2 Deploying the Connector

The procedure to deploy the connector can be divided into the following stages:

• Preinstallation

• Installation

• Postinstallation

2.1 Preinstallation

Preinstallation for the connector involves performing the procedure described in the following section.

2.1.1 Verifying Deployment Requirements

Before you install the connector, you must ensure that the following deployment requirements are addressed:

• The computer on which you are installing the connector meets the requirements listed in Table 2-1.

  Table 2-1 Certified Deployment Configurations

  Item	Requirement
  Target systems and target system host platforms	The target system can be any one of the following: Microsoft Windows Server 2003 Active Directory installed on Microsoft Windows Server 2003 with SP2 and later service packs (x86 or x64) Microsoft Windows Server 2008 Active Directory installed on Microsoft Windows Server 2008 with SP2 and later service packs (x86 or x64)

  
  

• An instance of Oracle Identity Manager release 9.1.0.0 or later along with the SPML Web service is installed, running, and accessible from the computer hosting the Microsoft Active Directory domain controller on which you want to install the connector.

• The target system host computer must be able to ping the application server host using both IP address and host name.

2.2 Installation

This section discusses the following topics:

• Installing the Connector

• Reconfiguring the Connector

2.2.1 Installing the Connector

To install the connector:

1. On the Microsoft Active Directory host computer, run the installer as follows:

   1. Copy the contents of the installation media to a temporary directory.

   2. In the temporary directory, run the setup.exe file to start the installer.

2. On the Welcome page, click Next.

3. On the next page, click Next.

4. On the Installation Directory page, you can either accept the default installation directory or use the Browse button to specify the directory in which you to want install the connector.

   Figure 2-1 shows the Installation Directory page.

   Figure 2-1 Installation Directory Page (Installation)

   
   Description of "Figure 2-1 Installation Directory Page (Installation)"
   
   

5. Click Next.

   If the installation directory that you specify (in the preceding step) exists, then the installer confirms if you want to overwrite the directory. Otherwise, the installer creates the installation directory.

6. On the Active Directory Configuration Parameters page, which displays the configuration parameters for Microsoft Active Directory, verify the values displayed in all fields.

   If the values displayed on this page do not match the values for your current installation of Microsoft Active Directory, then change these values accordingly. Otherwise, you can proceed to the next step.

   Figure 2-2 shows the Active Directory Configuration Parameters page on which sample values have been specified.

   Figure 2-2 Active Directory Configuration Parameters Page (Installation)

   
   Description of "Figure 2-2 Active Directory Configuration Parameters Page (Installation)"
   
   

   Table 2-2 describes each configuration parameter of Microsoft Active Directory.

   Table 2-2 Microsoft Active Directory Configuration Parameters

   Parameter	Description
   Domain	Enter the domain name for the Microsoft Active Directory domain controller on which the connector is being installed. This value is typically the DNS domain name. Sample value: example.com
   BaseDN	Enter the base DN of Microsoft Active Directory. This is the container where the connector searches for entries with changed passwords. The persistent queue, which is an organizationUnit, will be created within this container. Therefore, the base DN that you specify must be capable of holding organizationalUnit objects. Sample value: DC=example,DC=com
   Port	Enter the port number at which LDAP for Microsoft Active Directory host computer is enabled. Default value: 389
   Host	Enter the IP address (not the host name) of the Microsoft Active Directory host computer. Sample value: 172.20.55.120

   
   

7. Click Next.

8. On the second Active Directory Configuration Parameters page, enter values for the following fields:

   • User: Enter the user name of an account that belongs to the Administrators group.

     You can use any one of the following formats to enter the user name:

     • USER_LOGIN@DOMAIN.COM

     • cn=USER_LOGIN,cn=USERS,dc=DOMAIN,dc=com

     Sample values:

     john_doe@example.com

     cn=admin,cn=Users,dc=example,dc=com

   • User Password: Enter the password of the account that you entered in the User field.

   • Log File Path: Enter the path to the directory where the log files must be generated.

     Default value: INSTALLATION_DIRECTORY\Logs

     INSTALLATION_DIRECTORY is the directory that you specify in Step 4.

     See "Enabling and Disabling Logging" for information about logging.

   Figure 2-3 shows the Microsoft Active Directory Information page on which sample values have been specified.

   Figure 2-3 Second Active Directory Configuration Parameters Page (Installation)

   
   Description of "Figure 2-3 Second Active Directory Configuration Parameters Page (Installation)"
   
   

9. Click Next to proceed with installation.

10. On the Oracle Identity Manager Configuration Parameters page, specify values for the configuration parameters of Oracle Identity Manager.

