This guide covers two scenarios:
Upgrading an existing instance of the password synchronization module to the current version
To implement this option, follow the instructions provided in Chapter 3.
Deploying the password synchronization module
To implement this option, follow the instructions provided in this chapter.
Deploying the password synchronization module involves performing the following steps:
If you want to use the Strong Password Authentication (Password Complexity) feature of Microsoft Active Directory, then perform the procedure described in the following section:
If you want to disable or enable password synchronization, then:
This section contains the following topics:
You might have a deployment of an earlier release of the connector. While deploying the current release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
In a temporary directory, extract the contents of the following JAR file:
ADSYNC_HOME\lib\xliADSync.jar
Here, ADSYNC_HOME is the directory on the Microsoft Active Directory host computer in which you had installed the connector.
Open the manifest.mf file in a text editor. The manifest.mf file is one of the files bundled inside the xliADSync.jar file.
In the manifest.mf file, the release number of the connector is displayed as the value of the Version property.
Before you install the connector, you must ensure that the following deployment requirements are addressed:
The computer on which you are installing the connector meets the requirements listed in Table 2-1.
Table 2-1 Certified Deployment Configurations
Item | Requirement |
---|---|
Oracle Identity Manager |
Oracle Identity Manager release 9.1.0.1 |
Microsoft Windows Server 2003 Active Directory installed on Microsoft Windows Server 2003 with SP1 or later service packs (x86 or x64) Note: Target systems installed on Itanium 64-bit processors are not supported. |
|
JDK |
JDK 1.4.2 |
The target system host computer must be able to ping the application server host using both IP address and host name.
If you use a firewall between Oracle Identity Manager and Microsoft Active Directory, then open one of the following ports:
636 (outgoing toward Microsoft Active Directory), if SSL is configured
389 (outgoing toward Microsoft Active Directory), if SSL is not configured
RMI port (incoming), which you had selected while installing connector
If Oracle Identity Manager is running on IBM WebSphere Application Server, then you must install IBM WebSphere Application Client and Oracle Identity Manager Design Console on the Microsoft Active Directory host computer.
To install the password synchronization module:
Note:
You must install the password synchronization module on the physical system drive for the Microsoft Active Directory host computer. You must not install the module on a mapped drive.On the Microsoft Active Directory server, start the installer as follows:
The installation files for the password synchronization module are in the following directory on the installation media:
Directory Servers/Microsoft Active Directory/Microsoft Active Directory Password Sync
Copy the contents of this directory to a temporary directory.
See Also:
The "Files and Directories That Comprise the Password Synchronization Module" section for more information about the installation filesIn the temporary directory, run the setup_ad.exe
file to start the installer.
Specify a language.
Click Next.
On the Target Directory page, you can either accept the default installation directory or specify the path to the directory in which you want install the module. For example, you can specify a path similar to the following:
C:\OracleProvisioningAD
Alternatively, you can use the Browse button to navigate to the installation directory.
Click Next.
The installer creates a directory named adsynch
inside the installation directory that you specify. Then, it copies the password synchronization module components into the adsynch
directory and creates certain directories inside the adsynch
directory.
Note:
From this point onward, this guide refers to the directoryuser_specified_install_directory
/adsynch
as ADSYNC_HOME
.On the Application Server page, specify the application server that hosts the Oracle Identity Manager server to which the Active Directory domain controller will connect. Then, click Next.
Note:
If you specify IBM WebSphere as the application server, then perform the next step. Otherwise, directly proceed to Step 7.On the WebSphere Directory page, specify the path to the directory where the IBM WebSphere Application Client is installed, on the computer where you are installing the module. Then, click Next.
On the JRE page, specify the JRE option that you want to use with the module. The following choices are available:
JRE bundled with Oracle Identity Manager
An existing JRE 1.4.2 installation on the computer where you are installing the password synchronization module. The following table lists the appropriate JRE version for the supported application servers.
For an existing JRE installation, you must specify the path to the installation. Then, click Next.
On the System Administration page, specify the account name and password required to log in to the Oracle Identity Manager server.
The default account for login is xelsysadm.
After specifying the required information, click Next.
