Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management (Oracle Fusion Applications Edition)
11g Release 1 (11.1.2)

Part Number E21032-03

9 Extending the Domain with Oracle Virtual Directory

This chapter describes how to extend the domain with Oracle Virtual Directory (OVD) in the enterprise deployment.

This chapter includes the following topics:

Follow these steps to configure the Oracle Virtual Directory components on OVDHOST1 and OVDHOST2 on the directory tier. The procedures for the two installations are very similar, but the selections on the configuration options screen differ.

9.1 Prerequisites for Configuring Oracle Virtual Directory Instances

Before configuring the Oracle Virtual Directory instances on OVDHOST1 and OVDHOST2, ensure that the following tasks have been performed:

  1. Install and upgrade the software on OVDHOST1 and OVDHOST2 as described in the following sections.

  2. If you plan on provisioning the Oracle Virtual Directory instances on shared storage, ensure that the appropriate shared storage volumes are mounted on OVDHOST1 and OVDHOST2 as described in Section 2.4, "Shared Storage and Recommended Directory Structure."

  3. Ensure that the load balancer is configured as described in Section 2.2.2, "Configuring Virtual Server Names and Ports on the Load Balancer."

9.2 When to use Oracle Virtual Directory

Use of Oracle Virtual Directory is strongly recommended for all Identity Store deployments. This includes cases where your Identity Store uses multiple directories or a single directory (including Oracle Internet Directory).

9.3 Configuring the Oracle Virtual Directory Instances

This section contains the following topics:

  • Section 9.3.1, "Configuring the First Oracle Virtual Directory Instance"

  • Section 9.3.2, "Configuring an Additional Oracle Virtual Directory"

9.3.1 Configuring the First Oracle Virtual Directory Instance

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On UNIX:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign ports 6501 and 7501, as follows:

    Port                                        Value
    Non SSL Port for Oracle Virtual Directory   6501
    SSL Port for Oracle Virtual Directory       7501


  4. Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/ovd_inst1

    • Oracle Instance Name: ovd_inst1

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and then click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: administrator_password

    • Confirm Password: administrator_password

    Select Configure the Administrative Server in secure mode.

    Click Next.

  12. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  13. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

    Click Next.

  14. On the Installation Complete screen, click Finish to confirm your choice to exit.

  15. To validate the installation of the Oracle Virtual Directory instance on OVDHOST1, issue this command:

    ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME (set to IDM_ORACLE_HOME)

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      ORACLE_HOME/bin

      ORACLE_HOME/ldap/bin

      ORACLE_HOME/ldap/admin

9.3.2 Configuring an Additional Oracle Virtual Directory

The schema database must be running before you perform this task. Follow these steps to install Oracle Virtual Directory on OVDHOST2:

  1. Ensure that ports 6501 and 7501 are not in use by any service on the computer by issuing these commands for the operating system you are using. If a port is not in use, no output is returned from the command.

    On UNIX:

    netstat -an | grep "6501"
    netstat -an | grep "7501"
    

    If the ports are in use (that is, if the command returns output identifying either port), you must free the port.

    On UNIX:

    Remove the entries for ports 6501 and 7501 in the /etc/services file and restart the services, as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components," or restart the computer.

  2. Copy the staticports.ini file from the Disk1/stage/Response directory to a temporary directory.

  3. Edit the staticports.ini file that you copied to the temporary directory to assign the following custom ports:

    Port                                        Value
    Non SSL Port for Oracle Virtual Directory   6501
    SSL Port for Oracle Virtual Directory       7501

  4. Start the Oracle Identity Management 11g Configuration Assistant by running IDM_ORACLE_HOME/bin/config.sh.

  5. On the Welcome screen, click Next.

  6. On the Select Domain screen, select Configure without a Domain.

    Click Next.

  7. On the Specify Installation Location screen, specify the following values:

    • Oracle Instance Location: /u01/app/oracle/admin/ovd_inst2

    • Oracle Instance Name: ovd_inst2

    Click Next.

  8. On the Specify Email for Security Updates screen, specify these values:

    • Email Address: Provide the email address for your My Oracle Support account.

    • Oracle Support Password: Provide the password for your My Oracle Support account.

    • Check the check box next to the I wish to receive security updates via My Oracle Support field.

    Click Next.

  9. On the Configure Components screen, select Oracle Virtual Directory, deselect all the other components, and click Next.

  10. On the Configure Ports screen, select Specify Ports Using Configuration File and enter the full path name to the staticports.ini file that you edited in the temporary directory.

    Click Next.

  11. On the Specify Virtual Directory screen: In the Client Listeners section, enter:

    • LDAP v3 Name Space: dc=mycompany,dc=com

    In the OVD Administrator section, enter:

    • Administrator User Name: cn=orcladmin

    • Password: administrator_password

    • Confirm Password: administrator_password

    Select Configure the Administrative Server in secure mode.

    Click Next.

  12. On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens. When they are correct, click Configure.

  13. On the Configuration screen, multiple configuration assistants are launched in succession. This process can be lengthy. Wait for the configuration process to finish.

    Click Next.

  14. On the Installation Complete screen, click Finish to confirm your choice to exit.

  15. To validate the installation of the Oracle Virtual Directory instance on OVDHOST2, issue these commands:

    ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
    ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
    

    Note:

    Ensure that the following environment variables are set before using ldapbind:

    • ORACLE_HOME (set to IDM_ORACLE_HOME)

    • ORACLE_INSTANCE

    • PATH - The following directory locations should be in your PATH:

      ORACLE_HOME/bin

      ORACLE_HOME/ldap/bin

      ORACLE_HOME/ldap/admin
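Step 1 of both procedures above checks ports 6501 and 7501 with `netstat -an | grep "6501"`. The following script is an added example, not part of the Oracle guide: it parses netstat output and matches the local port exactly, which goes beyond the guide's substring grep (a grep for "6501" also matches port 16501, or a remote peer that happens to use port 7501, and so reports a free port as busy). The netstat lines embedded below are constructed for the example and use the Linux column layout; `live_ports_in_use` runs the real `netstat -an` on the host when it is available.

```python
"""Pre-flight port check for an Oracle Virtual Directory instance (added example)."""
import re
import subprocess
from typing import Iterable, Optional, Set

# Ports the chapter assigns in staticports.ini.
OVD_PORTS = {6501, 7501}

# Constructed sample of "netstat -an" output (Linux layout): port 7501 has a real
# listener, port 6501 is free (16501 is a different port, and 10.0.0.9:7501 is the
# remote end of an established connection, not a local socket).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:16501           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45012          10.0.0.9:7501           ESTABLISHED
tcp6       0      0 :::7501                 :::*                    LISTEN
"""

# Trailing port after the last ':' (Linux, IPv4/IPv6) or '.' (Solaris/AIX "*.6501").
_PORT_SUFFIX = re.compile(r"[:.](\d+)$")


def local_port(line: str) -> Optional[int]:
    """Return the local port of one netstat socket line, or None for header/other lines."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
        return None
    match = _PORT_SUFFIX.search(fields[3])   # fields[3] is the Local Address column
    return int(match.group(1)) if match else None


def ports_in_use(lines: Iterable[str], wanted: Set[int]) -> Set[int]:
    """Subset of `wanted` that appears as a *local* port in the netstat output."""
    return {port for port in map(local_port, lines) if port in wanted}


def grep_style_hits(lines: Iterable[str], port: int) -> int:
    """Count lines that merely contain the digits, i.e. what `grep "6501"` would report."""
    return sum(1 for line in lines if str(port) in line)


def live_ports_in_use(wanted: Set[int] = OVD_PORTS) -> Set[int]:
    """Run netstat on this host; returns an empty set if netstat is not installed."""
    try:
        completed = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return set()
    return ports_in_use(completed.stdout.splitlines(), wanted)


if __name__ == "__main__":
    lines = SAMPLE_NETSTAT.splitlines()
    busy = ports_in_use(lines, OVD_PORTS)
    for port in sorted(OVD_PORTS):
        state = "IN USE - free it before running config.sh" if port in busy else "free"
        print(f"port {port}: {state} (a plain grep would match {grep_style_hits(lines, port)} line(s))")
```

On the constructed sample the script reports 7501 as in use and 6501 as free, while the substring grep flags one line for 6501 (the 16501 listener) and two for 7501. Run it with `live_ports_in_use()` on OVDHOST1 and OVDHOST2 before starting config.sh; if a port is busy, free it as the step describes.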

9.4 Post-Configuration Steps

This section contains the following topics:

  • Section 9.4.1, "Registering Oracle Virtual Directory with the Oracle WebLogic Server Domain"

  • Section 9.4.2, "Configuring Oracle Virtual Directory to Accept Server Authentication Only Mode SSL Connections"

9.4.1 Registering Oracle Virtual Directory with the Oracle WebLogic Server Domain

All the Oracle Fusion Middleware components deployed in this enterprise deployment are managed by using Oracle Enterprise Manager Fusion Middleware Control. To manage the Oracle Virtual Directory component with this tool, you must register the component and the Oracle Fusion Middleware instance that contains it with an Oracle WebLogic Server domain. A component can be registered either at install time or post-install. A previously un-registered component can be registered with a WebLogic domain by using the opmnctl registerinstance command.

To register the Oracle Virtual Directory instances, follow these steps on OVDHOST1:

  1. Set the ORACLE_HOME variable. For example, issue this command:

    export ORACLE_HOME=IDM_ORACLE_HOME
    
  2. Set the ORACLE_INSTANCE variable. For example, on OVDHOST1, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
    

    On OVDHOST2, issue this command:

    export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst2
    
  3. Execute the opmnctl registerinstance command:

    ORACLE_INSTANCE/bin/opmnctl registerinstance -adminHost WLSHostName -adminPort WLSPort -adminUsername adminUserName
    

    For example:

    ORACLE_INSTANCE/bin/opmnctl registerinstance \
       -adminHost ADMINVHN.mycompany.com -adminPort 7001 -adminUsername weblogic
    

    The command requires login to WebLogic Administration Server.

    Username: weblogic

    Password: password

    Note:

    For additional details on registering Oracle Virtual Directory components with a WebLogic Server domain, see the "Registering an Oracle Instance Using OPMNCTL" section in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

  4. In order to manage Oracle Virtual Directory by using Oracle Enterprise Manager Fusion Middleware Control, you must update the Enterprise Manager Repository URL to point to the virtual IP address associated with the WebLogic Administration Server. Do this using the emctl utility with the switchOMS flag. The emctl utility is located under the ORACLE_INSTANCE/EMAGENT/EMAGENT/bin directory.

    Syntax:

    ./emctl switchOMS ReposURL
    

    For Example:

    ./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload
    

    Output:

    ./emctl switchOMS http://ADMINVHN.mycompany.com:7001/em/upload 
    Oracle Enterprise Manager 10g Release 5 Grid Control 10.2.0.5.0. 
    Copyright (c) 1996, 2009 Oracle Corporation.  All rights reserved. 
    SwitchOMS succeeded.
    
  5. Validate if the agents on OVDHOST1 and OVDHOST2 are configured properly to monitor their respective targets. Follow these steps to complete this task:

    1. Use a web browser to access Oracle Enterprise Manager Fusion Middleware Control at http://adminvhn.mycompany.com:7001/em. Log in as the weblogic user.

    2. From the Domain Home Page, navigate to the Agent-Monitored Targets page using the menu under Farm -> Agent-Monitored Targets.

    3. Validate that the host name in the Agent URL under the Agent column matches the host name under the Host column. In case of a mismatch, follow these steps to correct the issue:

      • Click Configure to go to the Configure Target page.

      • On the Configure Target Page, click Change Agent and choose the correct agent for the host.

      • Update the WebLogic monitoring user name and the WebLogic monitoring password. Enter weblogic as the WebLogic monitoring user name and the password for the weblogic user as the WebLogic monitoring password.

      • Click OK to save your changes.

9.4.2 Configuring Oracle Virtual Directory to Accept Server Authentication Only Mode SSL Connections

Configure Oracle Virtual Directory as follows.

9.4.2.1 Prerequisites

Prior to running this command ensure that:

9.4.2.2 Configuring Oracle Virtual Directory for SSL

Before configuring Oracle Virtual Directory for SSL, set the ORACLE_HOME, ORACLE_INSTANCE and JAVA_HOME variables. For example, on OVDHOST1, issue these commands (on OVDHOST2, set ORACLE_INSTANCE to /u01/app/oracle/admin/ovd_inst2):

export ORACLE_HOME=IDM_ORACLE_HOME
export ORACLE_INSTANCE=/u01/app/oracle/admin/ovd_inst1
export PATH=$JAVA_HOME/bin:$PATH

Start the SSL Configuration tool by issuing the SSLServerConfig command, which is located in the ORACLE_COMMON_HOME/bin directory.

For example:

ORACLE_COMMON_HOME/bin/SSLServerConfig.sh -component ovd

When prompted, enter the following information:

  • LDAP Hostname: Central LDAP host, for example: policystore.mycompany.com

    Note:

    It is recommended that you use the Policy Store directory, not the Identity Store.

  • LDAP port: LDAP port, for example: 389

  • Admin user DN: cn=orcladmin

  • Password: administrator_password

  • sslDomain for the CA: IDMDomain

  • Password to protect your SSL wallet/keystore: password_for_local_keystore

  • Enter confirmed password for your SSL wallet/keystore: password_for_local_keystore

  • Password for the CA wallet: certificate_password. This is the one created in Section 7.4.2, "Generating a Certificate to be Used by the Identity Management Domain."

  • Country Name 2 letter code: Two letter country code, such as US

  • State or Province Name: State or province, for example: California

  • Locality Name: Enter the name of your city, for example: RedwoodCity

  • Organization Name: Company name, for example: mycompany

  • Organizational Unit Name: Leave at the default

  • Common Name: Name of this host, for example: OVDHOST1.mycompany.com

  • OVD component name: Name of your Oracle Instance. This is the value you entered in Step 7 of Section 9.3.1, "Configuring the First Oracle Virtual Directory Instance" and Section 9.3.2, "Configuring an Additional Oracle Virtual Directory," one for each instance, for example: ovd1

  • OVD Instance Name: for example, ovd1. If you need to determine what your OVD component name is, execute the command:

    ORACLE_INSTANCE/bin/opmnctl status
    
  • Oracle instance name: Name of your Oracle instance, for example: asinst_ovd1

  • WebLogic admin host: Host running the WebLogic Administration Server, for example: adminvhn.mycompany.com

  • WebLogic admin port: WebLogic Administration Server port, for example: 7001

  • WebLogic admin user: Name of your WebLogic administration user, for example: weblogic

  • WebLogic password: password.

  • SSL wallet name for OVD component [ovdks1.jks]: Accept the default

When asked if you want to restart your Oracle Virtual Directory component, enter Yes.

When asked if you would like to test your OVD SSL connection, enter Yes. Ensure that the test is a success.

Note:

If this step fails, perform the steps in Section 9.5, "Disable Oracle Virtual Directory Listener SSL NIO" as a workaround.

9.5 Disable Oracle Virtual Directory Listener SSL NIO

Before you can bind to the SSL port on Oracle Virtual Directory you must disable NIO. To do this, perform the following steps on each of the Oracle Virtual Directory instances:

  1. Stop Oracle Virtual Directory by typing:

    ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
    
  2. Edit the file:

    ORACLE_INSTANCE/config/OVD/component/listeners.os_xml

    Locate the section for the LDAP SSL listener, which looks like this:

    <ldap version="20" id="LDAP SSL Endpoint">
    <port>7501</port>
    <host>0.0.0.0</host>
    .........
    .........
    <ssl enabled="true">
    <protocols>SSLv3</protocols>
    <cipherSuites>
    .......
    .......
    <tcpNoDelay>true</tcpNoDelay>
    <readTimeout>180000</readTimeout>
    </socketOptions>
    </ldap>
    

    Modify this section so that it looks like this:

    <ldap version="20" id="LDAP SSL Endpoint">
    <port>7501</port>
    <host>0.0.0.0</host>
    .........
    .........
    <ssl enabled="true">
    <protocols>SSLv3,TLSv1,SSLv2Hello</protocols>
    <cipherSuites includeAnonCiphers="true">
    <cipher>SSL_RSA_WITH_RC4_128_MD5</cipher>
    <cipher>SSL_RSA_WITH_RC4_128_SHA</cipher>
    <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher></cipherSuites>
    ......
    ......
    <tcpNoDelay>true</tcpNoDelay>
    <readTimeout>180000</readTimeout>
    </socketOptions>
    <useNIO>false</useNIO>          
    </ldap>
    
  3. Save the file.

  4. Restart Oracle Virtual Directory using the command:

    ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1
    
  5. Repeat for each Oracle Virtual Directory instance.
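The edit above is done by hand in listeners.os_xml. The script below is an added example and is not part of the Oracle guide or product: `disable_nio` inserts `<useNIO>false</useNIO>` into the listener whose id is "LDAP SSL Endpoint" (and leaves the file unchanged when the element is already there), and `audit_ssl_listener` reports the protocol and cipher settings of that listener so they can be reviewed before the change is rolled out. The XML embedded below is a constructed, abbreviated stand-in for the real file; the root element and the nesting of `<ssl>` and `<socketOptions>` are assumptions based on the excerpt in the guide, so run it against a copy of your own file and compare the result before saving.

```python
"""Audit and patch the OVD SSL listener in listeners.os_xml (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on the guide's excerpt; real files contain more elements.
SAMPLE_LISTENERS = """\
<listeners>
  <ldap version="20" id="LDAP Endpoint">
    <port>6501</port>
    <host>0.0.0.0</host>
  </ldap>
  <ldap version="20" id="LDAP SSL Endpoint">
    <port>7501</port>
    <host>0.0.0.0</host>
    <ssl enabled="true">
      <protocols>SSLv3,TLSv1,SSLv2Hello</protocols>
      <cipherSuites includeAnonCiphers="true">
        <cipher>SSL_RSA_WITH_RC4_128_MD5</cipher>
        <cipher>SSL_RSA_WITH_RC4_128_SHA</cipher>
        <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
      </cipherSuites>
    </ssl>
    <socketOptions>
      <tcpNoDelay>true</tcpNoDelay>
      <readTimeout>180000</readTimeout>
    </socketOptions>
  </ldap>
</listeners>
"""

SSL_ENDPOINT_ID = "LDAP SSL Endpoint"
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "_MD5", "_anon_", "NULL", "EXPORT", "_DES_")


def _find_listener(root: ET.Element, listener_id: str) -> ET.Element:
    for ldap in root.iter("ldap"):
        if ldap.get("id") == listener_id:
            return ldap
    raise KeyError(f"no <ldap> listener with id {listener_id!r}")


def disable_nio(xml_text: str, listener_id: str = SSL_ENDPOINT_ID) -> str:
    """Return the document with <useNIO>false</useNIO> on the given listener (idempotent)."""
    root = ET.fromstring(xml_text)
    ldap = _find_listener(root, listener_id)
    use_nio = ldap.find("useNIO")
    if use_nio is None:
        use_nio = ET.SubElement(ldap, "useNIO")   # appended last, as in the guide's listing
    use_nio.text = "false"
    return ET.tostring(root, encoding="unicode")


def nio_enabled(xml_text: str, listener_id: str = SSL_ENDPOINT_ID) -> bool:
    """True unless the listener carries an explicit <useNIO>false</useNIO>."""
    use_nio = _find_listener(ET.fromstring(xml_text), listener_id).find("useNIO")
    return use_nio is None or (use_nio.text or "").strip().lower() != "false"


def audit_ssl_listener(xml_text: str, listener_id: str = SSL_ENDPOINT_ID) -> Dict[str, object]:
    """Summarise the listener's SSL settings and list the ones a hardening review would flag."""
    ldap = _find_listener(ET.fromstring(xml_text), listener_id)
    ssl = ldap.find("ssl")
    if ssl is None:
        return {"protocols": [], "ciphers": [], "anonymous_ciphers": False,
                "findings": ["listener has no <ssl> element"]}
    protocols = [p.strip() for p in (ssl.findtext("protocols") or "").split(",") if p.strip()]
    suites = ssl.find("cipherSuites")
    ciphers = [(c.text or "").strip() for c in suites.findall("cipher")] if suites is not None else []
    anon = suites is not None and suites.get("includeAnonCiphers", "false").lower() == "true"

    findings: List[str] = []
    findings += [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    findings += [f"weak cipher suite: {c}" for c in ciphers
                 if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
    if anon:
        findings.append("includeAnonCiphers=true permits anonymous (unauthenticated) key exchange")
    return {"protocols": protocols, "ciphers": ciphers, "anonymous_ciphers": anon, "findings": findings}


if __name__ == "__main__":
    patched = disable_nio(SAMPLE_LISTENERS)
    print("NIO enabled after patch:", nio_enabled(patched))
    for finding in audit_ssl_listener(patched)["findings"]:
        print("finding:", finding)
```

The workaround's purpose is the `useNIO` flag; the protocol and cipher list in the guide's modified listing (SSLv3, SSLv2Hello, RC4 suites, and `includeAnonCiphers="true"`) is what the audit reports, so you can see exactly which of those settings the clients in your deployment actually need before leaving them enabled on the SSL endpoint.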

9.6 Validating the Oracle Virtual Directory Instances

To validate the Oracle Virtual Directory instances, ensure that you can connect to each Oracle Virtual Directory instance and the load balancing router using these ldapbind commands.

Follow the steps in Section 9.4.2.2, "Configuring Oracle Virtual Directory for SSL" before running the ldapbind command with the SSL port.

ldapbind -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h ovdhost2.mycompany.com -p 6501 -D "cn=orcladmin" -q
ldapbind -h idstore.mycompany.com -p 389 -D "cn=orcladmin" -q

ldapbind -h ovdhost1.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
ldapbind -h ovdhost2.mycompany.com -p 7501 -D "cn=orcladmin" -q -U 1
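The five ldapbind commands above are the checks to repeat after every restart or listener change. The script below is an added example, not part of the Oracle guide: it builds the same ldapbind invocations (keeping `-q` so the password is prompted for rather than placed on the command line, and adding `-U 1` for the SSL listeners as the guide does), runs them in turn and returns a pass/fail list. It assumes the Oracle ldapbind binary is on PATH with ORACLE_HOME and ORACLE_INSTANCE set, as the notes in Section 9.3 require; the host names are the guide's examples.

```python
"""Bind-check every Oracle Virtual Directory endpoint from one script (added example)."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

BIND_DN = "cn=orcladmin"


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    ssl: bool = False          # True -> server-authentication-only SSL bind (-U 1)


# The endpoints Section 9.6 validates: both instances, the load-balancer virtual
# host on the non-SSL port, and both SSL listeners.
ENDPOINTS = [
    Endpoint("ovdhost1.mycompany.com", 6501),
    Endpoint("ovdhost2.mycompany.com", 6501),
    Endpoint("idstore.mycompany.com", 389),
    Endpoint("ovdhost1.mycompany.com", 7501, ssl=True),
    Endpoint("ovdhost2.mycompany.com", 7501, ssl=True),
]


def ldapbind_argv(ep: Endpoint, bind_dn: str = BIND_DN) -> List[str]:
    """argv for one bind; -q prompts for the password instead of exposing it in the process list."""
    argv = ["ldapbind", "-h", ep.host, "-p", str(ep.port), "-D", bind_dn, "-q"]
    if ep.ssl:
        argv += ["-U", "1"]
    return argv


def run_ldapbind(argv: List[str]) -> int:
    """Run the real binary; stdin is inherited so the -q password prompt reaches the terminal."""
    try:
        return subprocess.run(argv, check=False).returncode
    except FileNotFoundError:
        return 127   # ldapbind not on PATH: counted as a failure, not an exception


def check_endpoints(endpoints: List[Endpoint],
                    runner: Callable[[List[str]], int] = run_ldapbind) -> List[Tuple[Endpoint, bool]]:
    """Bind to each endpoint in order; a zero exit status counts as success."""
    return [(ep, runner(ldapbind_argv(ep)) == 0) for ep in endpoints]


def failed_endpoints(results: List[Tuple[Endpoint, bool]]) -> List[Endpoint]:
    return [ep for ep, ok in results if not ok]


if __name__ == "__main__":
    results = check_endpoints(ENDPOINTS)
    for ep, ok in results:
        mode = "SSL" if ep.ssl else "non-SSL"
        print(f"{'OK  ' if ok else 'FAIL'} {ep.host}:{ep.port} ({mode})")
    raise SystemExit(1 if failed_endpoints(results) else 0)
```

Because each bind uses `-q`, the script prompts for the orcladmin password once per endpoint; the SSL entries only succeed after Section 9.4.2.2 has been completed on the instance, so a failure there before that step is expected. The `runner` parameter exists so the command plan can be exercised without the binary, which is how the accompanying checks were written.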

9.7 Creating ODSM Connections to Oracle Virtual Directory

Before you can manage Oracle Virtual Directory you must create connections from ODSM to each of your Oracle Virtual Directory instances. To do this, proceed as follows:

  1. Access ODSM through the load balancer address: http://admin.mycompany.com/odsm

  2. Validate that Oracle Directory Services Manager can create connections to Oracle Virtual Directory. Create a connection to each Oracle Virtual Directory node separately; using the Oracle Virtual Directory load balancer virtual host from ODSM is not supported. Follow these steps:

    1. Launch Oracle Directory Services Manager:

      http://admin.mycompany.com/odsm/
      
    2. Create a direct connection to Oracle Virtual Directory on OVDHOST1 providing the following information in ODSM:

      Host: ovdhost1.mycompany.com
      Port: 8899  (The Oracle Virtual Directory proxy port)
      Enable the SSL option
      User: cn=orcladmin
      Password: password_to_connect_to_OVD
      

9.8 Creating Adapters in Oracle Virtual Directory

Oracle Virtual Directory communicates with other directories through adapters.

Before you can start using Oracle Virtual Directory as an Identity Store, you must create adapters to each of the directories you want to use. The procedure is slightly different, depending on the directory you are connecting to. The following sections show how to create and validate adapters for supported directories:

9.8.1 Creating Adapters for Oracle Internet Directory

Oracle Virtual Directory is not required when you use Oracle Internet Directory as the back-end directory. However, if you want to access your Oracle Internet Directory through Oracle Virtual Directory, create the following Oracle Virtual Directory adapters.

9.8.1.1 User Adapter for Oracle Internet Directory

Create the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at: http://admin.mycompany.com/odsm.

  2. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  3. On the Home page, click the Adapter tab.

  4. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  5. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                       Value/Step
    Type              Adapter Type                LDAP
                      Adapter Name                User Adapter
                      Adapter Template            User_OID
    Connection        Use DNS for Auto Discovery  No
                      Host                        oididstore.mycompany.com
                      Port                        389
                      Server Proxy Bind DN        cn=orcladmin
                      Proxy Password              Password for orcladmin user.
    Connection Test                               Validate that the test succeeds.
    Namespace         Remote Base                 dc=mycompany,dc=com
                      Mapped Namespace [1]        dc=mycompany,dc=com

    [1] The Remote Base is the context in Oracle Virtual Directory where your information is stored. The Mapped Namespace is the context in Oracle Internet Directory where your information is stored. These are usually the same, but need not be.

    Verify that the summary is correct and then click Finish.

  6. Edit the User Adapter as follows:

    1. Select the User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in in the plug-ins table, then click Edit. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter        Value                     Default
      directoryType    oid                       Yes
      pwdMaxFailure    10                        Yes
      oamEnabled       true [1]
      mapObjectclass   container=orclContainer   Yes

      [1] Set oamEnabled to true only if you are using Oracle Access Manager.

    5. Click OK.

    6. Click Apply.

9.8.1.2 Changelog Adapter for Oracle Internet Directory

To use the changelog adapter, you must first enable changelog on the connected directory. To test whether the directory is changelog enabled, type:

ldapsearch -h directory_host -p ldap_port -D bind_dn -q -b '' -s base 'objectclass=*' lastchangenumber

for example:

ldapsearch -h oidhost1 -p 389 -D "cn=orcladmin" -q -b '' -s base 'objectclass=*' lastchangenumber

If you see lastchangenumber with a value, it is enabled. If it is not enabled, enable it as described in the Enabling and Disabling Changelog Generation by Using the Command Line section of Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

The changelog adapter is only required if you are implementing Oracle Identity Manager.

Create the changelog adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at: http://admin.mycompany.com/odsm.

  2. Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  3. Connect to an Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                       Value/Step
    Type              Adapter Type                LDAP
                      Adapter Name                Changelog Adapter
                      Adapter Template            Changelog_OID
    Connection        Use DNS for Auto Discovery  No
                      Host                        oididstore.mycompany.com
                      Port                        389
                      Server Proxy Bind DN        cn=orcladmin
                      Proxy Password              Password for orcladmin user.
    Connection Test                               Validate that the test succeeds.
    Namespace         Remote Base                 (Do not assign.)
                      Mapped Namespace            cn=changelog
    Summary                                       Verify that the summary is correct, then click Finish.


  7. To edit the Changelog Adapter, follow these steps.

    1. Select the Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Changelog Adapter to either add or modify the properties so that they match the values shown in the following table. You must add the modifierDNFilter, sizeLimit, and targetDNFilter properties to the adapter.

      Parameter               Value                                        Comments
      directoryType           oid                                          Default
      mapAttribute            targetGUID=orclguid                          Default
      requiredAttribute       orclGUID                                     Default
      modifierDNFilter        !(modifiersname=cn=orcladmin)                Create
      sizeLimit               1000                                         Create
      targetDNFilter          dc=mycompany,dc=com                          Create. Search base from which reconciliation must happen. This value must be the same as the LDAP SearchDN that is specified during Oracle Identity Manager installation.
      mapUserState            true                                         Update
      oamEnabled              true [1]                                     Update
      virtualDITAdapterName   User Adapter (the name of the User Adapter)  Create

      [1] Set oamEnabled to true only if you are using Oracle Access Manager.

    5. Click OK.

    6. Click Apply.

9.8.2 Creating Adapters for Microsoft Active Directory Server

Use this adapter to connect to Active Directory.

9.8.2.1 User Adapter for Active Directory

Create the user adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the User Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. Start the Administration Server and the WLS_ODSM Managed Servers as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."

  2. In a web browser, go to Oracle Directory Services Manager (ODSM) at: http://admin.mycompany.com/odsm.

  3. Connect to each Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                       Value/Step
    Type              Adapter Type                LDAP
                      Adapter Name                User Adapter
                      Adapter Template            User_ActiveDirectory
    Connection        Use DNS for Auto Discovery  No
                      Host                        Active Directory host/virtual name
                      Port                        Active Directory SSL port
                      Server Proxy Bind DN        The bind DN of a user who has access to Active Directory.
                      Proxy Password              Password for the Active Directory administrative user.
                      Use SSL/TLS                 Selected
                      SSL Authentication Mode     Server Only Authentication
    Connection Test                               Validate that the test succeeds.
    Namespace         Remote Base                 dc=mycompany,dc=com
                      Mapped Namespace            dc=mycompany,dc=com


    Verify that the summary is correct and then click Finish.

  7. Edit the User Adapter as follows:

    1. Select the OIM User Adapter.

    2. Click the Plug-ins tab.

    3. Click the User Management Plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values as follows:

      Parameter          Value                                      Default
      directoryType      activedirectory                            Yes
      exclusionMapping   orclappiduser,uid=samaccountname
      mapAttribute       orclguid=objectGuid
      mapAttribute       uniquemember=member
      addAttribute       user,samaccountname=%uid%,%orclshortuid%
      mapAttribute       mail=userPrincipalName
      mapAttribute       ntgrouptype=grouptype
      mapObjectclass     groupofUniqueNames=group
      mapObjectclass     orclidxperson=user
      pwdMaxFailure      10                                         Yes
      oamEnabled         True [1]
      mapObjectClass     inetorgperson=user                         Yes
      mapPassword        True                                       Yes

      [1] Set oamEnabled to true only if you are using Oracle Access Manager.

      Note:

      For language support, you must edit the User Management plug-in to add a new configuration parameter oimLanguages.

      For example, if the Managed Localization for the DisplayName while creating the user in Oracle Identity Manager is selected as French, then the value for oimLanguages in the User Management adapter plug-in should be fr. If you have other languages to be supported, say Japanese, then the value for the parameter should be fr,ja.

      The User Management plug-in has the following configuration parameter:

      oimLanguages: a comma-delimited list of language codes to be used in attribute language subtypes.

      This parameter is functional only when the directoryType parameter is set to activedirectory.

    5. Click OK.

    6. Click Apply.

9.8.2.2 Changelog Adapter for Active Directory

The changelog adapter is only required if you are implementing Oracle Identity Manager.

Create the changelog adapter on the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2 individually. Follow these steps to create the Changelog Adapter in Oracle Virtual Directory using Oracle Directory Services Manager.

  1. In a web browser, go to Oracle Directory Services Manager (ODSM) at: http://admin.mycompany.com/odsm.

  2. Create connections to each of the Oracle Virtual Directory instances running on OVDHOST1 and OVDHOST2, if they do not already exist.

  3. Connect to an Oracle Virtual Directory instance by using the appropriate connection entry.

  4. On the Home page, click the Adapter tab.

  5. Start the New Adapter Wizard by clicking Create Adapter at the top of the adapter window.

  6. Create a new adapter using the New Adapter Wizard, with the following parameters:

    Screen            Field                       Value/Step
    Type              Adapter Type                LDAP
                      Adapter Name                OIM Changelog Adapter
                      Adapter Template            Changelog_ActiveDirectory
    Connection        Use DNS for Auto Discovery  No
                      Host                        Active Directory host/virtual name
                      Port                        389
                      Server Proxy Bind DN        The bind DN of a user who has access to Active Directory.
                      Proxy Password              Password for oimLDAP user.
    Connection Test                               Validate that the test succeeds.
    Namespace         Remote Base                 (Do not assign.)
                      Mapped Namespace            cn=changelog
    Summary                                       Verify that the summary is correct, then click Finish.


  7. To edit the changelog adapter, follow these steps.

    1. Select the OIM Changelog Adapter.

    2. Click the Plug-ins tab.

    3. In the Deployed Plug-ins table, click the changelog plug-in, then click Edit in the plug-ins table. The plug-in editing window appears.

    4. In the Parameters table, update the parameter values.

      Edit the Changelog Adapter to add or modify the properties so that they match the values shown in the following table. The properties marked Create in the Comments column (sizeLimit, targetDNFilter, and virtualDITAdapterName) do not exist yet and must be added to the adapter.

      Parameter               Value                         Comments
      directoryType           activedirectory               Default
      mapAttribute            targetGUID=objectGUID         Default
      requiredAttribute       samaccountname                Default
      sizeLimit               1000                          Create
      targetDNFilter          dc=mycompany,dc=com           Create. Search base from which reconciliation
                                                            must happen. This value must be the same as the
                                                            LDAP SearchDN that is specified during Oracle
                                                            Identity Manager installation.
      mapUserState            true                          Update
      oamEnabled              true (see footnote 1)
      virtualDITAdapterName   The name of the User adapter  Create

      Footnote 1: Set oamEnabled to true only if you are using Oracle Access Manager.

      Note:

      virtualDITAdapterName identifies the corresponding user profile adapter name. For example, in a single-directory deployment, you can set this parameter to User Adapter, which is the user adapter name. In a split-user profile scenario, you can set this parameter to J1;A2, where J1 is the JoinView adapter name and A2 is the corresponding user adapter within J1.

    5. Click OK.

    6. Click Apply.

9.8.3 Validating the Oracle Virtual Directory Adapters

Perform the following tasks by using ODSM:

1. Connect to Oracle Virtual Directory.

2. Go to the Data Browser tab.

3. Expand Client View so that you can see each of your user adapter root DNs listed.

4. Expand the user adapter root DN. If there are already objects in the back end LDAP server, you should see those objects here.

5. ODSM doesn't support changelog query, so you cannot expand the cn=changelog subtree.

Perform the following tasks by using the command-line:

  • Validate the user adapters by typing:

    ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b <user_search_base> -s sub "objectclass=inetorgperson" dn

    For example:

    ldapsearch -h ovdhost1.mycompany.com -p 6501 -D "cn=orcladmin" -q -b "cn=Users,dc=mycompany,dc=com" -s sub "objectclass=inetorgperson" dn

    Supply the password when prompted.

    You should see the user entries that already exist in the back end LDAP server.

  • Validate changelog adapters by typing:

    ldapsearch -h directory_host -p ldap_port -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"

    For example:

    ldapsearch -h ovdhost1 -p 6501 -D "cn=orcladmin" -q -b "cn=changelog" -s one "changenumber>=0"

    The command returns no data at this stage, as Oracle Identity Manager is not generating changes. However, the command returns without error if changelog adapters are valid.
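As an added example (not part of the guide or of Oracle's tooling), the following Python helper builds the two validation searches above and checks their captured output the way the text describes: the user search must succeed and return entries, while the changelog search only needs to return without error. Host, port, base DN and the sample LDIF are constructed values; LDIF line folding and base64 `dn::` values (RFC 2849) are handled so that DNs containing non-ASCII names, such as localized display names, are read correctly.

```python
# Added example (not Oracle's code): build the two validation searches from
# Section 9.8.3 and inspect their captured output. Host, port, base DN and the
# sample LDIF are constructed; LDIF line folding and base64 'dn::' values
# (RFC 2849) are handled so DNs with non-ASCII names parse correctly.
import base64


def ldapsearch_argv(host, port, base, scope, ldap_filter, *attrs):
    """argv for the guide's ldapsearch call (-q prompts for the bind password)."""
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", "cn=orcladmin",
            "-q", "-b", base, "-s", scope, ldap_filter, *attrs]


def parse_ldif_dns(text):
    """Return every DN in LDIF output, unfolding continuations and decoding 'dn::'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # leading space = folded line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dns = []
    for line in unfolded:
        if line.startswith("dn:: "):           # base64-encoded (non-ASCII) DN
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def user_adapter_ok(returncode, text):
    """Valid when the search succeeds and returns the entries already in the back end."""
    return returncode == 0 and len(parse_ldif_dns(text)) > 0


def changelog_adapter_ok(returncode, text):
    """Valid when the search succeeds; zero entries is expected before OIM writes changes."""
    return returncode == 0


# Constructed sample of user-adapter output: a plain DN, a base64 DN with an
# accented name, and a DN folded across two lines.
SAMPLE_USER_LDIF = "\n".join([
    "dn: cn=jdoe,cn=Users,dc=mycompany,dc=com", "",
    "dn:: " + base64.b64encode(
        "cn=René Dupont,cn=Users,dc=mycompany,dc=com".encode("utf-8")).decode("ascii"), "",
    "dn: cn=averylongcommonname,cn=Users,", " dc=mycompany,dc=com", "",
])

USER_SEARCH = ldapsearch_argv("ovdhost1.mycompany.com", 6501,
                              "cn=Users,dc=mycompany,dc=com", "sub", "objectclass=inetorgperson", "dn")
CHANGELOG_SEARCH = ldapsearch_argv("ovdhost1.mycompany.com", 6501,
                                   "cn=changelog", "one", "changenumber>=0")
```

Run the searches with `subprocess` (or by hand), then pass the exit code and stdout to `user_adapter_ok` and `changelog_adapter_ok`.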

9.9 Tuning Oracle Virtual Directory

For information about tuning Oracle Virtual Directory, see Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.

In particular, set the following server attribute values when deploying Oracle Identity Management for Fusion Applications:

Attribute     Value
timeout       600000
maxPoolSize   20


9.10 Backing Up the Oracle Virtual Directory Configuration

Oracle recommends, as a best practice, creating a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup of the installation after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. This backup can be discarded once the enterprise deployment setup is complete. After the enterprise deployment setup is complete, the regular deployment-specific Backup and Recovery process can be initiated. More details are described in the Oracle Fusion Middleware Administrator's Guide.

For information on database backups, refer to Oracle Database Backup and Recovery User's Guide.

To back up the installation to this point, follow these steps:

  1. Back up the directory tier:

    1. Shut down the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl stopall

    2. Create a backup of the Middleware home on the directory tier. On Linux, as the root user, type:

      tar -cvpf BACKUP_LOCATION/dirtier.tar MW_HOME

    3. Create a backup of the Instance home on the directory tier as the root user:

      tar -cvpf BACKUP_LOCATION/instance_backup.tar ORACLE_INSTANCE

    4. Start up the instance using opmnctl located under the ORACLE_INSTANCE/bin directory:

      ORACLE_INSTANCE/bin/opmnctl startall

  2. Perform a full database backup (either a hot or cold backup). Oracle recommends that you use Oracle Recovery Manager.

  3. Back up the Administration Server domain directory. This saves your domain configuration. The configuration files all exist under the ORACLE_BASE/admin/domainName/aserver directory. On Linux, type:

    IDMHOST1> tar cvf edgdomainback.tar ORACLE_BASE/admin/domainName/aserver

Note:

Create backups on all machines in the directory tier by following the steps shown in this section.

For more information about backing up the directory tier configuration, see Section 19.4, "Performing Backups and Recoveries."