    Figure 2-4 displays the Oracle Identity Manager Configuration Parameters page on which sample values have been specified.

    Figure 2-4 Oracle Identity Manager Configuration Parameters Page (Installation)

    
    Description of "Figure 2-4 Oracle Identity Manager Configuration Parameters Page (Installation)"
    
    

    Table 2-3 describes each configuration parameter of Oracle Identity Manager.

    Table 2-3 Oracle Identity Manager Configuration Parameters

    Parameter	Description
    Host	Enter the host name (not the IP address) of the computer hosting Oracle Identity Manager. Note: The host name must be accessible from the Microsoft Active Directory host computer. Sample value: oimhost
    Port	Enter the number of the port at which the Oracle Identity Manager SPML Web service is listening. Sample value: 8080
    Administrator Login	Enter the user name of the account that will be used by the connector to login to Oracle Identity Manager during a password synchronization operation. This account must have the permissions required to change the password of OIM Users.
    Administrator Password	Enter the password of the account that will be used by the connector to login to Oracle Identity Manager during a password synchronization operation.
    OIM User Attribute	Enter the Metadata Column Code of the column in the USR table that you want to use to match OIM Users with users in the target system. During password synchronization, the sAMAccountName value of the user whose password is changed is compared against values in this column. Sample value (for predefined OIMUser fields): Users.User ID For user-defined OIMUser fields, you can use the USR_UDF_FIELD_NAME format. Sample Value: USR_UDF_USERNAME See the "Metadata Column Codes" appendix in Oracle Identity Manager API Usage Guide for information about the mapping between the physical column names and metadata column codes.
    OIM Application Server Type	Select the name of the application server that hosts Oracle Identity Manager. Sample value: JBoss
    Use SSL	Select Yes, if you are going to configure SSL communication between Microsoft Active Directory and Oracle Identity Manager. Otherwise, select No. Default value: Yes Note: It is recommended that you configure SSL to secure the transfer of SOAP messages from the target system to Oracle Identity Manager. See "Configuring SSL" for information about enabling SSL.
    Client Certificate Subject Name	Enter a value for this parameter only if Use SSL parameter has been set to Yes and client authentication is required by the application server. Enter a string that identifies the client certificate that must be used for SSL. Sample value: TQL17 Here, TQL17 is the Issued To value in the certificate.

    
    

11. Click Next.

12. On the Configuration Parameter Information page, enter values for the following fields:

    • Time interval after which password synchronization happens with OIM (in minutes): Enter an integer value in this field. This value represents the number of minutes the connector sleeps between processing password change events. The connector goes into the sleep mode after processing all the change events from the in-memory and persistent queues.

      Default value: 1

    • No. of maximum retries to synchronize passwords from AD to OIM: Enter an integer value. This value represents the number of times the connector tries to propagate the password before removing the password change record from the persistent queue.

      Default value: 5

    Figure 2-5 is a screenshot of the Connector Configuration Parameters page on which sample values have been specified.

    Figure 2-5 Configuration Parameters Page (Installation)

    
    Description of "Figure 2-5 Configuration Parameters Page (Installation)"
    
    

13. Click Next.

14. On the Summary Page, verify that the installation directory for the connector is displayed correctly and then click Next to install the connector.

    Note:

    If you want to change the installation directory, then click Back until you reach the Installation Directory page, make the required changes, and then proceed through the installation sequence again.

    Figure 2-6 shows the Summary page.

    Note:

    If you are installing the connector on a 64-bit Microsoft Windows operating system, then before you proceed to the next step, copy the oimadpwdsync10.dll and orclmessages.dll files from the Windows\SysWOW64 directory to the WINDOWS\system32 directory.

    Figure 2-6 Summary Page (Installation)

    
    Description of "Figure 2-6 Summary Page (Installation)"
    
    

15. On the next page, click Next to restart your computer

You must restart the computer to initialize the oimadpwdsync10.dll file. If the oimadpwdsync10.dll file is not initialized, then the connector is not ready for propagating passwords changes from target system to Oracle Identity Manager.

Ensuring that the Connector is Ready for Propagating Passwords

In order to ensure that the connector is ready for propagating password changes from target system to Oracle Identity Manager, you must check if the oimadpwdsync10.dll file has been initialized.

To verify whether the oimadpwdsync10.dll file is initialized:

1. Enable logging for the TIME_STAMPOIMMain.log file by performing the procedure described in "Enabling and Disabling Logging".

2. Check if the TIME_STAMPOIMMain.log file is generated in the path specified in the Log File Path field while performing Step 8 of "Installing the Connector".

