On the WebSphere Directory page, specify the path to the directory where the IBM WebSphere Application Client is installed, on the computer where you are installing the module. Then, click Next.

8. On the JRE page, specify the JRE option that you want to use with the module. The following choices are available:

   • JRE bundled with Oracle Identity Manager

   • An existing JRE 1.4.2 installation on the computer where you are installing the password synchronization module. The following table lists the appropriate JRE version for the supported application servers.

   Application Server	Required JRE	Comments
   JBoss Application Server	Sun JRE 1.4.2_09 or later	However, all versions of Sun JRE 1.5 are not supported.
   Oracle WebLogic Server	Sun JRE 1.4.2_09 or later	However, all versions of Sun JRE 1.5 are not supported.
   IBM WebSphere	IBM JRE 1.4.2_x	Available as part of the IBM WebSphere Application Client installation that is compatible with IBM WebSphere on the server on which Oracle Identity Manager is installed
   Oracle Application Server	SunJRE 1.4.2_09 or later	However, all versions of Sun JRE 1.5 are not supported.

   
   

   For an existing JRE installation, you must specify the path to the installation. Then, click Next.

9. On the System Administration page, specify the account name and password required to log in to the Oracle Identity Manager server.

   The default account for login is xelsysadm.

   After specifying the required information, click Next.

10. On the Application Server Configuration page, specify the following:

    • The host name or IP address of the application server computer hosting Oracle Identity Manager

    • The naming port associated with the application server. The following table lists the default naming ports for the supported application servers.

      Application Server	Default Naming Port
      JBoss Application Server	1099
      Oracle WebLogic Server	7001
      IBM WebSphere	2809
      Oracle Application Server	12401

      
      

    If the application server for Oracle Identity Manager uses a nondefault naming port, then use that port number and consult your system administrator for additional guidance.

    After you specify the required information, click Next.

11. On the Summary page, verify that the installation directory for the module, which you specify on the Target Directory page, is correctly displayed.

    If you need to change the installation directory, click Back until you reach the Target Directory page, make the required changes, and then proceed through the installation sequence again.

    When the installation directory is displayed correctly, click Install.

12. The Complete page displays a message indicating successful installation.

    Click Finish to close the installer.

13. If you are installing the connector on a 64-bit Microsoft Windows operating system, then copy the Adsync.dll file from the Windows\SysWOW64 directory to the WINDOWS\system32 directory.

14. Restart the computer.

Caution:

Do not change the Oracle Identity Manager administrator password after you install the password synchronization module. If you change the password after installation, then the password synchronization module would stop working.

If you change the password, then you must reinstall the password synchronization module.

2.2.1 Files Copied During Password Synchronization Module Installation

The following table lists the installation locations for the key components of the password synchronization module.

File	Description
ADSYNC_HOME\config\xlconfig.xml	This file contains all the user-configurable settings for the password synchronization module. Users can edit this file after installing the module. For details, refer to the "Configuring the Password Synchronization Module" section.
ADSYNC_HOME\lib\xliADSync.jar	This JAR file contains the class files required by the Change Password script.
ADSYNC_HOME\ChangePassword.cmd	This script, which is called by adsync.dll in response to a password change, uses the required classpath and command-line parameters to call the ChangePassword class, which is in the xliADSync.jar file.
ADSYNC_HOME\wsChangePassword.cmd	This is the version of the Change Password script that is used by IBM WebSphere.
ADSYNC_HOME\lib\xliADSync.ear	This file contains the class files required by the version of the Change Password script used by IBM WebSphere.
Windows\system32\Adsync.dll	If you install the connector on a 32-bit Microsoft Windows operating system, then the Adsync.dll file is registered as a listener for password changes.
Windows\SysWOW64\Adsync.dll	If you install the connector on a 64-bit Microsoft Windows operating system, then the Adsync.dll file is registered as a listener for password changes.

