9 Configuring and Managing the Oracle Virtual Directory Server

This chapter explains how to configure Oracle Virtual Directory server settings and includes the following topics:

Configuring Oracle Virtual Directory Server Properties Using Fusion Middleware Control

Oracle Virtual Directory provides the ability to regulate items such as the number of entries the server can return for an anonymous user or for an authenticated user. You can also limit inbound transaction traffic, which can be used to protect proxied sources from Denial Of Service attacks or to limit LDAP traffic to control access to a limited directory infrastructure resource. You can configure these properties and others on the Oracle Virtual Directory Server Properties page in Oracle Enterprise Manager Fusion Middleware Control.

There are two tabs on the Server Properties screen: General and Change SuperUser Password. The General tab contains options to configure general server properties, such as quotas on activity limits, search settings, and schema and access control checks. The Change SuperUser Password tab allows you to change the password for the Oracle Virtual Directory superuser.

The following are the procedures to configure the properties on each tab:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target that you want to configure server settings on.

  2. Select Administration and then Server Properties from the Oracle Virtual Directory menu. The Server Properties screen appears.

To configure general Oracle Virtual Directory server properties:

  1. Click the General tab on the Server Properties screen.

  2. Enable quota enforcement on the server by selecting the Enable Quota Enforcement option and entering the following information:

    Note:

    You must select the Enable Quota Enforcement option to configure the Activity Limits parameters.
    • Enter the maximum number of client connections to allow in the Maximum Client Connections field.

    • Enter the maximum number of operations to allow for each connection in the Maximum Operations per Connection field.

    • Enter the maximum number of connections to allow for each authenticated subject in the Maximum Connections per Authenticated Subject field.

    • Enter the maximum number of connections to allow for each IP address connected to Oracle Virtual Directory in the Maximum Connections per IP Address field.

    • Enter the maximum length of time (in minutes) that a client connection can remain inactive before Oracle Virtual Directory closes the connection in the Maximum time period (minutes) that a connection can remain inactive field.

    • Add or delete IP addresses that are exempt from the quota checking in the Exempt IP Addresses field. To add an IP address, enter the IP address in the Exempt IP Addresses field. To delete an IP address, select the IP address in the Exempt IP Addresses field and delete it.

      Note:

      Oracle Virtual Directory 11g Release 1 (11.1.1) supports IPv6. If your network supports IPv6 you can use literal IPv6 addresses in the Exempt IP Addresses field to identify IP addresses that are exempt from quota enforcement.
    • Add or delete subjects that are exempt from the quota checking in the Exempt Subjects field. To add a subject, enter the subject in the Exempt Subjects field. To delete a subject, select the subject in the Exempt Subjects field and delete it.

      Note:

      By default, the superuser (typically cn=orcladmin) is exempt from quota checking.
  3. Enter the maximum number of entries to return for an anonymous client search in the Anonymous Search field. The default setting is 1000.

  4. Enter the maximum number of entries to return for an authenticated user in the Authenticated User Search field. An authenticated user is defined as a user bound to Oracle Virtual Directory. The Oracle Virtual Directory root account is exempt from this quota and the default setting is 10,000.

  5. Select the Enable Access Control Check option to enable Oracle Virtual Directory to enforce access controls as defined in the access control file.

  6. Select the Enable Schema Check option to enable Oracle Virtual Directory to check LDAP entries for conformance to schema definitions known by the server. Oracle suggests that the Enable Schema Check option should be disabled only when an external means of schema checking will be used.

  7. Select the Enable Persistent Search option to enable Oracle Virtual Directory to support the persistent search control regardless of the adapters configured.

  8. Click Apply on the Server Properties screen to apply your settings.

To change the password for the Oracle Virtual Directory superuser:

  1. Click the Change SuperUser Password tab on the Server Properties screen.

  2. Enter the existing superuser password in the Old Password field.

  3. Enter the new superuser password in the New Password field.

  4. Reenter the new superuser password in the Confirm Password field.

  5. Click Apply.

Configuring Oracle Virtual Directory Server Settings Using WLST

You can use the WebLogic Scripting Tool (WLST) at ORACLE_HOME/common/bin/wlst.sh to set Oracle Virtual Directory server settings as follows:

  1. Connect to the WebLogic Admin Server. For example:

    connect('username', 'password','t3://host_name:Admin_Server_Port')
    
  2. Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:

    custom()
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=OVD_COMPONENT_NAME,instance=INSTANCE_NAME')
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    
  3. Move to the Oracle Virtual Directory Server configuration MBean. For example:

    cd('../..')
    cd('oracle.as.ovd/oracle.as.ovd:type=component.serverconfig,name=serverconfig,instance=INSTANCE_NAME,component=OVD_COMPONENT_NAME')
    
  4. Using the WLST ls() command, you can see a list of attributes for the Oracle Virtual Directory server configuration MBean. Use the get('ATTRIBUTE_NAME') command to retrieve the current value for an attribute. For example, to retrieve the current value for MaxConnections, which is the maximum number of client connections to allow, execute the following:

    get('MaxConnections')
    

    Use the set() command to update an attribute. For example, to update the value for the MaxConnections setting, execute the following:

    set('MaxConnections', 3000)
    

    Note:

    Using the set() command as shown in the preceding example saves the attribute setting to the MBean—you must perform step 5 in this procedure to save the changes to the Oracle Virtual Directory server.

    The following is a list of each Oracle Virtual Directory server configuration MBean attribute and an example command for setting them:

    • ACLCheck: set('ACLCheck',true)

    • Anonymous: set('Anonymous',2000)

    • Authenticated: set('Authenticated',20000)

    • DoSActive: set('DoSActive',true)

    • DoSRatePeriod: set('DoSRatePeriod',20000)

    • ExemptIPAddresses:

      To add an exempt IP address (enter on one command line):

      invoke('addExemptIPAddress',jarray.array([java.lang.String('127.0.0.1')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

      To delete an exempt IP address (enter on one command line):

      invoke('deleteExemptIPAddress',jarray.array([java.lang.String('127.0.0.1')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

    • ExemptSubjects:

      To add an exempt subject (enter on one command line):

      invoke('addExemptSubjects',jarray.array([java.lang.String('cn=myuser')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

      To delete an exempt subject (enter on one command line):

      invoke('deleteExemptSubjects',jarray.array([java.lang.String('cn=myuser')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

    • InactiveConnectionTimeout: set('InactiveConnectionTimeout',50)

    • MaxConnections: set('MaxConnections',50)

    • MaxConnectionsPerIP: set('MaxConnectionsPerIP',20)

    • MaxConnectionsPerSubject: set('MaxConnectionsPerSubject',20)

    • MaxOperationsPerConnection:

      set('MaxOperationsPerConnection',10)

    • PersistentSearch: set('PersistentSearch',false)

    • TLSKeyStore: Read-only attribute

    • TLSTrustStore: Read-only attribute

    • TLSKeyStorePassword:

      set('TLSKeyStorePassword',java.lang.String('PASSWORD').toCharArray())
      
    • TLSTrustStorePassword:

      set('TLSTrustStorePassword',java.lang.String('welcome1').toCharArray())
      
    • SchemaCheck: set('SchemaCheck',true)

    • SchemaLocations:

      To add a schema location (enter on one command line):

      invoke('addSchemaLocation',jarray.array([java.lang.String('schema.myschema.xml')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

      To delete a schema location (enter on one command line):

      invoke('deleteSchemaLocation',jarray.array([java.lang.String('schema.myschema.xml')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))

  5. Save the changes to the Oracle Virtual Directory server and then refresh the MBean. For example:

    cd('../..')
    cd('oracle.as.management.mbeans.register')
    cd('oracle.as.management.mbeans.register:type=component,name=OVD_COMPONENT_NAME,instance=asinst1')
    invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
    invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))

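As an added example that is not part of the Oracle documentation, the WLST steps above combined into one Jython script: it checks the quota values, sets them on the serverconfig MBean, then saves and reloads through the Root Proxy MBean. Component, instance, host and credential values are placeholders; the DoSActive attribute is assumed to be the WLST counterpart of the Enable Quota Enforcement option, and the sanity rules in validate_quota_settings are mine, not Oracle's.

```python
# Added example, not Oracle's code. Run with: ORACLE_HOME/common/bin/wlst.sh set_ovd_quotas.py
# WLST 11g embeds an old Jython, so only basic Python syntax is used here.
# connect(), custom(), cd(), set(), invoke(), true, jarray and java are supplied by WLST.

REGISTER_DOMAIN = 'oracle.as.management.mbeans.register'

def register_mbean_name(component, instance):
    """ObjectName of the Root Proxy MBean, where load/save are invoked."""
    return '%s:type=component,name=%s,instance=%s' % (REGISTER_DOMAIN, component, instance)

def serverconfig_mbean_name(component, instance):
    """ObjectName of the OVD serverconfig MBean, where the attributes are set."""
    return ('oracle.as.ovd:type=component.serverconfig,name=serverconfig,'
            'instance=%s,component=%s' % (instance, component))

def validate_quota_settings(settings):
    """Sanity rules (my own assumption, not documented by Oracle): every value must
    be a positive integer, and a per-IP or per-subject cap must not exceed the
    global cap, otherwise the finer-grained limit can never take effect."""
    problems = []
    for key, value in settings.items():
        if not isinstance(value, int) or value <= 0:
            problems.append('%s must be a positive integer' % key)
    total = settings.get('MaxConnections')
    for key in ('MaxConnectionsPerIP', 'MaxConnectionsPerSubject'):
        if total is not None and key in settings and settings[key] > total:
            problems.append('%s exceeds MaxConnections' % key)
    return problems

def apply_quota_settings(component, instance, settings):
    """WLST-only part: call after connect(). Mirrors steps 2 to 5 above."""
    problems = validate_quota_settings(settings)
    if problems:
        raise ValueError('; '.join(problems))
    no_args = jarray.array([], java.lang.Object)
    no_sig = jarray.array([], java.lang.String)
    custom()
    cd(REGISTER_DOMAIN)
    cd(register_mbean_name(component, instance))
    invoke('load', no_args, no_sig)            # initialize the MBean tree
    cd('../..')
    cd('oracle.as.ovd/' + serverconfig_mbean_name(component, instance))
    set('DoSActive', true)                      # assumed: enables quota enforcement
    for key, value in settings.items():
        set(key, value)                         # only updates the MBean so far
    cd('../..')
    cd(REGISTER_DOMAIN)
    cd(register_mbean_name(component, instance))
    invoke('save', no_args, no_sig)            # persist to the OVD server
    invoke('load', no_args, no_sig)            # refresh the MBean afterwards

if __name__ == '__main__':
    # Placeholder credentials and names; replace with your own before running.
    connect('weblogic', 'PASSWORD', 't3://adminhost:7001')
    apply_quota_settings('ovd1', 'asinst1', {
        'MaxConnections': 3000, 'MaxConnectionsPerIP': 20,
        'MaxConnectionsPerSubject': 20, 'MaxOperationsPerConnection': 100,
        'InactiveConnectionTimeout': 30})
```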

Controlling Orphan Connections Caused by Remote Client or Server Failure

Oracle Virtual Directory supports two parameters that help detect and safely close orphan socket connections caused by remote client or server failure. These parameters will help if applications or directory sources are on different networks—in particular, outside of the same data-center—than Oracle Virtual Directory and the network is unstable.

Set each parameter to the amount of time in seconds that TCP should wait for a response from the client or server. The status and stability of your network will influence which parameters you set and also the amount of time you set. In an unstable network, you may want to set these parameters to a greater number of seconds than you would in a stable network environment.

Note:

If your operating system is reporting several connections in TIME_WAIT status and they do not close for an extended length of time, such as five minutes or more, it is a good indication to use these parameters to control the orphan connections.

Controlling Orphan Client Connections:

The LDAP Listener's SocketOptionsReadTimeout parameter can be used to control orphan client connections. Use the WLST set() command to set the SocketOptionsReadTimeout parameter. For example:

set('SocketOptionsReadTimeout', 120)

Refer to "Updating Listener Settings" for the complete procedure on updating Listener settings using WLST.

Note:

You can also use Oracle Enterprise Manager Fusion Middleware Control to set this parameter for the LDAP Listener. Refer to the Read Timeout parameter described in "Creating LDAP Listeners" for more information.

Controlling Orphan Server Connections:

The vde.soTimeoutBackend Java Virtual Machine parameter located in the ORACLE_INSTANCE/config/OPMN/opmn/opmn.xml file can be used to control orphan server connections.

To set the vde.soTimeoutBackend parameter, edit opmn.xml and then restart Oracle Virtual Directory. The following is an example of the vde.soTimeoutBackend parameter set in the opmn.xml file:

<ias-component id="OVD_COMPONENT_NAME">
   <process-type id="OVD" module-id="OVD">
      <module-data>
         <category id="start-options">
            <data id="java-options" value="-server -Xms512m -Xmx512m -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml -Dvde.soTimeoutBackend=120"/>
            <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
         </category>
      </module-data>
      <stop timeout="120"/>
   </process-type>
</ias-component>
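An added example, not part of the Oracle documentation, that audits and updates the vde.soTimeoutBackend option in an opmn.xml: backend_timeout reports the configured seconds, or None when the option is missing, and set_backend_timeout rewrites the java-options value. The embedded XML is a constructed sample shaped like the fragment above, with ovd1 as a placeholder component id; a real opmn.xml nests ias-component deeper, which the .// search allows for.

```python
# Added example, not Oracle's code. Audits/updates -Dvde.soTimeoutBackend in opmn.xml.
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragment above; the option is absent on purpose.
SAMPLE_OPMN_XML = """<opmn>
<ias-component id="ovd1">
  <process-type id="OVD" module-id="OVD">
    <module-data>
      <category id="start-options">
        <data id="java-options" value="-server -Xms512m -Xmx512m -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
        <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
      </category>
    </module-data>
    <stop timeout="120"/>
  </process-type>
</ias-component>
</opmn>"""

OPTION_RE = re.compile(r'-Dvde\.soTimeoutBackend=(\d+)')

def java_options_element(root, component_id):
    """Locate the java-options <data> element of one OVD ias-component at any depth."""
    xpath = (".//ias-component[@id='%s']/process-type[@id='OVD']/module-data"
             "/category[@id='start-options']/data[@id='java-options']" % component_id)
    return root.find(xpath)

def backend_timeout(xml_text, component_id):
    """Configured vde.soTimeoutBackend in seconds, or None when the OVD component
    has no such JVM option (backend sockets to a failed server then linger)."""
    elem = java_options_element(ET.fromstring(xml_text), component_id)
    if elem is None:
        return None
    match = OPTION_RE.search(elem.get('value', ''))
    return int(match.group(1)) if match else None

def set_backend_timeout(xml_text, component_id, seconds):
    """Return new opmn.xml text with -Dvde.soTimeoutBackend=<seconds>, replacing an
    existing value or appending the option to java-options; OVD restart is still needed."""
    root = ET.fromstring(xml_text)
    elem = java_options_element(root, component_id)
    if elem is None:
        raise ValueError('no OVD java-options found for component %s' % component_id)
    opts = elem.get('value', '')
    new_opt = '-Dvde.soTimeoutBackend=%d' % seconds
    if OPTION_RE.search(opts):
        opts = OPTION_RE.sub(new_opt, opts)
    else:
        opts = (opts + ' ' + new_opt).strip()
    elem.set('value', opts)
    return ET.tostring(root, encoding='unicode')

if __name__ == '__main__':
    print('before:', backend_timeout(SAMPLE_OPMN_XML, 'ovd1'))
    updated = set_backend_timeout(SAMPLE_OPMN_XML, 'ovd1', 120)
    print('after:', backend_timeout(updated, 'ovd1'))
```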

Managing Oracle Virtual Directory Libraries Using Oracle Directory Services Manager

This topic describes how to manage libraries used for Oracle Virtual Directory plug-ins and Join View Adapters. It contains the following sections:

Viewing Oracle Virtual Directory Server Libraries

Perform the following steps to view the libraries, including plug-ins and Join View adapters, that reside on the Oracle Virtual Directory server:

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Libraries entry in the Advanced tree. A list of the library files that reside on the Oracle Virtual Directory server appears in the Libraries entry of the Advanced tree.

Loading Libraries into the Oracle Virtual Directory Server

Perform the following steps to load libraries into Oracle Virtual Directory using Oracle Directory Services Manager:

  1. Log in to Oracle Directory Services Manager.

  2. Select Advanced from the task selection bar. The Advanced navigation tree appears.

  3. Expand the Libraries entry in the Advanced tree.

  4. Click the Upload New Library button at the top of the Advanced tree. The Upload New Library dialog box appears.

  5. Enter the path to the library you want to load into Oracle Virtual Directory or click Browse, navigate to the library and select it. Click OK on the Upload New Library dialog box to load the library into Oracle Virtual Directory. The library appears in the Libraries entry of the Advanced tree.

Copying Configuration Files Between Oracle Virtual Directory Servers Using syncovdconfig

You can use the syncovdconfig command to copy the following Oracle Virtual Directory configuration files between multiple Oracle Virtual Directory components:

  • server.os_xml

  • adapters.os_xml

  • acls.os_xml

  • schema.user.xml

The syncovdconfig command (.pl for UNIX/Linux and .bat for Windows) is located in the $ORACLE_HOME/ovd/bin/ directory. The following is the syntax for syncovdconfig:

syncovdconfig -srcHost source_host_name -srcPort source_port_number
-srcUserName source_user_name -dstHost destination_host_name
-dstPort destination_port_number -dstUserName destination_user_name
-configFile name_of_configuration_file -adapterName name_of_adapter
-isSrcAdminSSL [true|false] -isDstAdminSSL [true|false]

Notes:

  • You will be prompted for the password for both the source and destination users.

  • Set the Oracle Home variable before using the syncovdconfig command.

Options

The following is a list of the options for syncovdconfig:

srcHost

Required. String format. The host name of the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server.

srcPort

Required. Integer format. The listening port number of the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server.

srcUserName

Optional. String format. The superuser of the source Oracle Virtual Directory server—that is, the Oracle Virtual Directory server that contains the configuration files you want to copy to a different Oracle Virtual Directory server. If the srcUserName option is not specified, the default value of cn=orcladmin is used.

dstHost

Required. String format. The host name of the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to.

dstPort

Required. Integer format. The listening port number of the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to.

dstUserName

Optional. String format. The superuser of the destination Oracle Virtual Directory server—that is, the Oracle Virtual Directory server where you want to copy the configuration files to. If the dstUserName option is not specified, the default value of cn=orcladmin is used.

configFile

Optional. String format. The name of the configuration file on the source Oracle Virtual Directory server that you want to copy to the destination Oracle Virtual Directory server. You can use the configFile option multiple times in the same command to copy more than one configuration file.

If you do not include the configFile option, the server.os_xml, adapters.os_xml, acls.os_xml, and schema.user.xml files on the source Oracle Virtual Directory server are copied to the destination Oracle Virtual Directory server.

adapterName

Optional. String format. The name of the adapter on the source Oracle Virtual Directory server that you want to copy to the destination Oracle Virtual Directory server. You can use the adapterName option multiple times in the same command to copy more than one adapter.

If you do not include the adapterName option—but you include the configFile option and specify an adapters.os_xml file, you will overwrite the adapters.os_xml file on the destination Oracle Virtual Directory server.

Surround adapter names that contain space characters with quotation marks ("). For example:

ORACLE_HOME/ovd/bin/syncovdconfig.pl -srcHost sales.west.com -srcPort 8888 \
-dstHost sales.east.com -dstPort 8899 -configFile adapters.os_xml \
-adapterName "Sales Organizations"

isSrcAdminSSL

Optional. Boolean format. Indicates whether or not the administrative Listener on the source Oracle Virtual Directory component is SSL enabled. Supported values are true and false. If the isSrcAdminSSL option is not specified, the default value of true is used.

isDstAdminSSL

Optional. Boolean format. Indicates whether or not the administrative Listener on the destination Oracle Virtual Directory component is SSL enabled. Supported values are true and false. If the isDstAdminSSL option is not specified, the default value of true is used.

Examples

The following are examples of the syncovdconfig command:

  • To synchronize the server.os_xml, adapters.os_xml, acls.os_xml, and schema.user.xml files between two Oracle Virtual Directory components:

    ORACLE_HOME/ovd/bin/syncovdconfig.pl -srcHost sales.west.com -srcPort 8899 \
    -srcUserName cn=orcladmin -dstHost sales.west.com -dstPort 8888 -dstUserName \
    cn=orcladmin -isSrcAdminSSL true -isDstAdminSSL false
    
  • To synchronize only the server.os_xml file between two Oracle Virtual Directory components:

    ORACLE_HOME/ovd/bin/syncovdconfig.pl -srcHost sales.west.com -srcPort 8899 \
    -srcUserName cn=orcladmin -dstHost sales.west.com -dstPort 8888 \
    -dstUserName cn=orcladmin -configFile server.os_xml
    
  • To synchronize multiple files between two Oracle Virtual Directory components:

    ORACLE_HOME/ovd/bin/syncovdconfig.pl -srcHost sales.west.com -srcPort 8899 \
    -srcUserName cn=orcladmin -dstHost sales.west.com -dstPort 8888 \
    -dstUserName cn=orcladmin -configFile server.os_xml -configFile adapters.os_xml
    
  • To synchronize a specific adapter between two Oracle Virtual Directory components:

    ORACLE_HOME/ovd/bin/syncovdconfig.pl -srcHost sales.west.com -srcPort 8899 \
    -srcUserName cn=orcladmin -dstHost sales.west.com -dstPort 8888 \
    -dstUserName cn=orcladmin -configFile server.os_xml \
    -configFile adapters.os_xml -adapterName Sales