On the Application Server Configuration page, specify the following:
The host name or IP address of the application server computer hosting Oracle Identity Manager
The naming port associated with the application server. The following table lists the default naming ports for the supported application servers.
If the application server for Oracle Identity Manager uses a nondefault naming port, then use that port number and consult your system administrator for additional guidance.
After you specify the required information, click Next.
On the Summary page, verify that the installation directory for the module, which you specify on the Target Directory page, is correctly displayed.
If you need to change the installation directory, click Back until you reach the Target Directory page, make the required changes, and then proceed through the installation sequence again.
When the installation directory is displayed correctly, click Install.
The Complete page displays a message indicating successful installation.
Click Finish to close the installer.
If you are installing the connector on a 64-bit Microsoft Windows operating system, then copy the Adsync.dll
file from the Windows\SysWOW64
directory to the WINDOWS\system32
directory.
Restart the computer.
Caution:
Do not change the Oracle Identity Manager administrator password after you install the password synchronization module. If you change the password after installation, then the password synchronization module would stop working.If you change the password, then you must reinstall the password synchronization module.
The following table lists the installation locations for the key components of the password synchronization module.
File | Description |
---|---|
ADSYNC_HOME\config\xlconfig.xml
|
This file contains all the user-configurable settings for the password synchronization module. Users can edit this file after installing the module. For details, refer to the "Configuring the Password Synchronization Module" section. |
ADSYNC_HOME\lib\xliADSync.jar
|
This JAR file contains the class files required by the Change Password script. |
ADSYNC_HOME\ChangePassword.cmd
|
This script, which is called by adsync.dll in response to a password change, uses the required classpath and command-line parameters to call the ChangePassword class, which is in the xliADSync.jar file. |
ADSYNC_HOME\wsChangePassword.cmd
|
This is the version of the Change Password script that is used by IBM WebSphere. |
ADSYNC_HOME\lib\xliADSync.ear
|
This file contains the class files required by the version of the Change Password script used by IBM WebSphere. |
Windows\system32\Adsync.dll |
If you install the connector on a 32-bit Microsoft Windows operating system, then the Adsync.dll file is registered as a listener for password changes. |
Windows\SysWOW64\Adsync.dll |
If you install the connector on a 64-bit Microsoft Windows operating system, then the Adsync.dll file is registered as a listener for password changes. |
After you install the password synchronization module, perform the following steps:
Copy the following files from the OIM_HOME
/ext
directory to the ADSYNC_HOME
\ext
directory on the computer where you installed the password synchronization module:
javagroups-all.jar
or jgroups-all.jar
oscache-2.0.2-22Jan04.jar
or oscache.jar
Copy all the JAR files from the OIM_Design_Console_installation_dir
/lib
directory on the computer hosting the Oracle Identity Manager Design Console to the ADSYNC_HOME
\lib
directory on the computer where you install the password synchronization module.
Depending on the application server used, perform one of the following steps:
For JBoss Application Server, copy the JBOSS_HOME
/client/jbossall-client.jar
to the ADSYNC_HOME
/ext
directory.
For Oracle WebLogic Server, copy the BEA_HOME
/weblogic81/server/lib/weblogic.jar
into the ADSYNC_HOME
/ext
directory.
For IBM WebSphere, extract and copy the xlDataObjectBeans.jar
file into the ADSYNC_HOME
/lib
directory as follows:
a. Use the following URL to connect to the IBM WebSphere administrative console:
http://localhost:9090/admin
b. Use the Oracle Identity Manager administrator account credentials to log in.
c. Click Applications, and then click Enterprise Applications.
d. Select Xellerate.
e. Click Export.
f. Save the Xellerate.ear
file to a temporary directory.
g. Extract the xlDataObjectBeans.jar
file from the Xellerate.ear
file.
h. Copy the xlDataObjectBeans.jar
file into the ADSYNC_HOME
/lib
directory.
Note:
Ensure that you extract and copy thexlDataObjectBeans.jar
file, not the xlDataObjects.jar
file.For Oracle Application Server, copy the following files into the ADSYNC_HOME
/ext
directory:
ORACLE_HOME/j2ee/home/oc4jclient.jar ORACLE_HOME/j2ee/home/lib/ejb.jar
If you plan to run Oracle Identity Manager on a clustered application server, then:
Establish a trust relationship between the virtual server that represents the Oracle Identity Manager cluster and the computer hosting the Active Directory domain controller on which you install the password synchronization module.