2.3 Performing Postinstallation Steps for the Password Synchronization Module

After you install the password synchronization module, perform the following steps:

1. Copy the following files from the OIM_HOME/ext directory to the ADSYNC_HOME\ext directory on the computer where you installed the password synchronization module:

   • javagroups-all.jar or jgroups-all.jar

   • oscache-2.0.2-22Jan04.jar or oscache.jar

2. Copy all the JAR files from the OIM_Design_Console_installation_dir/lib directory on the computer hosting the Oracle Identity Manager Design Console to the ADSYNC_HOME\lib directory on the computer where you install the password synchronization module.

3. Depending on the application server used, perform one of the following steps:

   • For JBoss Application Server, copy the JBOSS_HOME/client/jbossall-client.jar to the ADSYNC_HOME/ext directory.

   • For Oracle WebLogic Server, copy the BEA_HOME/weblogic81/server/lib/weblogic.jar into the ADSYNC_HOME/ext directory.

   • For IBM WebSphere, extract and copy the xlDataObjectBeans.jar file into the ADSYNC_HOME/lib directory as follows:

     a. Use the following URL to connect to the IBM WebSphere administrative console:

     http://localhost:9090/admin
     

     b. Use the Oracle Identity Manager administrator account credentials to log in.

     c. Click Applications, and then click Enterprise Applications.

     d. Select Xellerate.

     e. Click Export.

     f. Save the Xellerate.ear file to a temporary directory.

     g. Extract the xlDataObjectBeans.jar file from the Xellerate.ear file.

     h. Copy the xlDataObjectBeans.jar file into the ADSYNC_HOME/lib directory.

     Note:

     Ensure that you extract and copy the xlDataObjectBeans.jar file, not the xlDataObjects.jar file.

   • For Oracle Application Server, copy the following files into the ADSYNC_HOME/ext directory:

     ORACLE_HOME/j2ee/home/oc4jclient.jar
     ORACLE_HOME/j2ee/home/lib/ejb.jar
     

4. If you plan to run Oracle Identity Manager on a clustered application server, then:

   1. Establish a trust relationship between the virtual server that represents the Oracle Identity Manager cluster and the computer hosting the Active Directory domain controller on which you install the password synchronization module.

   2. Add the host name of the virtual server to the hosts file of the computer hosting the Active Directory domain controller on which you install the password synchronization module.

   3. Edit the xlconfig.xml file associated with the password synchronization module you install. This file is located in the ADSYNC_HOME/config directory.

      In the xlconfig.xml file, change the value of the <java.naming.provider.url> tag to the fully qualified host name of the virtual server.

      Note:

      Each instance of the xlconfig.xml file is in the config directory. This directory is in the root installation directory for the component with which the configuration file is associated. For example, the path of the xlconfig.xml file associated with the password synchronization module is as follows:

      ADSYNC_HOME\config
      

      After you update the value of the <java.naming.provider.url> tag in the xlconfig.xml file associated with the password synchronization module, save and close the file.

5. In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no) parameter to yes.

   See Oracle Identity Manager Design Console Guide for detailed information about modifying values of IT resource parameters.

   Note:

   If you set the value of this parameter to no, then you must also disable password synchronization. See "Disabling and Enabling Password Synchronization" for more information.

2.4 Configuring the Password Synchronization Module

After you complete installation of the password synchronization module, you can configure it by editing the xlconfig.xml file, which is located in the ADSYNC_HOME\config directory.

To configure the parameters in the xlconfig.xml file, first open the file by using any text editor. The following table lists the elements you can configure within the <ADsync> tag in the xlconfig.xml file.