   If the TIME_STAMPOIMMain.log file is generated, then the oimadpwdsync10.dll file is initialized. Otherwise, you must reinstall the connector.

2.2.2 Reconfiguring the Connector

During connector installation, you specify a set of values for the configuration parameters of Microsoft Active Directory, Oracle Identity Manager, and the connector. After connector installation, if you want to change the values for any of the configuration parameters, then you must perform the procedure described in this section.

To reconfigure the connector:

1. On the Microsoft Active Directory host computer, run the setup.exe file located in the temp directory.

2. On the Welcome page, click Next.

3. On the Active Directory Configuration Parameters page, if required, modify values for any or all of the following parameters:

   • Domain

   • BaseDN

   • Port

   • Host

   Figure 2-2 shows the Active Directory Configuration Parameters page on which sample values have been specified.

   Figure 2-7 Active Directory Configuration Parameters (Reconfiguration)

   
   Description of "Figure 2-7 Active Directory Configuration Parameters (Reconfiguration)"
   
   

4. Click Next.

5. On the Oracle Identity Manager Configuration Parameters page, if required, modify values for any or all of the following parameters:

   • Host

   • Port

   • OIM User Attribute

   • OIM Application Server Type

   • Use SSL

   • Client Configuration Subject Name

   Figure 2-4 displays the Oracle Identity Manager Configuration Parameters page on which sample values have been specified.

   Figure 2-8 Oracle Identity Manager Configuration Parameters Page (Reconfiguration)

   
   Description of "Figure 2-8 Oracle Identity Manager Configuration Parameters Page (Reconfiguration)"
   
   

6. Click Next.

7. On the Configuration Parameter Information page, if required, modify values for any or all of the following fields:

   • Time interval after which password synchronization happens with OIM (in minutes)*

   • No. of Maximum retries to synchronize Passwords from AD to OIM*

   Figure 2-5 is a screenshot of the Configuration Parameters page on which sample values have been specified.

   Figure 2-9 Configuration Parameters Page (Reconfiguration)

   
   Description of "Figure 2-9 Configuration Parameters Page (Reconfiguration)"
   
   

8. Click Next to continue with reconfiguring the connector.

9. On the second Active Directory Configuration Parameters page, if you want to modify the value of any field, then you must enter values for all fields displayed on that page. Otherwise, leave all the fields blank and proceed to the next step.

   The following fields are displayed on the Second Active Directory Configuration Parameters page:

   • Active Directory User

   • Active Directory User Password

   • Oracle Identity Manager User

   • Oracle Identity Manager User Password

   Figure 2-10 is a screenshot of the second Active Directory Configuration Parameters page on which sample values have been specified.

   Figure 2-10 Second Active Directory Configuration Parameters Page (Reconfiguration)

   
   Description of "Figure 2-10 Second Active Directory Configuration Parameters Page (Reconfiguration)"
   
   

10. On the Second Active Directory Configuration Parameters page, click Next.

11. On the next page, click Finish to complete the procedure for reconfiguring the connector.

2.3 Postinstallation

The following steps must be performed after the connector is installed:

• Enabling and Disabling Logging

• Configuring the IT Resource for the Target System

• Enabling the Strong Password Authentication (Password Complexity) Feature of Microsoft Active Directory

• Configuring SSL

2.3.1 Enabling and Disabling Logging

Log files contain information about events that occur during password synchronization. You can use the log files to determine the cause of any errors that may occur during password synchronization events.

This connector provides three log files. Each log file name is prefixed with TIME_STAMP, which represents the time at which the log file was created.

The following is the list of log files for this connector and their description:

Note:

You cannot rename the log files. In addition, you cannot specify or change the log level for log files. The default log level is DEBUG.

• TIME_STAMP_PasswordChange.log

  This file stores information about whether the connector is enabled. In the TIME_STAMP_PasswordChange.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDayHourMinuteSecondMillisecond format.

  Sample value: 200931801311828_PasswordChange.log

  The TIME_STAMP_PasswordChange.log file is generated every time the oimadpwdsync10.dll file is initialized. The oimadpwdsync10.dll file is initialized when you restart the computer hosting the connector.

• TIME_STAMPOIMMain.log

  This file stores information about events that occur while the password change records stored in the in-memory queue and persistent queue are being processed. In the TIME_STAMPOIMMain.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDay format.

  Sample value: 2009318OIMMain.log

  The TIME_STAMPOIMMain.log file is generated every time the password update thread is created.

• TIME_STAMP_adsi_debug.log

  This file stores information about the events that occur from the time the password is changed in Microsoft Active Directory till the time the password change is saved to the in-memory queue. In the TIME_STAMP_adsi_debug.log file name, TIME_STAMP represents the time at which the log file was created in the YearMonthDayHourMinuteSecondMillisecond format.

