After installing and configuring Oracle Authorization Policy Manager, you must reassociate Oracle WebLogic Server with LDAP as follows:
Ensure that the WebLogic Administration Server is up and running. For information about starting the WebLogic Administration Server, see Starting or Stopping the Oracle Stack.
Use an LDAP browser or client, such as JXplorer, to add a new node on the LDAP server that Oracle WebLogic Server is going to associate with:
On the File menu in your LDAP browser, click Connect to connect to your LDAP server. The Open LDAP/DSML Connection screen appears.
In the Host text box, enter the host name of your LDAP server.
In the Port text box, enter the port number.
On the Level drop-down list, choose the User + Password option.
In the User DN text box, enter the base distinguished name of the directory to which you want to connect.
In the Password text box, enter the password. Click OK. If the connection is successful, a list of entries in the Directory Information Tree is displayed in the left navigation pane.
Select the parent entry. From the Edit menu, choose New. The Set Entry Object Classes screen appears.
Select the Suggest Classes check box if you want to view the compulsory object classes for the new entry.
Verify that the Distinguished Name of the parent entry in the Parent DN text box is correct.
In the Enter RDN text box, enter the Relative Distinguished Name of the new entry. For example, to add apm_test_name to the new entry, enter cn=apm_test_name. JXplorer displays the compulsory object classes for the new entry in the Selected Classes pane. Click OK.
If the information about the new entry is correct, click Submit.
Change the association of Oracle WebLogic Server to the new node by using WebLogic Scripting Tool (WLST) or Enterprise Manager:
At the command prompt, change your present working directory to the
At the WLS prompt, use the WLST command reassociateSecurityStore as follows:
wls> reassociateSecurityStore(domain="domainName", admin="cnSpecification", password="passWord", ldapurl="hostAndPort", servertype="ldapSrvrType", jpsroot="cnSpecification" [,join="trueOrfalse"])
| Argument | Description |
|---|---|
| domain | Specifies the name of the domain where the reassociation occurs. |
| admin | Specifies the user name of the administrator on the LDAP server. The format is |
| password | Specifies the password for the administrator on the LDAP server. |
| ldapurl | Specifies the Uniform Resource Identifier (URI) of the LDAP server. The format is |
| servertype | Specifies the type of the target LDAP server. The only valid types are Oracle Internet Directory and Oracle Virtual Directory. |
| jpsroot | Specifies the root node in the target LDAP repository under which all data is migrated. The format is |
| join | Specifies whether the domain shares a policy store specified in another domain. Using this argument allows multiple WebLogic domains to point to the same logical policy store. |
reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldap(s)://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")
If you want a domain other than myDomain, such as yourDomain, to share the policy store in myDomain, then you must run the command as follows:
reassociateSecurityStore(domain="yourDomain", admin="cn=adminName", password="myPass", ldapurl="ldap(s)://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")
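The reassociateSecurityStore call above takes the LDAP administrator password and the directory URL on the command line, and a malformed or mistyped argument (a placeholder such as ldap(s):// left in, an unsupported servertype, a jpsroot that is not a DN) is only discovered when the migration fails part way. The following preflight helper is an added example, not Oracle's code and not part of the WLST tool; it validates the arguments the page describes and assembles the exact WLST call text, warning when the URL uses plain ldap:// so that the administrator credentials and the migrated policy data would cross the network unencrypted. It assumes "OID" and "OVD" as the servertype codes for Oracle Internet Directory and Oracle Virtual Directory ("OID" is from the page's own example; "OVD" is an assumption), and a loose DN syntax check for admin and jpsroot.

```python
"""Preflight checks for a WLST reassociateSecurityStore call (added example, not Oracle code)."""
import re
from urllib.parse import urlsplit

# Server types accepted by reassociateSecurityStore per the documentation:
# Oracle Internet Directory and Oracle Virtual Directory. "OID" comes from the
# page's example; "OVD" for Oracle Virtual Directory is an assumption.
VALID_SERVER_TYPES = {"OID", "OVD"}

# One RDN of the form attr=value (no embedded commas or '=' in the value).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def is_dn(value):
    """Loose check that value looks like an LDAP DN, e.g. cn=adminName or cn=testNode,dc=example."""
    if not value:
        return False
    return all(RDN_RE.match(rdn.strip()) for rdn in value.split(","))


def check_ldap_url(ldapurl):
    """Validate ldapurl and return (host, port, is_tls). Raises ValueError if malformed.

    Rejects the documentation's "ldap(s)://" placeholder notation, which is not a
    real scheme and must be replaced by ldap:// or ldaps:// before the call.
    """
    parts = urlsplit(ldapurl)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("ldapurl must start with ldap:// or ldaps://, got %r" % ldapurl)
    if not parts.hostname or parts.port is None:
        raise ValueError("ldapurl must have the form scheme://host:port, got %r" % ldapurl)
    return parts.hostname, parts.port, parts.scheme == "ldaps"


def build_reassociate_call(domain, admin, password, ldapurl, servertype, jpsroot, join=None):
    """Validate every argument and return (wlst_command_text, warnings).

    The returned text is the command to paste at the wls> prompt; warnings are
    non-fatal findings an operator should review before running it.
    """
    warnings = []
    if not domain:
        raise ValueError("domain is required")
    if not is_dn(admin):
        raise ValueError("admin must be a DN such as cn=adminName, got %r" % admin)
    if not password:
        raise ValueError("password is required")
    _host, _port, is_tls = check_ldap_url(ldapurl)
    if not is_tls:
        warnings.append(
            "ldapurl uses ldap://: the LDAP administrator password and the migrated "
            "policy and credential data are sent unencrypted; prefer ldaps://"
        )
    if servertype not in VALID_SERVER_TYPES:
        raise ValueError("servertype must be one of %s, got %r" % (sorted(VALID_SERVER_TYPES), servertype))
    if not is_dn(jpsroot):
        raise ValueError("jpsroot must be a DN such as cn=testNode, got %r" % jpsroot)

    args = [
        'domain="%s"' % domain,
        'admin="%s"' % admin,
        'password="%s"' % password,
        'ldapurl="%s"' % ldapurl,
        'servertype="%s"' % servertype,
        'jpsroot="%s"' % jpsroot,
    ]
    if join is not None:
        if join not in ("true", "false"):
            raise ValueError('join must be "true" or "false", got %r' % join)
        args.append('join="%s"' % join)
    return "reassociateSecurityStore(%s)" % ", ".join(args), warnings


if __name__ == "__main__":
    # Constructed sample values mirroring the page's example (not a real deployment).
    cmd, warns = build_reassociate_call(
        "myDomain", "cn=adminName", "myPass", "ldaps://myhost.example.com:3060", "OID", "cn=testNode"
    )
    print(cmd)
    for w in warns:
        print("WARNING:", w)
```

Run the script with the values you intend to use; only when it returns no warnings and raises no error should the printed command be pasted at the wls> prompt. The password is still part of the generated text, as WLST requires, so clear the shell history afterwards as you would for any command that carries a credential.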
Using Enterprise Manager
Log in to Oracle Enterprise Manager.
Navigate to your WebLogic domain.
Right-click and choose Security > Security Provider Configuration.
Click Change Association.
On the Set Security Provider page, in the LDAP Server Details section, select the LDAP server type, host name, port number, connection string, and password.
In the LDAP Root Node Details section, enter a distinguished name for the JPS root.
Select the Create New Domain option if you want to create a new policy and credential domain on LDAP.
Note: To join a specified existing domain, do not select the Create New Domain option.
In the Domain Name text box, enter a name for the domain.
Note: After the reassociation, CredentialStore, SystemPolicy and apm are migrated to the node. You can verify them through an LDAP management tool, such as JXplorer.