Tag Within the <ADSync> Tag	Description
<UserMatch>	The MatchingMethod parameter specifies how Oracle Identity Manager matches an Oracle Identity Manager user to the Active Directory ID passed to the adsync.dll file. The first of the following three options is the default. Use it when all the login IDs in Oracle Identity Manager match all the Active Directory user IDs. When the login IDs in Oracle Identity Manager and the Active Directory IDs do not match, then use one of the remaining options. UserID: The Active Directory user ID matches the Oracle Identity Manager user login. UDF: The Active Directory user ID matches the UDF specified in the <FieldName> attribute. ResourceField: The Active Directory user ID matches the <FieldName> attribute in the process form of the Oracle Identity Manager user to whom a resource object specified by the <ResourceObject> attribute is provisioned.
<Result>	This optional configuration element specifies where the result of the password change operation must be logged (apart from the adsync.log file). Values for the following parameters are provided as tags within the <Result> tag: UpdateUDF: Set to True or False to update a status field in the Users form. FieldName: Specify a field name when the UpdateUDF tag is set to True. For example, FieldName can be USR_UDF_STATUS. FailureValue: This string goes into the status field if the password reset operation fails. SuccessValue: This string goes into the status field if the password reset operation succeeds. AppendTimeStamp: Set this to True or False to append a timestamp to the string in the status field.
<Installed>	Use the <Installed> tag to specify whether the Microsoft Active Directory connector has been installed. If you have installed that connector, then specify true as the value of the <Installed> tag. Otherwise, specify false. For example: <ADConnectorConfig> <Installed>true</Installed> <OIMUserUDF></OIMUserUDF> </ADConnectorConfig>
<OIMUserUDF>	Use the <OIMUserUDF> tag to specify the name of the USR table column that holds is used as flag to track password changes from Oracle Identity Manager to the target system and vice versa. See "How Password Synchronization Works" for more information about this flag. The USR_UDF_PWDCHANGEDINDICATION field is used as the default. If you have created a different UDF, then specify the name of that UDF as the value of this field. For example: <ADConnectorConfig> <Installed>true</Installed> <OIMUserUDF> USR_UDF_PWDCHANGEDINDICATION </OIMUserUDF> </ADConnectorConfig>
<Disabled>	See "Disabling and Enabling Password Synchronization" for information about this tag.

After you make the required changes to the user-configurable tags in the xlconfig.xml file, save and close the file.

2.5 Step 6: Configuring the Password Synchronization Module for SSL Communication

Note:

This is an optional step of the procedure.

However, the configuration of secure client operation (using SSL at the server) affects all clients. This means that if you use SSL to secure Oracle Identity Manager communication with the password synchronization module, then the Oracle Identity Manager Design Console and any other custom clients must also communicate with Oracle Identity Manager using SSL.

You can configure SSL to secure the transfer of password information from Microsoft Active Directory to Oracle Identity Manager. The procedure that you must follow depends on the application server on which Oracle Identity Manager is installed:

See Also:

The "Step 8: Configuring SSL" section on page 2-14 of Oracle Identity Manager Connector Guide for Microsoft Active Directory for information about configuring SSL to secure data transfer from Oracle Identity Manager to Microsoft Active Directory.

• Configuring the Password Synchronization Module for SSL Communication on JBoss Application Server

• Configuring the Password Synchronization Module for SSL Communication on Oracle WebLogic Server

After you configure the password synchronization module and the Design Console for SSL communication, you must check if SSL has been enabled for these clients by performing the following procedure:

• Validating SSL Communication for the Password Synchronization Module and the Design Console

2.5.1 Configuring the Password Synchronization Module for SSL Communication on JBoss Application Server

To configure password synchronization module for SSL communication on JBoss Application Server:

1. To export the Oracle Identity Manager Server certificate, in a terminal window, change to the OIM_home/config directory and then enter the following command:

   Note:

   You create the xlserver.cer file by performing Step 2 of the procedure described in the "Configuring the Design Console for SSL Communication on JBoss Application Server" section. If you have already created the xlserver.cer file, then you can skip Step 1.

   JAVA_HOME/bin/keytool -export -file xlserver.cer -keystore .xlkeystore -storepass xellerate -alias xell
   

   A file named xlserver.cer is created in the config directory. This is the Oracle Identity Manager certificate file.