  Sample value: 2009318212319187_adsi_debug.log

  The TIME_STAMP_adsi_debug.log file is generated every time a password change event occurs.

To enable or disable logging:

By default, logging is disabled for the password synchronization connector. After connector installation, if you want to enable logging, or disable logging after it has been enabled, then perform the procedure described in this section.

Note:

The procedure described in this section must be performed on the target system host computer.

1. From the Start menu, click Run.

2. In the Run dialog box, type regedit.

3. In the Registry Editor window, on the left navigation pane:

   • If you want to enable or disable logging of events to the TIME_STAMP_PasswordChange.log file, then:

     1. Navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig

     2. On the right pane, double-click the Log value.

   • If you want to enable or disable logging of events to the TIME_STAMPOIMMain.log file, then:

     1. Navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\OIMConfig

     2. On the right pane, double-click the OIMLog value.

   • If you want to enable or disable logging of events to the TIME_STAMP_adsi_debug.log file, then:

     1. Navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\oimpwdsync\ADConfig

     2. On the right pane, double-click the Log value.

4. In the Edit String dialog box:

   • If you want to disable logging, then in the Value data field, enter N.

   • If you want to enable logging, then in the Value data field, enter Y.

5. Click OK.

6. If you have enabled or disabled logging of events to the TIME_STAMP_PasswordChange.log file, then restart the computer for the changes to take effect.

2.3.2 Configuring the IT Resource for the Target System

Note:

If you have installed a user management connector release that is earlier than release 9.1.1, then you must set the value of the AD Sync installed parameter to no. For example, if you have installed the user management connector release 9.1.0, then you must set the value of the AD Sync installed parameter to no.

The ADITResource IT resource is created in Oracle Identity Manager when you install the user management connector. The Allow Password Provisioning parameter is a parameter of the user management connector.

If you want to use the target system as the trusted source for passwords, then set the Allow Password Provisioning parameter to no. When you set the value of this parameter to no, the user management connector does not propagate password changes from Oracle Identity Manager to the target system.

If you set the Allow Password Provisioning parameter to yes, then:

• When a Microsoft Active Directory resource is provisioned to an OIM User:

  1. An account is created on Microsoft Active Directory.

  2. The password of the account is detected by the connector and sent to Oracle Identity Manager.

  3. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.

  4. If password history policy is set, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.

• When the password of the Microsoft Active Directory resource is changed on Oracle Identity Manager:

  1. The password is sent to Microsoft Active Directory by the user management connector.

  2. The updated password is detected by the connector and sent to Oracle Identity Manager.

  3. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.

  4. If password history policy is set, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.

• When the password is changed on Microsoft Active Directory:

  1. The updated password is detected by the connector and sent to Oracle Identity Manager.

  2. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are different, the password of the Microsoft Active resource on Oracle Identity Manager is updated.

  3. The updated password is detected by the user management connector and sent to Microsoft Active Directory.

  4. The password of the Microsoft Active Directory is modified, even though this is the same password that was set by the user.

  5. The password of the account is detected by the password synchronization connector and sent to Oracle Identity Manager.

  6. On Oracle Identity Manager, the password is compared with the current password of the Active Directory resource. Because both passwords are the same, no further action is taken.

  7. If password history policy is set on Oracle Identity Manager, then an exception for the SPML request (sent by the password synchronization connector) is encountered. You can ignore this exception.

2.3.2.1 Specifying a Value for the Allow Password Provisioning Parameter

Note:

Perform the procedure described in this section only if the user management connector is installed.

You can specify a value for the Allow Password Provisioning parameter as follows:

1. Log in to the Administrative and User Console.

2. Expand Resource Management.

3. Click Manage IT Resource.

4. In the IT Resource Name field on the Manage IT Resource page, enter ADITResource and then click Search.

5. Click the edit icon for the IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Depending on how you want the user management connector and password synchronization connector to function, enter a value of either yes, or no for the Allow Password Provisioning parameter.

8. If you have installed a user management connector release that is earlier than release 9.1.1, then you must set the value of the AD Sync installed parameter to no.

2.3.3 Enabling the Strong Password Authentication (Password Complexity) Feature of Microsoft Active Directory

Note:

You must use an administrator account to perform the procedures described in this section.

Microsoft Active Directory provides the Strong Password Authentication feature through the implementation of a password filter. To use this password filter along with the connector, follow the instructions for enabling the "Passwords must meet complexity requirements" policy setting by visiting the Microsoft Web site at

http://www.microsoft.com/technet/

After you enable this policy setting, password changes in Microsoft Active Directory are checked against the Strong Password Authentication requirements before they are passed on to the connector.