Add the host name of the virtual server to the hosts
file of the computer hosting the Active Directory domain controller on which you install the password synchronization module.
Edit the xlconfig.xml
file associated with the password synchronization module you install. This file is located in the ADSYNC_HOME
/config
directory.
In the xlconfig.xml
file, change the value of the <java.naming.provider.url>
tag to the fully qualified host name of the virtual server.
Note:
Each instance of thexlconfig.xml
file is in the config
directory. This directory is in the root installation directory for the component with which the configuration file is associated. For example, the path of the xlconfig.xml
file associated with the password synchronization module is as follows:
ADSYNC_HOME\config
After you update the value of the <java.naming.provider.url>
tag in the xlconfig.xml
file associated with the password synchronization module, save and close the file.
In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no)
parameter to yes
.
See Oracle Identity Manager Design Console Guide for detailed information about modifying values of IT resource parameters.
Note:
If you set the value of this parameter to no, then you must also disable password synchronization. See "Disabling and Enabling Password Synchronization" for more information.After you complete installation of the password synchronization module, you can configure it by editing the xlconfig.xml
file, which is located in the ADSYNC_HOME
\config
directory.
To configure the parameters in the xlconfig.xml
file, first open the file by using any text editor. The following table lists the elements you can configure within the <ADsync>
tag in the xlconfig.xml
file.
Tag Within the <ADSync> Tag | Description |
---|---|
<UserMatch> |
The MatchingMethod parameter specifies how Oracle Identity Manager matches an Oracle Identity Manager user to the Active Directory ID passed to the adsync.dll file. The first of the following three options is the default. Use it when all the login IDs in Oracle Identity Manager match all the Active Directory user IDs. When the login IDs in Oracle Identity Manager and the Active Directory IDs do not match, then use one of the remaining options.
|
<Result> |
This optional configuration element specifies where the result of the password change operation must be logged (apart from the adsync.log file). Values for the following parameters are provided as tags within the <Result> tag:
|
<Installed> |
Use the <Installed> tag to specify whether the Microsoft Active Directory connector has been installed. If you have installed that connector, then specify true as the value of the <Installed> tag. Otherwise, specify false .
For example:
<ADConnectorConfig>
<Installed>true</Installed>
<OIMUserUDF></OIMUserUDF>
</ADConnectorConfig>
|
<OIMUserUDF> |
Use the <OIMUserUDF> tag to specify the name of the USR table column that holds is used as flag to track password changes from Oracle Identity Manager to the target system and vice versa. See "How Password Synchronization Works" for more information about this flag. The USR_UDF_PWDCHANGEDINDICATION field is used as the default. If you have created a different UDF, then specify the name of that UDF as the value of this field.
For example:
<ADConnectorConfig>
<Installed>true</Installed>
<OIMUserUDF> USR_UDF_PWDCHANGEDINDICATION </OIMUserUDF>
</ADConnectorConfig>
|
<Disabled> |
See "Disabling and Enabling Password Synchronization" for information about this tag. |
After you make the required changes to the user-configurable tags in the xlconfig.xml
file, save and close the file.
Note:
This is an optional step of the procedure.However, the configuration of secure client operation (using SSL at the server) affects all clients. This means that if you use SSL to secure Oracle Identity Manager communication with the password synchronization module, then the Oracle Identity Manager Design Console and any other custom clients must also communicate with Oracle Identity Manager using SSL.