2. Copy the xlserver.cer file from the OIM_home/config directory to the ADSYNC_HOME\java\lib\security directory on the Microsoft Active Directory server.

3. On the Microsoft Active Directory server, change to the directory into which you copy the xlserver.cer file, and then enter the following command to import the certificate:

   keytool -import -alias alias -file xlserver.cer -keystore my_cacerts -storepass password -trustcacerts
   

   In this command:

   • alias is the alias for the certificate (for example, the server name)

   • my_cacerts is the full path and name of the certificate store (the default is cacerts)

     The actual certificate store location is JBOSS_HOME/jre/lib/security/cacerts.

   • password is the keystore password

     Note: changeit is the default password for the cacerts file stored in the Sun JVM. This may change depending on the JVM that you are using.

4. In the command window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.

After you configure the password synchronization module for SSL communication, you must ensure that all other clients of Oracle Identity Manager, such as the Design Console, are configured for SSL communication.

See Also:

Oracle Identity Manager Design Console Guide for information about configuring the Design Console for SSL communication

2.5.2 Configuring the Password Synchronization Module for SSL Communication on Oracle WebLogic Server

To configure the password synchronization module for SSL communication on Oracle WebLogic Server:

1. Open the Oracle WebLogic Server console.

2. Generate a signed certificate as follows:

   1. In a terminal window, navigate to the following directory:

      JDK_used_by_WebLogic/jre/lib/security
      

   2. Enter the following command to generate the certificate:

      keytool –genkey -alias private_key_alias -keyalg RSA -keysize 1024 -dname "DN_value" -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
      

      In this command:

      • private_key_alias is the alias that you want to use for the private key

      • private_key_password is the password that you want to use for the private key

      • DN_value is the distinguished name (DN) for your organization

        The CN value in the DN must be the host name or IP address of the Oracle Identity Manager server. You can get the CN value from the ADSYNC_HOME\config\xlconfig.xml file. For example, suppose the value of the <java.naming.provider.url> tag is as follows:

        t3://oimserver:7001
        

        Then, the DN that you enter in the command must contain CN=oimserver.

      • identity_store_file is the identity store that you want to use

      • identity_store_file_password is the password of the identity store that you want to use

      The following is a sample command:

      keytool –genkey -alias adpwmod -keyalg RSA -keysize 1024 -dname "CN=oimserver, OU=Identity, O=Acme Widgets Corp,L=RedwoodShores, S=California, C=US" -keypass adpw_pass -keystore idstore.jks -storepass idstorepass
      

   3. Enter the following command to sign the certificate:

      keytool -selfcert -alias private_key_alias -sigalg MD5withRSA -validity 2000 -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
      

   4. Enter the following command to export the certificate

      keytool -export -alias private_key_alias -file cert_file_name -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
      

      In this command, replace cert_file_name with the name that you want to use for the certificate file. For example, you can use adsslcert.pem as the name of the file.

3. Enable the SSL listening port of Oracle WebLogic Server as follows:

   1. Expand Servers, and then click the name of the server that you want to use.

   2. Click Configuration, and then click General.

   3. On the General tab, select the SSL Listen Port Enabled check box.

      The default SSL port, 7002, is enabled.

   4. Click Apply.

4. Configure the keystore in Oracle WebLogic Server as follows:

   1. On the Keystores & SSL tab, specify the following values:

      Custom Identity Keystore: Specify the name and location of the keystore that you want to use. The following is the default keystore:

      WebLogic_home/server/lib/DemoIdentity.jks
      

      Type: Specify the type of the keystore.

      Passphrase and Confirm Passphrase: Specify the password for the keystore.

   2. Click Change.

   3. From the Keystores list, select Custom Identity And Java Standard Trust.

   4. Specify the following values:

      • Custom Identity Key Store File Name: Enter the complete location of the identity store file, identity_store_file, that you generate in Step 2.

