8 Getting Started with Administering Oracle Virtual Directory

Oracle Virtual Directory can be administered from both a graphical user interface and a command-line interface. This chapter describes those Oracle Virtual Directory management interfaces, and explains how to start and stop Oracle Virtual Directory.

Note:

This chapter assumes you have installed and configured Oracle Virtual Directory as described in: Oracle Fusion Middleware Quick Installation Guide for Oracle Identity Management.

This chapter includes the following topics:

Getting Started After Installing 11g Release 1 (11.1.1)

After installing 11g Release 1 (11.1.1), Oracle recommends:

  • Reviewing Appendix A, "Comparing Oracle Virtual Directory 11g Release 1 (11.1.1) and 10g Releases (10.1.4.x)" to understand how fundamental items in Oracle Virtual Directory are implemented in 11g Release 1 (11.1.1) compared to legacy Oracle Virtual Directory 10g Releases (10.1.4.x).

  • Reviewing Appendix B, "Starting and Stopping the Oracle Stack" to understand how to start and stop the components of the Oracle stack in 11g Release 1 (11.1.1).

  • Reviewing Table 8-1 to understand the default URLs for various interfaces that can be used to manage Oracle Virtual Directory in 11g Release 1 (11.1.1):

    Table 8-1 Default URLs for Management Interfaces

    Interface                                        Default URL
    Oracle Directory Services Manager                http://host:7005/odsm/
    Fusion Middleware Control                        http://host:7001/em/
    Oracle WebLogic Server Administrative Console    http://host:7001/console/

  • Reviewing Table 8-2 to understand various default ports for Oracle Virtual Directory in 11g Release 1 (11.1.1):

    Table 8-2 Default Ports

    Port Type             Default Port
    LDAP                  6501
    LDAPS                 7501
    Admin Port (HTTPS)    8899

  • Reviewing Table 8-3 to understand various environment variables for Oracle Virtual Directory 11g Release 1 (11.1.1):

    Table 8-3 Environment Variables

    Variable           Description
    ORACLE_HOME        The location of non-writable files in your Oracle Identity Management installation.
    ORACLE_INSTANCE    The location of writable files in your Oracle Identity Management installation.
    PATH               Add the following directory locations to your PATH:
                       • $ORACLE_HOME/bin
                       • $ORACLE_HOME/ldap/bin
                       • $ORACLE_INSTANCE/bin

Basic Tasks for Configuring and Managing Oracle Virtual Directory

The following provides an overview of the steps commonly used to configure and manage a basic Oracle Virtual Directory environment:

  1. Configure Oracle Virtual Directory server by customizing its settings to be specific to your environment. For more information, refer to:

  2. Create and configure adapters for the target data repositories. For more information, refer to:

  3. Configure plug-ins for your environment. For more information, refer to:

  4. Configure Access Control Lists for Oracle Virtual Directory. For more information, refer to:

Getting Started With Oracle Directory Services Manager

This topic explains how to set up the Oracle Directory Services Manager interface for use with Oracle Virtual Directory and contains the following sections:

Understanding Oracle Directory Services Manager

Oracle Directory Services Manager is the unified browser-based graphical user interface (GUI) for Oracle Virtual Directory and Oracle Internet Directory. Oracle Directory Services Manager simplifies the administration and configuration of Oracle Virtual Directory and Oracle Internet Directory by allowing you to use web-based forms and templates.

Notes:

  • Only the superuser (usually cn=orcladmin) can log in to Oracle Directory Services Manager.

  • The user name of the superuser used to log in to Oracle Directory Services Manager must be comprised of only ASCII characters. You cannot log in to Oracle Directory Services Manager using a user name of the superuser that contains non-ASCII characters.

Refer to the Oracle Identity Management Certification Information on the Oracle Technology Network web site for information about supported browsers for Oracle Directory Services Manager. You can access the Oracle Technology Network web site at:

http://www.oracle.com/technology/index.html

Invoking Oracle Directory Services Manager

You can invoke Oracle Directory Services Manager directly or from Oracle Enterprise Manager Fusion Middleware Control as follows:

  • To invoke Oracle Directory Services Manager directly, enter the following URL into your browser's address field.

    http://host:port/odsm
    

    In the URL to access Oracle Directory Services Manager, host is the name of the managed server where Oracle Directory Services Manager is running. port is the managed server port number from the WebLogic server.

    You can determine the exact port number by examining the following file, where ORACLE_IDENTITY_MANAGEMENT_DOMAIN represents the root directory of the Oracle WebLogic Server Domain for Oracle Identity Management components:

    $ORACLE_IDENTITY_MANAGEMENT_DOMAIN/servers/MANAGED_SERVER_NAME/data/nodemanager/MANAGED_SERVER_NAME.url

  • To invoke Oracle Directory Services Manager from Oracle Enterprise Manager Fusion Middleware Control, select one of the options from the Directory Services Manager entry in the Oracle Virtual Directory menu in the Oracle Virtual Directory target. A new browser window containing the Oracle Directory Services Manager Welcome screen appears.

Logging in to the Directory Server from Oracle Directory Services Manager

When the Oracle Directory Services Manager Welcome screen appears, you can connect to either an Oracle Internet Directory server or an Oracle Virtual Directory server. The following is a list of items to consider regarding logging in to a directory server from Oracle Directory Services Manager:

  • The directory server must be running to connect to it from Oracle Directory Services Manager.

  • Only the superuser (usually cn=orcladmin) can log in to Oracle Directory Services Manager.

  • The user name of the superuser used to log in to Oracle Directory Services Manager must be comprised of only ASCII characters. You cannot log in to Oracle Directory Services Manager using a user name of the superuser that contains non-ASCII characters.

  • After you have logged in to Oracle Directory Services Manager, you can connect to multiple Oracle Virtual Directory and Oracle Internet Directory components from the same Oracle Directory Services Manager session (that is, the same browser window). However, you should avoid using multiple browser windows of the same browser program to connect to different directories at the same time. Doing so can cause a Target unreachable error.

  • You can use the same Oracle Directory Services Manager component with different browser programs, such as Internet Explorer and Firefox, and connect each to a different directory system component.

  • If you change the browser language setting, you must update the session in order to use the new setting. To update the session, either reenter the Oracle Directory Services Manager URL in the URL field and press Enter, or quit and restart the browser.

This section contains the following topics:

Logging in to the Directory Server from Oracle Directory Services Manager

You log in to a directory server's non-SSL port from Oracle Directory Services Manager as follows:

  1. Click Connect to a directory at the top of the Oracle Directory Services Manager Welcome screen. A menu containing the following appears:

    • A list of live connections, which are current connections that you can return to.

      Note:

      To reconnect to a live connection, click it. You will see a short version of the Connect dialog box where you need to enter only a user name and password. To remove a live connection from the list, click it and then click Remove on the Connect dialog box.
    • A Create a New Connection option, which is used to initiate a new connection.

      To initiate a connection to a new directory server, click Create a New Connection. The New Connection Dialog appears. Continue the log in process using the following steps.

  2. Select OID or OVD.

  3. Optionally, enter an alias name in the Name field to identify the connection. This name will appear in the list of live connections (as described in Step 1) to enable you to quickly reconnect to it after ending the current Oracle Directory Services Manager session.

  4. Enter the name of the server where Oracle Internet Directory or Oracle Virtual Directory is running in the Name field.

  5. Enter the non-SSL port in the Port field. For Oracle Virtual Directory, enter the non-SSL port for the Admin Listener. For Oracle Internet Directory, enter the non-SSL LDAP port.

  6. Deselect SSL Enabled.

  7. Enter the superuser (usually cn=orcladmin) and password.

    Note:

    The user name of the superuser must be comprised of only ASCII characters.

  8. Select the Start Page you want to go to after logging in.

  9. Click Connect.

After you have logged in to an Oracle Internet Directory or Oracle Virtual Directory server, you can use the navigation tabs to select other pages.

The Oracle Directory Services Manager home pages for Oracle Internet Directory and Oracle Virtual Directory list version information about Oracle Directory Services Manager itself, as well as the directory and adapters. It also lists the existing configured adapters for Oracle Virtual Directory.

Logging in to the Directory Server from Oracle Directory Services Manager Using SSL

When you log in to the server's SSL port, you follow the procedure in "Logging in to the Directory Server from Oracle Directory Services Manager", except that you specify the SSL port in Step 4 and select SSL Enabled in Step 6. Specifically, you enter the SSL port for the Admin Listener for Oracle Virtual Directory, or you enter the SSL LDAP port for Oracle Internet Directory. Then, after you click Connect in Step 9, you might be presented with a certificate, depending on the type of SSL authentication. The following sections provide information on handling the certificate for each supported SSL authentication type:

SSL No Authentication

If the directory server is using SSL No Authentication mode, you will not be presented with a certificate. SSL No Authentication provides data confidentiality and integrity, but no authentication using X.509 certificates.

SSL Server Only Authentication

If the directory server is using SSL Server Authentication Only Mode, which is the default for Oracle Virtual Directory, you will be presented with the server's certificate when you click Connect in Step 9. After manually verifying the authenticity of the server certificate, you can accept the certificate permanently, accept the certificate for the current session only, or reject the certificate. If you accept the certificate permanently, the certificate is stored in the Oracle Directory Services Manager's Java Key Store (JKS). From then on, you will not be prompted to accept the certificate when you connect to that server using that particular Oracle Directory Services Manager URL. If you accept the certificate only for the current session, you will be prompted to accept or reject the certificate every time you connect to the server. If you reject the certificate, Oracle Directory Services Manager closes the connection to the server.

Refer to "Managing Oracle Directory Services Manager's Key Store" for additional information.

Managing Oracle Directory Services Manager's Key Store

Oracle Directory Services Manager is integrated with the Credential Store Framework, a secure storage framework provided by Oracle. This section explains how to manage Oracle Directory Services Manager's credentials and contains the following topics:

Understanding Oracle Directory Services Manager's Key Store

Oracle Directory Services Manager creates a Java Key Store file and assigns a random password to the JKS the first time Oracle Directory Services Manager is used. The JKS file has the name odsm.cer. It resides in a directory with a name of the form:

ORACLE_IDENTITY_MANAGEMENT_DOMAIN/servers/MANAGED_SERVER_NAME/tmp/_WL_user/odsm_11.1.1.1.0/RANDOM_NUMBER/war/conf

Oracle Directory Services Manager stores this random password in the Credential Store Framework. The WebLogic server administrator can retrieve the Java Key Store password stored in the Credential Store Framework. Oracle Directory Services Manager also generates a self-signed certificate for itself and stores it in the Java Key Store file. The only purpose for this keystore is to store back-end CA certificates.

Retrieving Oracle Directory Services Manager's Java Key Store Password

To manage Oracle Directory Services Manager's Java Key Store, you must first retrieve Oracle Directory Services Manager's Java Key Store password. The WebLogic administrator can retrieve it using the WLST as follows:

  1. Start the WLST shell:

    ORACLE_HOME/common/bin/wlst.sh
    
  2. Enter connect() and provide the username, password, and URL to the Admin Server.

  3. Enter the following listCred() method to retrieve Oracle Directory Services Manager's Java Key Store password:

    listCred( map="ODSMMap", key="ODSMKey.Wallet" )
    

See Also:

The "Managing Credentials with WLST Commands" section in the Oracle Fusion Middleware Security Guide for more information.

Listing the Contents of the Trusted Certificate

After you retrieve the Java Key Store password, you can manage the keystore using the keytool command.

To list contents of odsm.cer:

  1. Move (cd) to the directory containing the odsm.cer, for example:

    cd ORACLE_IDENTITY_MANAGEMENT_DOMAIN/servers/MANAGED_SERVER_NAME/tmp/_WL_user/odsm_11.1.1.1.0/5z2ikx/war/conf
    
  2. Use keytool to list the contents of odsm.cer, for example:

    ORACLE_HOME/jdk/jre/bin/keytool -list -keystore odsm.cer \
    -storepass "JKS_PASSWORD" -v
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    Alias name: serverselfsigned
    Creation date: Dec 26, 2008
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
    Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
    Serial number: 495586b6
    Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
    Certificate fingerprints:
             MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
             SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
             Signature algorithm name: SHA1withRSA
             Version: 3
    
    
    *******************************************
    *******************************************
    
    Alias name: cn=rootca, o=oracle, c=us (0)
    Creation date: Dec 31, 2008
    Entry type: trustedCertEntry
    
    Owner: CN=RootCA, O=Oracle, C=US
    Issuer: CN=RootCA, O=Oracle, C=US
    Serial number: 0
    Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
    Certificate fingerprints:
             MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
             SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
             Signature algorithm name: MD5withRSA
             Version: 1
    
    
    *******************************************
    *******************************************
    

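Reviewing the listing above by eye works for two entries but not for a keystore that has accumulated permanently accepted server certificates over years. The following is an added example, not part of the Oracle documentation or the ODSM product: it parses the text that keytool -list -v prints for odsm.cer and reports entries with weak signature algorithms, expired validity, or self-signed trust anchors. The sample listing is constructed from the chapter's own output (abridged to one field per line); the weak-algorithm set is this example's own policy.

```python
"""Audit entries in ODSM's odsm.cer from the text that keytool -list -v prints."""
import re
from datetime import datetime

# Constructed sample, abridged from the chapter's listing: one field per line.
SAMPLE_LISTING = """\
Your keystore contains 2 entries

Alias name: serverselfsigned
Entry type: PrivateKeyEntry
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Entry type: trustedCertEntry
Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Signature algorithm name: MD5withRSA
Version: 1
"""

# Signature algorithms this example's policy no longer accepts on a trust anchor.
WEAK_SIG_ALGS = {"MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA"}
_DATE = r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}"
_VALID_RE = re.compile(rf"Valid from: ({_DATE}) until: ({_DATE})")


def _parse_keytool_date(text):
    # keytool prints e.g. "Fri Dec 26 17:36:54 PST 2008"; the zone token is
    # dropped because strptime cannot parse arbitrary zone names portably.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_keytool_listing(listing):
    """Split keytool -list -v output into one dict per keystore entry."""
    entries = []
    for block in re.split(r"\n\*{10,}\n\*{10,}\n", listing):
        def field(name):
            m = re.search(rf"^{name}: (.+)$", block, re.M)
            return m.group(1).strip() if m else None
        if field("Alias name") is None:
            continue  # header text before the first entry
        valid = _VALID_RE.search(block)
        entries.append({
            "alias": field("Alias name"),
            "entry_type": field("Entry type"),
            "owner": field("Owner"),
            "issuer": field("Issuer"),
            "sig_alg": field("Signature algorithm name"),
            "not_after": _parse_keytool_date(valid.group(2)) if valid else None,
        })
    return entries


def audit_entries(entries, now=None):
    """Return {alias: [findings]} for entries that deserve a second look."""
    now = now or datetime.now()
    findings = {}
    for e in entries:
        problems = []
        if e["sig_alg"] in WEAK_SIG_ALGS:
            problems.append("weak signature algorithm " + e["sig_alg"])
        if e["not_after"] is not None and e["not_after"] < now:
            problems.append("expired")
        if e["entry_type"] == "trustedCertEntry" and e["owner"] == e["issuer"]:
            problems.append("self-signed trust anchor; confirm it was accepted deliberately")
        if problems:
            findings[e["alias"]] = problems
    return findings


if __name__ == "__main__":
    for alias, problems in audit_entries(parse_keytool_listing(SAMPLE_LISTING)).items():
        print(alias + ": " + "; ".join(problems))
```

Run it against the real file by piping the keytool command from Step 2 into the script in place of SAMPLE_LISTING; an alias that should not be trusted is then removed with the keytool -delete command shown in the next section.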
Deleting the Trusted Certificate

To delete trusted certificates in odsm.cer:

  1. Move (cd) to the directory containing the odsm.cer, for example:

    cd ORACLE_IDENTITY_MANAGEMENT_DOMAIN/servers/MANAGED_SERVER_NAME/tmp/_WL_user/odsm_11.1.1.1.0/5z2ikx/war/conf
    
  2. Use keytool to delete a trusted certificate from odsm.cer by its alias, for example:

    ORACLE_HOME/jdk/jre/bin/keytool -delete -keystore odsm.cer \
    -storepass "JKS_PASSWORD" -alias "cn=rootca, o=oracle, c=us (0)"
    [Storing odsm.cer]
    

Configuring Oracle HTTP Server to Support Oracle Directory Services Manager in an Oracle WebLogic Server Cluster

Perform the following steps to configure Oracle HTTP Server to route Oracle Directory Services Manager requests to multiple Oracle WebLogic Servers in a clustered Oracle WebLogic Server environment:

  1. Create a backup copy of the Oracle HTTP Server's httpd.conf file. The backup copy will provide a source to revert back to if you encounter problems after performing this procedure.

  2. Add the following text to the end of the Oracle HTTP Server's httpd.conf file and replace the variable placeholder values with the host names and managed server port numbers specific to your environment. Be sure to use the <Location /odsm/ > as the first line in the entry. Using <Location /odsm/faces > or <Location /odsm/faces/odsm.jspx > can distort the appearance of the Oracle Directory Services Manager interface.

    <Location /odsm/ >
    SetHandler weblogic-handler
    WebLogicCluster host-name-1:managed-server-port-1,host-name-2:managed-server-port-2
    </Location>

  3. Stop, then start the Oracle HTTP Server to activate the configuration change.

Note:

Oracle Directory Services Manager loses its connection and displays a session time-out message if the Oracle WebLogic Server in the cluster that it is connected to fails. Oracle Directory Services Manager requests will be routed to the secondary Oracle WebLogic Server in the cluster that you identified in the httpd.conf file after you log back in to Oracle Directory Services Manager.

Getting Started With Fusion Middleware Control

This topic explains how to get started using Oracle Enterprise Manager Fusion Middleware Control with Oracle Virtual Directory. It contains the following sections:

Note:

If Oracle Virtual Directory is configured to listen on privileged ports, ensure OPMN was started as the superuser (root) before starting, stopping, or restarting Oracle Virtual Directory using Oracle Enterprise Manager Fusion Middleware Control as described in this topic. Refer to Chapter 10, "Managing Oracle Virtual Directory Server Processes" for more information.

Invoking Fusion Middleware Control to Manage Oracle Virtual Directory

Oracle Enterprise Manager Fusion Middleware Control is a graphical user interface that provides a comprehensive systems management platform for Oracle Fusion Middleware. Oracle Enterprise Manager Fusion Middleware Control organizes a wide variety of performance data and administrative functions into distinct, Web-based home pages for the farm, Oracle Fusion Middleware components, middleware system components, and applications.

Oracle Virtual Directory is a target type in Oracle Enterprise Manager Fusion Middleware Control. To use the Oracle Enterprise Manager Fusion Middleware Control interface to manage Oracle Virtual Directory:

  1. Connect to Oracle Enterprise Manager Fusion Middleware Control using a web browser. The URL is of the form:

    https://host:port/em
    
  2. In the left panel topology tree, expand the farm, then Fusion Middleware, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Virtual Directory components are listed in both places.

    To distinguish one component from another, move the mouse over the component name and view the full name of the component in the tool tip.

  3. Select the Oracle Virtual Directory component you want to manage.

  4. Use the Oracle Virtual Directory menu to select tasks.

You can use the Oracle Virtual Directory menu to navigate to other Oracle Enterprise Manager Fusion Middleware Control pages for Oracle Virtual Directory and to navigate to Oracle Directory Services Manager pages for Oracle Virtual Directory.

Starting the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to start an Oracle Virtual Directory server that is not running using Oracle Enterprise Manager Fusion Middleware Control. To restart an Oracle Virtual Directory server that is running, refer to Restarting the Oracle Virtual Directory Server Using Fusion Middleware Control.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to start.

  2. Select Control from the Oracle Virtual Directory menu and then select Start Up. A dialog box appears listing messages and the status of the target.

  3. Click OK on the message dialog box to close it.

Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to stop a running Oracle Virtual Directory server using Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to stop.

  2. Select Control from the Oracle Virtual Directory menu and then select Shut Down. A confirmation dialog box appears asking you to confirm that you want to stop the Oracle Virtual Directory server.

  3. Click Yes on the dialog box to stop the Oracle Virtual Directory server. A dialog box appears listing messages and the status of the target.

  4. Click OK on the message dialog box to close it.

Restarting the Oracle Virtual Directory Server Using Fusion Middleware Control

Perform the following steps to restart an Oracle Virtual Directory server that is currently running using Oracle Enterprise Manager Fusion Middleware Control.

Note:

Restarting an Oracle Virtual Directory server that is running reloads all the server configurations from the file system. Restarting an Oracle Virtual Directory server that is running will not stop the server process.

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target you want to restart.

  2. Select Control from the Oracle Virtual Directory menu and then select Restart. A confirmation dialog box appears asking you to confirm that you want to restart the Oracle Virtual Directory server.

  3. Click Yes on the dialog box to restart the Oracle Virtual Directory server. A dialog box appears listing messages and the status of the target.

  4. Click OK on the message dialog box to close it.

Monitoring Oracle Virtual Directory Using Fusion Middleware Control Metrics

You can use Oracle Enterprise Manager Fusion Middleware Control to view multiple types of metrics for the Oracle Virtual Directory server. The Oracle Virtual Directory server must be running to view its metrics using Oracle Enterprise Manager Fusion Middleware Control. You can access the metrics from the following locations in Oracle Enterprise Manager Fusion Middleware Control:

  • The Oracle Virtual Directory Home page

  • The Oracle Virtual Directory Performance Summary page

Home Page

To view the metrics on the Oracle Virtual Directory Home page, log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target that you want to view metrics for. The Home page appears displaying the statistics.

Table 8-4 lists the statistics that are available on the Oracle Virtual Directory Home page:

Table 8-4 Metrics Available on the Home Page

Subject Metric

Current Load

  • Open Connections: number of clients connected to Oracle Virtual Directory server.

  • Distinct Connected Users: number of unique users connected to Oracle Virtual Directory server.

  • Distinct Connected IP Addresses: number of unique IP addresses connected to Oracle Virtual Directory server.

Resource Usage

  • Percent of CPU being utilized on the Oracle Virtual Directory host

  • Percent of memory being utilized on the Oracle Virtual Directory host

Average Response Time and Operations

  • Average time to complete an LDAP search request.

  • Number of LDAP search requests.

Listeners

Displays a table of configured Oracle Virtual Directory Listeners, including:

  • Listener name

  • Whether the Listener is enabled or disabled

  • Listener type

  • Port the listener listens on

Adapters

Displays a table of configured Oracle Virtual Directory Adapters, including:

  • Adapter name

  • Whether the adapter is enabled or disabled

  • Adapter type

  • Number of searches performed by the adapter

  • Total number of operations performed by the adapter


Performance Summary Page

The Performance Summary page allows you to choose a variety of metrics to display in a time based context. You can customize the metrics displayed on the Performance Summary page using the Metric Palette. Refer to the Oracle Fusion Middleware Administrator's Guide for more information on using the Metric Palette.

To view the metrics on the Performance Summary page:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target that you want to view metrics for.

  2. Select Monitoring and then Performance Summary from the Oracle Virtual Directory menu. The Performance Summary page appears.

Refer to Table D-1 for a list and description of the metrics that are available on the Performance Summary page.

Getting Started with WLST for Oracle Virtual Directory

You can use the WebLogic Scripting Tool (WLST) as the interface to perform several Oracle Virtual Directory administration and management tasks. While there are several tasks and procedures in this document that explain how to use WLST, you should refer to the following documents for complete information:

Important:

After you install Oracle Virtual Directory or after you restart the Oracle WebLogic Server, you must execute the WLST load() method before you execute any other WLST command.

Additionally, Oracle recommends executing the WLST load() method before executing any WLST command on the Oracle Virtual Directory MBean. Executing the load() method refreshes the MBean to the current configuration.

LDAP Tools Usage

The LDAP tools (ldapadd, ldapdelete, ldapbind, and so on) for Oracle Virtual Directory have been modified to prevent exposing passwords. Use the -q option instead of the -w option for user passwords, and use the -Q option instead of the -P option for wallet passwords. Commands will prompt you for the password when you use the -q and -Q options.

You can disable the -w and -P password options by setting the LDAP_PASSWORD_PROMPTONLY environment variable to TRUE or 1. Set this environment variable whenever possible.
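Before setting LDAP_PASSWORD_PROMPTONLY on a host, it helps to know which existing scripts and shell histories still pass -w or -P and would start failing. The following is an added example, not part of the Oracle documentation: it scans command lines for invocations of the Oracle Virtual Directory ldap* tools that carry an inline password and names the prompting option to use instead. The sample history is constructed; ldapadd, ldapdelete and ldapbind are named in the chapter, and the other tool names in LDAP_TOOLS are assumed members of the same family.

```python
"""Find Oracle Virtual Directory ldap* tool invocations that pass a password inline."""
import shlex

# ldapadd, ldapdelete and ldapbind are named in the chapter; the remaining
# names are assumed members of the same tool family.
LDAP_TOOLS = {"ldapadd", "ldapbind", "ldapdelete", "ldapmodify", "ldapsearch",
              "ldapcompare", "ldapmoddn"}
# Option that exposes a password on the command line -> prompting replacement.
INLINE_PASSWORD_OPTS = {"-w": "-q", "-P": "-Q"}

# Constructed sample of a shell history / maintenance script.
SAMPLE_HISTORY = """\
ldapbind -h ovd.example.com -p 6501 -D cn=orcladmin -w welcome1
$ORACLE_HOME/bin/ldapsearch -h ovd.example.com -p 6501 -D cn=orcladmin -q -b "" -s base "objectclass=*"
ldapadd -h ovd.example.com -p 7501 -P walletpw -D cn=orcladmin -q -f users.ldif
grep -w orcladmin users.ldif   # -w here is grep's word match, not a password
"""


def audit_command(line):
    """Return [(offending_option, prompting_replacement), ...] for one command line."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not a command we can judge
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] not in LDAP_TOOLS:
        return []
    hits = []
    for tok in argv[1:]:
        for bad, good in INLINE_PASSWORD_OPTS.items():
            # Catch both "-w secret" and the glued form "-wsecret".
            if tok == bad or (tok.startswith(bad) and len(tok) > len(bad)):
                hits.append((bad, good))
    return hits


def audit_script(text):
    """Map 1-based line numbers to findings; an empty dict means nothing to fix."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = audit_command(line)
        if hits:
            report[lineno] = hits
    return report


if __name__ == "__main__":
    for lineno, hits in sorted(audit_script(SAMPLE_HISTORY).items()):
        for bad, good in hits:
            print(f"line {lineno}: replace {bad} with {good}")
```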