You can configure SSL to secure the transfer of password information from Microsoft Active Directory to Oracle Identity Manager. The procedure that you must follow depends on the application server on which Oracle Identity Manager is installed:
See Also:
The "Step 8: Configuring SSL" section on page 2-14 of Oracle Identity Manager Connector Guide for Microsoft Active Directory for information about configuring SSL to secure data transfer from Oracle Identity Manager to Microsoft Active Directory.Configuring the Password Synchronization Module for SSL Communication on JBoss Application Server
Configuring the Password Synchronization Module for SSL Communication on Oracle WebLogic Server
After you configure the password synchronization module and the Design Console for SSL communication, you must check if SSL has been enabled for these clients by performing the following procedure:
Validating SSL Communication for the Password Synchronization Module and the Design Console
To configure password synchronization module for SSL communication on JBoss Application Server:
To export the Oracle Identity Manager Server certificate, in a terminal window, change to the OIM_home
/config
directory and then enter the following command:
Note:
You create thexlserver.cer
file by performing Step 2 of the procedure described in the "Configuring the Design Console for SSL Communication on JBoss Application Server" section. If you have already created the xlserver.cer
file, then you can skip Step 1.
JAVA_HOME/bin/keytool -export -file xlserver.cer -keystore .xlkeystore -storepass xellerate -alias xell
A file named xlserver.cer
is created in the config
directory. This is the Oracle Identity Manager certificate file.
Copy the xlserver.cer
file from the OIM_home
/config
directory to the ADSYNC_HOME
\java\lib\security
directory on the Microsoft Active Directory server.
On the Microsoft Active Directory server, change to the directory into which you copy the xlserver.cer
file, and then enter the following command to import the certificate:
keytool -import -alias alias -file xlserver.cer -keystore my_cacerts -storepass password -trustcacerts
In this command:
alias
is the alias for the certificate (for example, the server name)
my_cacerts
is the full path and name of the certificate store (the default is cacerts
)
The actual certificate store location is JBOSS_HOME
/jre/lib/security/cacerts
.
password
is the keystore password
Note: changeit
is the default password for the cacerts
file stored in the Sun JVM. This may change depending on the JVM that you are using.
In the command window, when you are prompted to specify whether or not you want to trust this certificate, enter YES
.
After you configure the password synchronization module for SSL communication, you must ensure that all other clients of Oracle Identity Manager, such as the Design Console, are configured for SSL communication.
See Also:
Oracle Identity Manager Design Console Guide for information about configuring the Design Console for SSL communicationTo configure the password synchronization module for SSL communication on Oracle WebLogic Server:
Open the Oracle WebLogic Server console.
Generate a signed certificate as follows:
In a terminal window, navigate to the following directory:
JDK_used_by_WebLogic/jre/lib/security
Enter the following command to generate the certificate:
keytool –genkey -alias private_key_alias -keyalg RSA -keysize 1024 -dname "DN_value" -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
In this command:
private_key_alias
is the alias that you want to use for the private key
private_key_password
is the password that you want to use for the private key
DN_value
is the distinguished name (DN) for your organization
The CN value in the DN must be the host name or IP address of the Oracle Identity Manager server. You can get the CN value from the ADSYNC_HOME
\config\xlconfig.xml
file. For example, suppose the value of the <java.naming.provider.url>
tag is as follows:
t3://oimserver:7001
Then, the DN that you enter in the command must contain CN=oimserver.
identity_store_file
is the identity store that you want to use
identity_store_file_password
is the password of the identity store that you want to use
The following is a sample command:
keytool –genkey -alias adpwmod -keyalg RSA -keysize 1024 -dname "CN=oimserver, OU=Identity, O=Acme Widgets Corp,L=RedwoodShores, S=California, C=US" -keypass adpw_pass -keystore idstore.jks -storepass idstorepass
Enter the following command to sign the certificate:
keytool -selfcert -alias private_key_alias -sigalg MD5withRSA -validity 2000 -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
Enter the following command to export the certificate
keytool -export -alias private_key_alias -file cert_file_name -keypass private_key_password -keystore identity_store_file -storepass identity_store_file_password
In this command, replace cert_file_name
with the name that you want to use for the certificate file. For example, you can use adsslcert.pem
as the name of the file.
Enable the SSL listening port of Oracle WebLogic Server as follows:
Expand Servers, and then click the name of the server that you want to use.
Click Configuration, and then click General.
On the General tab, select the SSL Listen Port Enabled check box.
The default SSL port, 7002, is enabled.
Click Apply.