        For example:

        c:\bea814\jdk142_05\jre\lib\security\idstore.jks
        

      • Custom Identity Key Store Type: Specify the type of the keystore (JKS).

      • Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase: Enter the identity store file password, identity_store_file_password

   5. Click Continue.

   6. Specify the following values:

      Private Key Alias: Enter the alias that you have created for the identity keystore, private_key_alias.

      Passphrase and Confirm Passphrase: Enter the private key password, private_key_password.

   7. Click Continue, and then click Finish.

5. Restart Oracle WebLogic Server for the changes to take effect.

After you configure Oracle WebLogic Server for SSL, configure the password synchronization module for SSL communication as follows:

1. Copy the certificate file from the JDK_used_by_WebLogic/jre/lib/security directory to the JRE configured with the password synchronization module. This certificate file is created when you perform Step 2.d of the earlier procedure.

   For example, if you are using the JRE bundled with the module, then copy the certificate file into the <ADSYNC_HOME>/java/lib/security directory.

2. Change to the directory into which you copy the certificate file, and then enter the following command to import the certificate:

   keytool -import -alias private_key_alias -file cert_file_name -keystore my_cacerts -storepass password -trustcacerts
   

   In this command:

   • alias is the alias for the certificate (for example, the server name)

   • my_cacerts is the full path and name of the certificate store (the default is cacerts)

     The actual certificate store location is as follows:

     JBOSS_HOME/java/jre/lib/security/cacerts
     

   • password is the keystore password

     Note: changeit is the default password for the cacerts file stored in the Sun JVM. This may change depending on the JVM that you are using.

3. In the command window, when you are prompted to specify whether or not you want to trust this certificate, enter YES.

4. Copy the WebLogic_home/license.bea file into the ADSYNC_HOME directory.

5. Add the ADSYNC_HOME directory path to the CLASSPATH environment variable.

   To do this, you first enter a semicolon (;) at the end of the existing value of the CLASSPATH and then enter the ADSYNC_HOME directory path.

6. In the ADSYNC_HOME\config\xlconfig.xml file, search for the <java.naming.provider.url> tag and change the protocol value to t3s and the port value to the SSL port number.

   For Example:

   <java.naming.provider.url>t3s://solqe4:7002</java.naming.provider.url>
   

7. Copy the BEA_HOME/weblogic81/server/lib/wlcipher.jar file to the <ADSYNC_HOME>\ext directory.

8. Open the ADSYNC_HOME\classpath.bat file and add the following at the end of the file:

   ;.\ext\wlcipher.jar
   

2.6 Enabling the Strong Password Authentication (Password Complexity) Feature of Microsoft Active Directory

Note:

Perform the procedure described in this section only if you want to use the Strong Password Authentication (Password Complexity) feature of Microsoft Active Directory.

Microsoft Active Directory provides the Strong Password Authentication feature through the implementation of a password filter. If you want to use this password filter along with the password synchronization module, then follow the instructions on the Microsoft Web site for enabling the "Passwords must meet complexity requirements" policy setting. After you enable this policy setting, password changes in Microsoft Active Directory are checked against the Strong Password Authentication requirements before they are passed on to the password synchronization module.

2.7 Disabling and Enabling Password Synchronization

If you want to temporarily disable password synchronization, then:

1. Search for the following lines in the XML file:

   <ADSyncConfig>
    <Disabled>no</Disabled>
   </ADSyncConfig>
   

2. Change the value of the Disabled element to yes. For example:

   <ADSyncConfig>
    <Disabled>yes</Disabled>
   </ADSyncConfig>
   

3. In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no) parameter to no.

To reenable password synchronization:

1. Change the value of the Disabled element to no. For example:

   <ADSyncConfig>
    <Disabled>no</Disabled>
   </ADSyncConfig>
   

2. In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no) parameter to yes.