2.3.4 Configuring SSL

Note:

It is strongly recommended that you configure SSL communication between the connector and Oracle Identity Manager in your production environment.

However, the configuration of secure client operation (using SSL at the server) affects all clients. This means that if you use SSL to secure Oracle Identity Manager communication with the connector, then the Oracle Identity Manager Design Console and any other custom clients must also communicate with Oracle Identity Manager using SSL.

To secure the propagation of passwords from Microsoft Active Directory to Oracle Identity Manager, you must configure SSL. The procedure that you must follow depends on the application server on which Oracle Identity Manager is running:

See Also:

The "Configuring SSL" section of Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for information about configuring SSL to secure data transfer from Oracle Identity Manager to Microsoft Active Directory

• Configuring SSL on IBM WebSphere Application Server

• Configuring SSL on JBoss Application Server

• Configuring SSL on Oracle Application Server

• Configuring SSL on Oracle WebLogic Server

2.3.4.1 Configuring SSL on IBM WebSphere Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on IBM WebSphere Application Server:

• Exporting the Certificate

• Importing the Certificate

• Additional Configuration Steps

2.3.4.1.1 Exporting the Certificate

Note:

The procedure described in this section must be performed on the IBM WebSphere Application Server host computer.

To export the IBM WebSphere Application Server certificate:

1. In a terminal window, change to the WEBSPHERE_HOME\AppServer\java\jre\bin directory.

2. Run the following command:

   keytool -export -alias default -file CERT_FILE_NAME -keypass DEFAULT_TRUST_STORE_PASSWORD -keystore DEFAULT_IDENTITY_STORE -storepass DEFAULT_IDENTITY_STORE_PASSWORD -storetype pkcs12 -provider com.ibm.crypto.provider.IBMJCE
   

   In this command:

   • CERT_FILE_NAME is the complete path and name of the certificate file.

   • DEFAULT_TRUST_STORE_PASSWORD is the password of the default trust store trust.p12.

   • DEFAULT_IDENTITY_STORE is the complete path and name of the default identity store key.p12.

   • DEFAULT_IDENTITY_STORE_PASSWORD is the password of the default identity store key.p12.

   The following is a sample command:

   keytool -export -alias default -file C:\mycertificates\websp.cer -keypass WebAS -keystore C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv06\etc\key.p12 -storepass WebAS -storetype pkcs12 -provider com.ibm.crypto.provider.IBMJCE
   

   When you run the command, the application server certificate is generated in the WEBSPHERE_HOME\AppServer\java\jre\bin directory.

2.3.4.1.2 Importing the Certificate

Note:

The procedure described in this section must be performed on the Microsoft Active Directory host computer.

To import the application server certificate:

1. Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.

2. Click Start and then click Run.

3. Enter the following command, and then click OK:

   mmc

   The Microsoft Management Console is displayed.

4. From the File menu, select Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add.

6. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

7. In the certificates snap-in dialog box, select Computer account, and then click Next.

8. In the Select Computer dialog box, accept the defaults, and then click Finish.

9. In the Add Standalone Snap-in dialog box, click Close.

10. In the Add/Remove Snap-in dialog box, click OK.

11. In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.

12. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

    The Certificate Import Wizard is displayed.

13. On the Welcome to the Certificate Import Wizard page, click Next.

14. On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.

15. Click Next.

16. On the Certificate Store page, select Place all certificates in the following store, and click Next.

17. On the Completing the Certificate Import Wizard, click Finish.

    A message indicating that the import was successful is displayed.

18. Click OK to close the Certificate Import Wizard dialog box.

2.3.4.1.3 Additional Configuration Steps

Note:

The procedure described in this section must be performed on the IBM WebSphere Client host computer.

You must extract and copy the xlDataObjectBeans.jar file located in the OIM_DC_HOME\xlclient\ext directory to the WEBSPHERE_HOME\profiles\PROFILE_NAME\installedApps\NODE_NAME\OIM-xell-WS.ear\spmlws.war\WEB-INF\lib directory.

Here:

• OIM_DC_HOME is the directory in which you install the Oracle Identity Manager Design Console

• WEBSPHERE_HOME is the home directory of WebSphere

• PROFILE_NAME is the name of the application server profile being used

• NODE_NAME is the name of the node which the application server profile uses

2.3.4.2 Configuring SSL on JBoss Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on JBoss application server:

• Generating Keys

• Signing the Certificate

• Exporting the Certificate

  Note:

  The procedure described in the preceding sections must be performed on the JBoss Application Server host computer.