Configure the keystore in Oracle WebLogic Server as follows:
On the Keystores & SSL tab, specify the following values:
Custom Identity Keystore: Specify the name and location of the keystore that you want to use. The following is the default keystore:
WebLogic_home/server/lib/DemoIdentity.jks
Type: Specify the type of the keystore.
Passphrase and Confirm Passphrase: Specify the password for the keystore.
Click Change.
From the Keystores list, select Custom Identity And Java Standard Trust.
Specify the following values:
Custom Identity Key Store File Name: Enter the complete location of the identity store file, identity_store_file
, that you generate in Step 2.
For example:
c:\bea814\jdk142_05\jre\lib\security\idstore.jks
Custom Identity Key Store Type: Specify the type of the keystore (JKS
).
Custom Identity Key Store Pass Phrase and Confirm Custom Identity Key Store Pass Phrase: Enter the identity store file password, identity_store_file_password
Click Continue.
Specify the following values:
Private Key Alias: Enter the alias that you have created for the identity keystore, private_key_alias
.
Passphrase and Confirm Passphrase: Enter the private key password, private_key_password
.
Click Continue, and then click Finish.
Restart Oracle WebLogic Server for the changes to take effect.
After you configure Oracle WebLogic Server for SSL, configure the password synchronization module for SSL communication as follows:
Copy the certificate file from the JDK_used_by_WebLogic
/jre/lib/security
directory to the JRE configured with the password synchronization module. This certificate file is created when you perform Step 2.d of the earlier procedure.
For example, if you are using the JRE bundled with the module, then copy the certificate file into the <ADSYNC_HOME>
/java/lib/security
directory.
Change to the directory into which you copy the certificate file, and then enter the following command to import the certificate:
keytool -import -alias private_key_alias -file cert_file_name -keystore my_cacerts -storepass password -trustcacerts
In this command:
alias
is the alias for the certificate (for example, the server name)
my_cacerts
is the full path and name of the certificate store (the default is cacerts)
The actual certificate store location is as follows:
JBOSS_HOME/java/jre/lib/security/cacerts
password
is the keystore password
Note: changeit
is the default password for the cacerts
file stored in the Sun JVM. This may change depending on the JVM that you are using.
In the command window, when you are prompted to specify whether or not you want to trust this certificate, enter YES
.
Copy the WebLogic_home
/license.bea
file into the ADSYNC_HOME
directory.
Add the ADSYNC_HOME
directory path to the CLASSPATH
environment variable.
To do this, you first enter a semicolon (;) at the end of the existing value of the CLASSPATH
and then enter the ADSYNC_HOME
directory path.
In the ADSYNC_HOME
\config\xlconfig.xml
file, search for the <java.naming.provider.url>
tag and change the protocol value to t3s
and the port value to the SSL port number.
For Example:
<java.naming.provider.url>t3s://solqe4:7002</java.naming.provider.url>
Copy the BEA_HOME
/weblogic81/server/lib/wlcipher.jar
file to the <ADSYNC_HOME>
\ext
directory.
Open the ADSYNC_HOME
\classpath.bat
file and add the following at the end of the file:
;.\ext\wlcipher.jar
Note:
Perform the procedure described in this section only if you want to use the Strong Password Authentication (Password Complexity) feature of Microsoft Active Directory.Microsoft Active Directory provides the Strong Password Authentication feature through the implementation of a password filter. If you want to use this password filter along with the password synchronization module, then follow the instructions on the Microsoft Web site for enabling the "Passwords must meet complexity requirements" policy setting. After you enable this policy setting, password changes in Microsoft Active Directory are checked against the Strong Password Authentication requirements before they are passed on to the password synchronization module.
If you want to temporarily disable password synchronization, then:
Search for the following lines in the XML file:
<ADSyncConfig> <Disabled>no</Disabled> </ADSyncConfig>
Change the value of the Disabled
element to yes
. For example:
<ADSyncConfig>
<Disabled>yes</Disabled>
</ADSyncConfig>
In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no)
parameter to no
.
To reenable password synchronization:
Change the value of the Disabled
element to no
. For example:
<ADSyncConfig>
<Disabled>no</Disabled>
</ADSyncConfig>
In the IT resource for Microsoft Active Directory, set the value of the AD Sync installed (yes/no)
parameter to yes
.