• Importing the Certificate

  Note:

  The procedure described in the preceding section must be performed on the Microsoft Active Directory host computer.

• Configuring the server.xml File

  Note:

  The procedure described in the preceding sections must be performed on the JBoss Application Server host computer.

2.3.4.2.1 Generating Keys

Generate keys by using the keytool command. The following keytool command generates an identity keystore. jbossserver.jks:

keytool -genkey -alias PRIVATE_KEY_ALIAS -keyalg RSA -keysize 1024 -dname DN_VALUE -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks

In this command:

• PRIVATE_KEY_ALIAS is the alias that you want to use for the private key.

• PRIVATE_KEY_PASSWORD is the password that you want to use for the private key.

• DN_VALUE is the distinguished name (DN) for your organization.

  The common name (CN) value in the DN must be the host name of the Oracle Identity Manager server.

• IDENTITY_STORE_FILE is the identity store that you want to use.

• IDENTITY_STORE_FILE_PASSWORD is the password of the identity store that you want to use.

The following is a sample command:

keytool -genkey -alias serverjboss -keyalg RSA -keysize 1024 -dname "CN=myhost" -keypass welcome -keystore E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome -storetype jks

2.3.4.2.2 Signing the Certificate

Use the following keytool command to sign the certificate that you created:

keytool -selfcert -alias PRIVATE_KEY_ALIAS -sigalg MD5withRSA -validity 2000 -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENITTY_STORE_FILE_PASSWORD

Note:

It is recommended that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing certificates.

The following is a sample command:

keytool -selfcert -alias serverjboss -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore  E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome

2.3.4.2.3 Exporting the Certificate

Use the following keytool command to export the certificate from the identity keystore to a file:

keytool -export -alias PRIVATE_KEY_ALIAS -file CERT_FILE_NAME -keypass PRIVATE_KEY_PASSWORD -keystore IDENITTY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks -provider sun.security.provider.Sun

In this command, replace CERT_FILE_NAME with the name that you want to use for the certificate file.

The following is a sample command:

keytool -export -alias serverjboss -file E:\jboss-4.0.3SP1\server\jbossserver.cert -keypass welcome -keystore E:\jboss-4.0.3SP1\server\jbossserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun

2.3.4.2.4 Importing the Certificate

To import the application server certificate:

1. Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.

2. Click Start and then click Run.

3. Enter the following command, and then click OK:

   mmc

   The Microsoft Management Console is displayed.

4. From the File menu, select Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add.

6. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

7. In the certificates snap-in dialog box, select Computer account, and then click Next.

8. In the Select Computer dialog box, accept the defaults, and then click Finish.

9. In the Add Standalone Snap-in dialog box, click Close.

10. In the Add/Remove Snap-in dialog box, click OK.

11. In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.

12. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

    The Certificate Import Wizard is displayed.

13. On the Welcome to the Certificate Import Wizard page, click Next.

14. On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.

15. Click Next.

16. On the Certificate Store page, select Place all certificates in the following store, and click Next.

17. On the Completing the Certificate Import Wizard, click Finish.

    A message indicating that the import was successful is displayed.

18. Click OK to close the Certificate Import Wizard dialog box.

2.3.4.2.5 Configuring the server.xml File

Copy the following entry to the server.xml file located in the OIM_HOME\jboss-4.0.3SP1\server\default\deploy\jbossweb-tomcat55.sar directory:

<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false"
              sslProtocol="TLS" 
           keystoreFile="E:\jboss-4.0.3SP1\server\jbossserver.jks"
           keystorePass="welcome"
           truststoreFile="E:\jboss-4.0.3SP1\server\jbossserver.jks"
           truststorePass="welcome"/>

After you have performed the preceding steps, restart the server for the changes to take effect.

2.3.4.3 Configuring SSL on Oracle Application Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on Oracle Application Server.

• Enabling SSL for HTTP Communication to Oracle HTTP Server

• Exporting the Certificate

• Importing the Certificate

2.3.4.3.1 Enabling SSL for HTTP Communication to Oracle HTTP Server

By default, the Oracle HTTP Server is configured with SSL and the SSL certificate store is located at ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\. The listen parameter in the ORACLE_HOME\Apache\Apache\conf\ssl.conf file points to the SSL port being used by the Oracle HTTP Server.

A custom wallet and certificate should be created for the Oracle HTTP Server.

Creating Custom Wallet and Certificate for Oracle HTTP Server

Perform the following steps to create a custom wallet and certificate for Oracle HTTP Server:

1. To create a custom wallet, run the following command:

   orapki wallet create -wallet WALLET_LOCATION -auto_login
   

   In this command, WALLET_LOCATION is the path to the directory where the wallet is created.

2. To add a self-signed certificate to the wallet, run the following command:

   orapki wallet add -wallet WALLET_LOCATION -dn CN=HOSt_NAME -keysize 2048 -self_signed -validity 3650
   

   When prompted, enter the Wallet password.

   This creates a self-signed certificate with a validity of 3650 days. The distinguished name of the subject is CN=HOST_NAME. Here HOST_NAME is the host name of the machine. The key size for the certificate is 2048 bits.

   Note:

   Ensure that you obtain the certificate from an appropriate Certificate Authority.

3. To export the self-signed certificate, run the following command:

   orapki wallet export -wallet WALLET_LOCATION -dn 'CN=HOST_NAME' -cert WALLET_LOCATION/b64certificate.txt
   

   In this command, the value of HOST_NAME must be same as the value of HOST_NAME specified in Step 2.

4. Edit the ssl.conf file located in the ORACLE_HOME/Apache/Apache/conf/ as follows:

   1. In a text editor, open the ssl.conf file and find the following entry:

      SSLWallet file:
      

   2. Enter WALLET_LOCATION (specified in Step 1) as the value of the SSLWallet file: entry.

      The following is a sample value of the SSLWallet file: entry:

      SSLWallet file:/home/testoc4j/OIM9102/product/10.1.3.1/OracleAS_1/Apache/Apache/conf/ssl.wlt/default
      

   3. Save and close the updated ssl.conf file.

5. Restart Oracle Application Server.

2.3.4.3.2 Exporting the Certificate

To export the application server certificate from the WALLET_LOCATION directory that you specified in Step 1 of "Creating Custom Wallet and Certificate for Oracle HTTP Server", perform the following steps after you have started Oracle Wallet Manager:

Note:

the default Oracle wallet directory is ORACLE_HOME\Apache\Apache\conf\ssl.wlt\default\ewallet.p12

1. Depending on the operating system used, perform one of the following steps to start Oracle Wallet Manager:

   • For Microsoft Windows, click Start, Programs, ORACLE-HOME_NAME, Integrated Management Tools, and Wallet Manager.

   • For UNIX, in a terminal window, change to the ORACLE_HOME/bin directory and then enter the owm command.

2. Open the WALLET_LOCATION directory by using Oracle Wallet Manager.

3. Enter the wallet password (that you specified in Step 2 of "Creating Custom Wallet and Certificate for Oracle HTTP Server") as the store password when prompted.

4. Right-click Certificate (Ready) and click Export User Certificate.

5. Enter server.cert as the file name and save the file.

   The connector uses this certificate to trust Oracle Application Server.

   See Also:

   The "Secure Sockets Layer" section in Oracle Application Server Administrator's Guide for more information about Oracle Wallet Manager

2.3.4.3.3 Importing the Certificate

To import the application server certificate:

1. Copy the certificate (exported in Step 3 of "Creating Custom Wallet and Certificate for Oracle HTTP Server") to any directory on the Microsoft Active Directory host computer.

2. Click Start and then click Run.

3. Enter the following command, and then click OK:

   mmc

   The Microsoft Management Console is displayed.

4. From the File menu, select Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add.

6. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

7. In the certificates snap-in dialog box, select Computer account, and then click Next.

8. In the Select Computer dialog box, accept the defaults, and then click Finish.

9. In the Add Standalone Snap-in dialog box, click Close.

10. In the Add/Remove Snap-in dialog box, click OK.

11. In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.

12. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

    The Certificate Import Wizard is displayed.

13. On the Welcome to the Certificate Import Wizard page, click Next.

14. On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.

15. Click Next.

16. On the Certificate Store page, select Place all certificates in the following store, and click Next.

17. On the Completing the Certificate Import Wizard, click Finish.

    A message indicating that the import was successful is displayed.

18. Click OK to close the Certificate Import Wizard dialog box.

2.3.4.4 Configuring SSL on Oracle WebLogic Server

The following sections provide information about enabling SSL communication when Oracle Identity Manager is running on Oracle WebLogic Server:

• Generating Keys

• Signing the Certificate

• Exporting the Certificate

• Configuring Custom Identity Keystore in WebLogic Server

  Note:

  The procedure described in the preceding sections must be performed on the Oracle WebLogic Server host computer.

• Importing the Certificate

  Note:

  The procedure described in the preceding section must be performed on the Microsoft Active Directory host computer.

2.3.4.4.1 Generating Keys

Generate private/public certificate pairs by using the keytool command provided. The following command creates an identity keystore:

keytool –genkey -alias PRIVATE_KEY_ALIAS -keyalg RSA -keysize 1024 -dname DN_VALUE -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks

In this command:

• PRIVATE_KEY_ALIAS is the alias that you want to use for the private key.

• PRIVATE_KEY_PASSWORD is the password that you want to use for the private key.

• DN_VALUE is the distinguished name (DN) for your organization.

  The common name (CN) value in the DN must be the host name of the Oracle Identity Manager server.

• IDENTITY_STORE_FILE is the identity store that you want to use.

• IDENTITY_STORE_FILE_PASSWORD is the password of the identity store that you want to use.

The following is a sample command that creates an identity key store (support.jks):

keytool –genkey -alias support -keyalg RSA -keysize 1024 -dname "CN=oimserver" -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks

2.3.4.4.2 Signing the Certificate

Use the following command to sign the certificate that you created.

keytool -selfcert -alias PRIVATE_KEY_ALIAS -sigalg MD5withRSA -validity2000 -keypass PRIVATE_KEY_PASSWORD -keystore IDENTITY_STORE_FILE -storepass IDENITTY_STORE_FILE_PASSWORD -storetype jks

Note:

It is recommended that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing certificates.

The following is a sample command:

keytool -selfcert -alias support -sigalg MD5withRSA -validity 2000 -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks

2.3.4.4.3 Exporting the Certificate

Use the following command to export the certificate from the identity keystore to a file:

keytool -export -alias PRIVATE_KEY_ALIAS -file CERT_FILE_NAME -keypass PRIVATE_KEY_PASSWORD -keystore IDENITTY_STORE_FILE -storepass IDENTITY_STORE_FILE_PASSWORD -storetype jks -provider sun.security.provider.Sun

In this command, replace CERT_FILE_NAME with the complete path and name of the certificate file.

The following is a sample command:

keytool -export -alias support -file C:\bea\user_projects\domains\oim\supportcert.pem -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support -storetype jks -provider sun.security.provider.Sun

2.3.4.4.4 Configuring Custom Identity Keystore in WebLogic Server

To configure the custom identity keystore:

1. In the WebLogic Server Administration Console, click Servers, Configuration, and then click General.

2. Select SSL listen port enabled. The default port is 7002.

3. In the Administrative Console, click Servers.

4. On the Configuration tab, click the server name in the Name column of the table.

5. On the Keystores tab:

   1. In the Change Center section, click Lock & Edit to enable modification to the settings on the page.

   2. From the Keystores box, select Custom Identity and Custom Trust, and then click Continue.

   3. In the Custom Identity Keystore and Custom Trust Keystore fields, enter C:\bea\user_projects\domains\oim\support.jks as the custom identity keystore file name.

   4. In the Custom Identity Keystore Type field, enter JKS.

   5. In the Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase fields, enter the password of the custom identity keystore.

6. On the SSL tab:

   1. In the Change Center section, click Lock & Edit to enable modification to the settings on the page.

   2. From the Identity and Trust Location box, select Keystores.

   3. In the Private Key Alias field, enter support as the private key alias.

   4. In the Private Key Passphrase and Confirm Private Key Passphrase fields, enter the password, for example, support.

7. Restart the server for the changes to take effect.

Note:

For a clustered installation, repeat all the steps for each of the participating nodes in the cluster, and then restart the cluster.

2.3.4.4.5 Importing the Certificate

To import the application server certificate:

1. Copy the certificate (exported in "Exporting the Certificate") to any directory on the Microsoft Active Directory host computer.

2. Click Start and then click Run.

3. Enter the following command, and then click OK:

   mmc

   The Microsoft Management Console is displayed.

4. From the File menu, select Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add.

6. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

7. In the certificates snap-in dialog box, select Computer account, and then click Next.

8. In the Select Computer dialog box, accept the defaults, and then click Finish.

9. In the Add Standalone Snap-in dialog box, click Close.

10. In the Add/Remove Snap-in dialog box, click OK.

11. In the Console Root window, on the left pane, expand Certificates (Local Computer) under the Console Root folder.

12. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then click Import.

    The Certificate Import Wizard is displayed.

13. On the Welcome to the Certificate Import Wizard page, click Next.

14. On the File to Import page, you can either specify the path to the directory in which you copied the exported certificate, or use the Browse button to specify the directory in which you copied the exported certificate.

15. Click Next.

16. On the Certificate Store page, select Place all certificates in the following store, and click Next.

17. On the Completing the Certificate Import Wizard, click Finish.

    A message indicating that the import was successful is displayed.

18. Click OK to close the Certificate Import Wizard dialog box.