7 Configuring Oracle Directory Server Enterprise Edition

You can configure Oracle Directory Server Enterprise Edition as the back-end directory for Oracle Directory Integration Platform synchronization.


7.1 Before You Configure Oracle Directory Server Enterprise Edition as the Back-End Directory

Ensure that you install Oracle Directory Integration Platform before you configure Oracle Directory Server Enterprise Edition as the back-end directory.

See Configuring Oracle Directory Integration Platform in Oracle Fusion Middleware Installing and Configuring Oracle Internet Directory.

7.2 Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform

Use the steps in the following order to configure Oracle Directory Server Enterprise Edition (back-end directory) non-SSL communication for Oracle Directory Integration Platform.

7.2.1 Installing and Configuring Oracle Directory Server Enterprise Edition

Ensure that Oracle Directory Server Enterprise Edition is installed and configured.

See Oracle Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition and Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

Note:

You must create a Directory Server instance, as described in Creating Server Instances From Command Line in Oracle® Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition.

7.2.2 Installing Oracle Directory Server Enterprise Edition Plug-In

Install the Oracle Directory Server Enterprise Edition plug-in if you want to synchronize passwords from Oracle Directory Server Enterprise Edition; the plug-in captures password changes on the directory server, which the retro change log alone does not expose in clear text. Password synchronization itself is described in Configuring Password Synchronization for Oracle Directory Server Enterprise Edition.

To install the Oracle Directory Server Enterprise Edition plug-in, complete the following steps:

  1. Select dip-plugin.so (UNIX) or dip-plugin.dll (Windows) from the ORACLE_HOME\dip\utils\dip-plugin (Windows) or $ORACLE_HOME/dip/utils/dip-plugin (UNIX) directory in the Oracle Identity Management distribution package.
  2. Copy it to the directory server's plug-in library directory:
    • 32-bit system: INSTALL-PATH/dsee7/lib (UNIX) or INSTALL-PATH\dsee7\lib (Windows).

    • 64-bit system: INSTALL-PATH/dsee7/lib64 (UNIX).

For more information about Oracle Directory Server Enterprise Edition plug-in, see Oracle Fusion Middleware Developer's Guide for Oracle Directory Server Enterprise Edition.

7.2.3 Creating Oracle Directory Server Enterprise Edition Suffixes

Use the dsconf command to create the suffixes for the server's Directory Information Tree (DIT).

You must create the following suffixes:

  • cn=OracleContext: stores the Oracle Directory Integration Platform configuration details.

  • A suffix for the synchronized data (<data_suffix_name> below), for example dc=example,dc=com. This is the suffix on which the ACIs in Adding Access Control Instructions (ACIs) for Oracle Directory Server Enterprise Edition are later added.

To create the suffixes, run the dsconf command on the command line (-i suppresses the confirmation prompt and -c accepts the server certificate without asking; dsconf prompts for the password of the bind DN, so it does not appear on the command line):

dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" cn=OracleContext
dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" <data_suffix_name>

After creating the suffixes, you must do the following:

  1. Create a products.ldif file with the following content for cn=Products:
    dn: cn=Products,cn=OracleContext 
    changetype: add 
    cn: Products 
    objectclass: top 
    objectclass: extensibleObject
    
  2. Run ldapadd command, to add the cn=Products entries:
    ldapadd -h host -p port -D "cn=Directory Manager" -w <pwd> -v -f products.ldif
    

For more information, see "Creating Suffixes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

7.2.4 Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition

Use the dsconf command to enable the retro change log for Oracle Directory Server Enterprise Edition.

Complete the following steps:

  1. Run the dsconf command on the command line:
    dsconf set-server-prop -h host -p port retro-cl-enabled:on
    
  2. Restart the directory server instance, as described in "Starting, Stopping, and Restarting a Directory Server Instance" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

Note:

Enabling the retro change log for Oracle Directory Server Enterprise Edition may impact Directory Server performance.

7.2.5 Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition

You must configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in either an existing or a new WebLogic Server domain.

7.2.5.1 Configuring Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an Existing WebLogic Domain

Perform the following steps to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an existing WebLogic administration domain:

  1. Run the ORACLE_HOME/oracle_common/common/bin/config.sh script (UNIX) or ORACLE_HOME\oracle_common\common\bin\config.cmd (Windows).

    The Configuration Type screen is displayed.

  2. Select Update an existing domain, and click Next.

    The Templates screen is displayed.

  3. On the Templates screen, select Update Domain Using Product Templates and then select the Oracle Directory Integration Platform - 12.2.1.3.0 [dip] domain configuration option.

    Note:

    When you select the Oracle Directory Integration Platform - 12.2.1.3.0 [dip] option, Oracle Enterprise Manager 12.2.1.3.0 [em] is automatically selected.

    Click Next.

    The JDBC Data Sources screen is displayed.

  4. Make changes if required and then click Next.

    The JDBC Data Sources Test screen is displayed.

  5. Select the data sources to test, and click Test Selected Connections.

    Click Next.

    The Database Configuration Type screen is displayed.

  6. Make changes if required and then click Get RCU Configuration to retrieve the schema information. After successfully retrieving the schema information, click Next to continue.

    The JDBC Component Schema screen is displayed.

  7. Verify that the values populated are correct for all schemas and click Next.

    The JDBC Component Schema Test screen is displayed.

  8. You can select the component schema to test, and click Test Selected Connections. Wait for one or more connection tests to complete. If you do not want to test connections, deselect all data sources.

    Note:

    In order to test connections, the database to which you are trying to connect must be running.

    Click Next.

    The Advanced Configuration screen is displayed.

  9. Select Managed Servers, Clusters, and Machines option. Click Next.

    The Managed Servers screen is displayed.

  10. Specify the Managed Server name and click Next.

    The Clusters screen is displayed.

  11. Configure Clusters as required and click Next.

    The Machines screen is displayed.

  12. On the Machines screen, select the Machine tab (Windows) or the Unix Machine tab, click Add, and specify the machine name. Click Next.
  13. If you added a machine on the Machines screen, the Assign Servers to Machines screen appears. Assign the Administration Server and the Managed Server to the machine you specified. Click Next.
  14. On the Configuration Summary screen, review the domain configuration, and click Update to start extending the domain.
  15. Click Finish, once the domain is extended.

    Your existing domain is extended to support Oracle Directory Integration Platform.

7.2.5.2 Configuring Oracle Directory Integration Platform and Oracle Directory Server Enterprise Edition in a New Oracle WebLogic Server Domain

Run the Oracle Fusion Middleware Configuration Wizard to create a new Oracle WebLogic domain:

  1. Run the ORACLE_HOME/oracle_common/common/bin/config.sh script (UNIX) or ORACLE_HOME\oracle_common\common\bin\config.cmd (Windows).

    The Configuration Type screen is displayed.

  2. On the Configuration Type screen, select Create a new domain and enter the full path for the domain or use the Browse button to navigate to the directory in which your domains are located. Click Next.

    The Templates screen is displayed.

  3. On the Templates screen, make sure Create Domain Using Product Templates is selected, and then select Oracle Directory Integration Platform - 12.2.1.3.0 [dip].

    Note:

    When you select Oracle Directory Integration Platform - 12.2.1.3.0 [dip] option, the following components are automatically selected:

    • Oracle Enterprise Manager 12.2.1.3.0 [em]

    • Oracle JRF - 12.2.1.3.0 [oracle_common]

    • Weblogic Coherence Cluster Extension 12.2.1.3 [wlserver]

    Click Next.

    The Application Location screen is displayed.

  4. Click Browse and specify the full path to the directory in which you want to store the applications that are associated with the domain.

    Click Next.

    The Administrator Account screen is displayed.

  5. Specify the user name and password for the default WebLogic Administrator account for the domain.
    The password must be at least eight characters and must contain at least one number or special character. Confirm the password and click Next.
    Make a note of these details as you will need them to start or restart the WebLogic domain in the following procedure.
    The Domain Mode and JDK screen is displayed.
  6. Specify the domain mode and Java Development Kit (JDK).
    1. Select Production in the Domain Mode field.

      Note:

      If you select Production mode as the domain, the node manager has a random username and password assigned to it. Use the WebLogic Server Administration Console to reset the password.

    2. Accept Oracle Hotspot as a default JDK location.
    3. Click Next.
    The Database Configuration Type screen is displayed.
  7. Select RCU Data. This option instructs the Configuration Wizard to connect to the database’s Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.

    After selecting RCU Data:

    1. Enter the name of the server hosting the database in the Host Name field.

      Note:

      Ensure that you do not specify localhost in the Host Name field.
    2. Enter the database DBMS name, or service name if you selected a service type driver in the DBMS/Service field.
    3. Enter the port number on which the database listens.
    4. Enter the username and password for connecting to the database's Service Table schema.
    5. Click Get RCU Configuration to retrieve the schema information. After successfully retrieving the schema information, click Next to continue.
    The JDBC Component Schema screen is displayed.
  8. Verify that the values populated are correct for all schemas, and Click Next.
    The JDBC Component Schema Test screen is displayed.
  9. Test datasource connections that you just configured.
    A green check mark in the Status column indicates a successful test. If you encounter issues, see the error message in the Connection Result Log section of the screen, fix the problem, then test the connection again.

    The Advanced Configuration screen is displayed.

  10. To complete domain configuration, select any of these options:
    • Administration Server: Required to properly configure the Administration Server’s listen address.
    • Node Manager: Required to configure Node Manager.
    • Topology: Required to configure the Managed Servers and cluster, and for configuring the machine and targeting Managed Servers to the machine.
    • Deployments and Services: Required to target to servers or clusters.
    Click Next.
  11. Review each item on the Configuration Summary screen and verify that the information is correct.
    To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.
    A new WebLogic domain (for example: base_domain) is created to support Oracle Directory Integration Platform and Fusion Middleware Control in the <ORACLE_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <ORACLE_HOME>/user_projects/domains directory.

7.2.6 Starting the Oracle WebLogic Server and the Oracle Directory Server Enterprise Edition Instance

After the WebLogic domain configuration is complete, you can start the servers to manage the domain.

After configuring the Oracle WebLogic Server domain, perform the following tasks:

  1. Start the Administration Server, Node Manager and Managed Server as described in Starting and Stopping the Oracle Stack.
  2. Start the Oracle Directory Server Enterprise Edition instance:
    $ dsadm start instance-path

7.2.7 Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition

After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition.

Complete the following steps:
  1. Set the WL_HOME and ORACLE_HOME environment variables for Oracle Directory Integration Platform.

  2. Run the dipConfigurator setup (<ORACLE_HOME>/bin) command on the command line and enter the following arguments:

    Note:

    If you are running the dipConfigurator setup for a secured LDAP (isldapssl=true) then you must configure Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL communication mode. See Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL.

    Table 7-1 dipConfigurator Properties for Oracle Directory Server Enterprise Edition

    Property                       Description
    wlshost                        Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed.
    wlsport                        Listening port of the Oracle WebLogic Server instance that dipConfigurator connects to (7001 in the example below).
    wlsuser                        Oracle WebLogic Server login user name. dipConfigurator prompts for the WebLogic and bind passwords; they are not passed on the command line.
    ldaphost                       Oracle Directory Server Enterprise Edition host name.
    ldapport                       Oracle Directory Server Enterprise Edition port number. The documented default is 636; for non-SSL communication (isldapssl false) use the LDAP port, 389 in the example below.
    isldapssl                      true or false: whether to connect to the back-end directory over SSL. If true, you must also complete Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL.
    ldapuser                       Bind DN used to connect to Oracle Directory Server Enterprise Edition.
    isclustered <BOOLEAN>          Whether this Oracle Directory Integration Platform instance runs in a cluster environment.
    clustercheckininterval <INT>   Interval in milliseconds at which an instance checks the status of the other instances of the cluster (for example, to detect failed instances).

    Example:

    UNIX:

    $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false
    

    Windows:

    ORACLE_HOME\bin\dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false
    

    Note:

    You can synchronize the password for Oracle Directory Server Enterprise Edition, as described in Configuring Password Synchronization for Oracle Directory Server Enterprise Edition.

7.2.8 Adding Access Control Instructions (ACIs) for Oracle Directory Server Enterprise Edition

Add the ACIs for Oracle Directory Server Enterprise Edition using the ldapmodify command. The two ACIs give the Oracle Directory Integration Platform groups under cn=OracleContext all rights plus proxy authorization on the data suffix created in Creating Oracle Directory Server Enterprise Edition Suffixes. Replace dc=<suffix_name>,dc=com in both the entry DN and the target with that suffix; add the ACIs on the data suffix only, not on the root DSE or on cn=OracleContext, so the grant stays limited to the synchronized data.

Run the ldapmodify command on the command line. The bind password is shown as <password>; avoid typing it literally after -w, where it lands in the shell history and process list (the Oracle Directory Server Enterprise Edition client tools accept a password file with -j instead):

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w <password> <<EOF
dn: dc=<suffix_name>,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=<suffix_name>,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF
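
The ACIs above grant all rights plus proxy to two groups, so it is worth checking an LDIF before (or after) applying it: that every allow rule names one of the two DIP groups and that the target stays within the data suffix. The following Python script is an added example, not part of this page or of Oracle's tooling. It collects the aci values from ldapmodify input (joining folded LDIF lines), parses target, targetattr and the allow/deny rules, and reports any grant to another subject or any target outside the suffix. dc=example,dc=com is an assumed data suffix; the group DNs are the ones from the ACIs above.

```python
"""Audit the Oracle Directory Integration Platform ACIs in an LDIF modify file.

Added example for this page, not Oracle code. dc=example,dc=com is an assumed
data suffix; DIP_GROUPS are the group DNs used in the page's ACIs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DIP_GROUPS = (
    "cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext",
    "cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext",
)

# Constructed sample: the page's ldapmodify input with the assumed suffix, folded as
# LDIF permits (a line starting with one space continues the previous line).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions";
  allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";
  allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions";
  allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";
  allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
"""

_TARGET = re.compile(r'\(target\s*=\s*"ldap:///([^"]*)"\)', re.IGNORECASE)
_TARGETATTR = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\)', re.IGNORECASE)
_ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(groupdn|userdn|roledn)\s*=\s*"ldap:///([^"]*)"',
                   re.IGNORECASE)


@dataclass(frozen=True)
class AciRule:
    effect: str               # "allow" or "deny"
    rights: Tuple[str, ...]   # e.g. ("all", "proxy")
    subject_kind: str         # "groupdn", "userdn" or "roledn"
    subject_dn: str           # normalized DN of the subject


@dataclass
class Aci:
    name: str
    target: Optional[str]      # DN from (target="ldap:///..."), None if absent
    targetattr: Optional[str]  # value from (targetattr="..."), None if absent
    rules: List[AciRule]


def ldif_attribute_values(ldif_text: str, attr: str) -> List[str]:
    """Return every value of `attr` in the LDIF text, with folded lines joined."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]   # LDIF folding: drop the leading space, append to previous line
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    return [ln[len(prefix):].strip() for ln in lines if ln.lower().startswith(prefix)]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(value: str) -> Aci:
    """Extract target, targetattr, acl name and the allow/deny rules from one ACI value."""
    target, targetattr, name = _TARGET.search(value), _TARGETATTR.search(value), _ACL_NAME.search(value)
    rules = [AciRule(effect.lower(), tuple(r.strip().lower() for r in rights.split(",")),
                     kind.lower(), normalize_dn(dn))
             for effect, rights, kind, dn in _RULE.findall(value)]
    return Aci(name=name.group(1) if name else "",
               target=target.group(1) if target else None,
               targetattr=targetattr.group(1) if targetattr else None,
               rules=rules)


def audit_aci(aci: Aci, data_suffix: str, allowed_groups: Iterable[str]) -> List[str]:
    """Findings for one ACI: allow rules to subjects other than the expected groups,
    and a target that is neither the data suffix nor an entry below it."""
    findings: List[str] = []
    suffix = normalize_dn(data_suffix)
    if aci.target is not None:
        target = normalize_dn(aci.target)
        if target != suffix and not target.endswith("," + suffix):
            findings.append(f'{aci.name}: target "{aci.target}" is outside the data suffix {data_suffix}')
    allowed = {normalize_dn(g) for g in allowed_groups}
    for rule in aci.rules:
        if rule.effect == "allow" and (rule.subject_kind != "groupdn" or rule.subject_dn not in allowed):
            findings.append(f'{aci.name}: allow ({",".join(rule.rights)}) to '
                            f'{rule.subject_kind}="{rule.subject_dn}" is not one of the DIP groups')
    return findings


def audit_ldif(ldif_text: str, data_suffix: str, allowed_groups: Iterable[str] = DIP_GROUPS) -> List[str]:
    """Parse every aci value in the LDIF and return all findings (empty list means clean)."""
    groups = tuple(allowed_groups)
    findings: List[str] = []
    for value in ldif_attribute_values(ldif_text, "aci"):
        findings.extend(audit_aci(parse_aci(value), data_suffix, groups))
    return findings


if __name__ == "__main__":
    problems = audit_ldif(SAMPLE_LDIF, "dc=example,dc=com")
    print("\n".join(problems) if problems else "ACIs are scoped to the data suffix and the DIP groups")
```

Point audit_ldif at the LDIF you are about to feed to ldapmodify, with the real data suffix as the second argument; an empty result means every grant goes to one of the two DIP groups and the target does not reach above the suffix. The same parser can be run over an ldapsearch export of the aci attribute to review what is already in place.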

7.3 Configuring Oracle Directory Server Enterprise Edition (SSL) for Oracle Directory Integration Platform

Use the steps in the following order to configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform.

7.3.1 Configuring Oracle Directory Server Enterprise Edition for SSL

Use the steps to configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform.

  1. Configure Oracle Directory Server Enterprise Edition, as described in Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform.

  2. You can disable non-SSL communications so that the Oracle Directory Server Enterprise Edition communicates only through SSL. To do so, run the dsconf command on the command line:

    UNIX:

     $ dsconf set-server-prop -h host -P 1636 ldap-port:disabled
    

    Windows:

    dsconf set-server-prop -h host -P 1636 ldap-port:disabled
    

    Restart the Oracle Directory Server Enterprise Edition instance:

    dsadm restart instance-path
    

    You can no longer bind on the non-secure port 389; every client, including the administration tools, must now use the secure port (1636 in this example).

  3. Create the Oracle Directory Integration Platform credentials in the Credential Store Framework, by doing the following:

    1. Open the WLST prompt by running the following command, then connect to the Administration Server with connect(), because createCred is an online command:

      $ORACLE_HOME/oracle_common/common/bin/wlst.sh (UNIX) or ORACLE_HOME\oracle_common\common\bin\wlst.cmd (Windows)

    2. Run the following command at the WLST prompt. The map and key (dip, jksKey) are fixed; the password must be the store password of the Java Keystore that Oracle Directory Integration Platform uses to trust the Oracle Directory Server Enterprise Edition certificate (the same value you give keytool as -storepass in the next step):

      createCred(map="dip", key="jksKey", user="jksUser", password="password", desc="DIP SSL JKS")
      

      Example, using the Oracle Directory Integration Platform server DN as the credential user:

      createCred(map="dip", key="jksKey", user="cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=products,cn=oraclecontext", password="password", desc="DIP SSL JKS")
      

    For more information, see Credential Store Framework for Oracle Directory Integration Platform.

  4. Export the Oracle Directory Server Enterprise Edition server certificate, import it into the Java Keystore that Oracle Directory Integration Platform uses as its trust store, and list the keystore to confirm the entry. Omit -noprompt if you want keytool to display the certificate and its fingerprint for review before importing it:

    dsadm show-cert -F der -o ~/dsee-cert instance-path
    keytool -importcert -noprompt -trustcacerts -alias mycompany.com -file ~/dsee-cert -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
    keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
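
After steps 2 and 4, two things are worth confirming from a client's point of view: that the plaintext port really refuses connections, and that the LDAPS port presents exactly the certificate that went into the Oracle Directory Integration Platform keystore. The following Python script is an added example, not part of this page or of Oracle's tooling. It trusts only the DER file exported by dsadm show-cert, verifies the host name against it, and returns the peer certificate's SHA-256 fingerprint in the same format keytool -list -v prints, so the two can be compared. odseehost, ports 389 and 1636 and the file name dsee-cert are the page's example values; nothing else about the deployment is assumed.

```python
"""Post-hardening check of the Oracle Directory Server Enterprise Edition endpoints.

Added example for this page, not Oracle code. Assumes the page's example values:
host odseehost, plaintext port 389, secure port 1636, and dsee-cert as the DER
file written by `dsadm show-cert -F der -o dsee-cert instance-path`.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate as colon-separated upper-case hex (keytool's format)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def plaintext_port_refused(host: str, port: int = 389, timeout: float = 3.0) -> Optional[bool]:
    """True if the non-SSL LDAP port actively refuses TCP connections, False if something
    accepts them, None if inconclusive (timeout or other network error: a firewall that
    drops packets is not the same as the server not listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except ConnectionRefusedError:
        return True
    except OSError:
        return None


def ldaps_peer_fingerprint(host: str, port: int, trust_anchor_der: bytes, timeout: float = 5.0) -> str:
    """TLS-connect to host:port trusting only the exported ODSEE certificate.

    PROTOCOL_TLS_CLIENT turns on certificate verification and host-name checking, and no
    system CA store is loaded, so the handshake only succeeds if the server presents the
    exported certificate (or a chain ending in it). A host-name mismatch raises
    ssl.SSLCertVerificationError: connect with the name that is in the certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Accept the exported server certificate itself as the trust anchor even when it is
    # CA-issued rather than self-signed (flag available from Python 3.10).
    ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    ctx.load_verify_locations(cadata=trust_anchor_der)  # DER bytes are accepted as cadata
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


def main(argv) -> int:
    host = argv[1] if len(argv) > 1 else "odseehost"
    cert_file = argv[2] if len(argv) > 2 else "dsee-cert"
    with open(cert_file, "rb") as fh:
        anchor = fh.read()
    expected = sha256_fingerprint(anchor)
    print(f"exported certificate fingerprint: {expected}")
    print(f"plaintext port 389 refused:       {plaintext_port_refused(host, 389)}")
    actual = ldaps_peer_fingerprint(host, 1636, anchor)
    print(f"LDAPS port 1636 presents:         {actual}")
    return 0 if actual == expected else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 check_odsee_tls.py odseehost dsee-cert from a host that should be allowed to reach the directory; a result of False for the plaintext port means non-SSL LDAP is still reachable, and a fingerprint that differs from the exported one means the server is presenting a different certificate than the one imported into the keystore.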
    

7.3.2 Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL

After configuring the Oracle Directory Server Enterprise Edition (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform.

To configure Oracle Directory Integration Platform:

  1. Update the Oracle Directory Server Enterprise Edition host name and port number, by running the manageDIPServerConfig utility (ORACLE_HOME/bin directory):

    manageDIPServerConfig set -h host -p port -D wlsuser -attribute {sslmode |
    refreshinterval | quartzthreadcount | quartzdbretryinterval | backendhostport |
    keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] 
    [-value ATTRIBUTE_VALUE] [-help]
    

    Example:

    manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute backendhostport -val odseehost:1636
    

    For more information, see manageDIPServerConfig Utility.

  2. Create a Java Keystore (JKS) using keytool, if you did not already do so in Configuring Oracle Directory Server Enterprise Edition for SSL, and import the Oracle Directory Server Enterprise Edition certificate exported there as a trusted certificate:

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias ODSEE -file /home/Middleware/asinst_1/ODSEE/admin/odseecert.txt -keystore /home/Middleware/dip.jks

    The system will prompt for a keystore password. Type a new password for this keystore.

    Note:

    • If you use the -keystore option and the keystore does not exist, keytool creates the keystore.

    If you are using Microsoft Active Directory as the connected directory, then you must also do the following:

    1. Export the Microsoft Active Directory certificate, as described in LDAP over SSL (LDAPS) Certificate.

    2. Import the Microsoft Active Directory certificate into the Oracle Directory Integration Platform keystore. Use an alias that differs from the one used for the Oracle Directory Server Enterprise Edition certificate (mycompany.com above), because keytool refuses to import a second certificate under an existing alias; certAD is used here and in the verification steps below:

      keytool -importcert -noprompt -trustcacerts -alias certAD -file ~/jpi-ad.cer -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
      
    3. Verify the certificate, by running the following command:

      keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
      
    4. Update the Keystore location in Oracle Directory Integration Platform:

      $ORACLE_HOME/bin/manageDIPServerConfig set -attribute keystorelocation -val ~/keystores/DIPKeyStore.jks -h host -p 7005 -D "weblogic"
      
    5. Import the Microsoft Active Directory certificate into the certificate database of the Oracle Directory Server Enterprise Edition instance as a trusted CA certificate (-C). dsadm add-cert takes the instance path, an alias for the certificate and the certificate file:

      dsadm add-cert -C instance-path certAD ~/jpi-ad.cer
      
    6. Restart the directory server instance:

      dsadm restart instance-path
      
    7. Verify the certificates with certutil against the instance's certificate database (the alias directory of the instance, database prefix slapd-; $INSTANCE stands for the instance path). The first command lists all certificates, the second shows the Active Directory certificate by its alias, and the third shows the instance's own server certificate (host stands for its alias):

      dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd-
      dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n certAD
      dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n host
      
  3. Run the following command to update the Java Keystore location in Oracle Directory Integration Platform:

    manageDIPServerConfig set -attr keystorelocation -val full_path_to_keystore -h weblogic_host -p weblogic_managed_server_port -D weblogic_user

    Note:

    full_path_to_keystore represents the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

    For example:

    manageDIPServerConfig set -attr keystorelocation -val /home/Middleware/dip.jks -h localhost -p 7005 -D weblogic

    The system will prompt for the WebLogic password.

  4. Update the Oracle Directory Integration Platform SSL mode, either in Fusion Middleware Control or by running the following command. The value 2 selects SSL server authentication mode, in which Oracle Directory Integration Platform verifies the back-end directory's certificate against the keystore configured above:

    manageDIPServerConfig set -h weblogic_host -p weblogic_managed_server_port -D weblogic_user -attribute sslmode -value ATTRIBUTE_VALUE
    

    For example:

    manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute sslmode -val 2
    

    For more information, see Arguments for manageDIPServerConfig.

  5. Restart the Oracle WebLogic managed server.

    Oracle Directory Integration Platform will now connect to Oracle Directory Server Enterprise Edition in SSL Server authentication mode.

7.4 Verifying Oracle Directory Integration Platform

Verify the Oracle Directory Integration Platform installation using the dipStatus command, located in the $ORACLE_HOME/bin/ directory.

For more information, see Verifying Oracle Directory Integration Platform.

After configuring Oracle Directory Server Enterprise Edition (back-end directory) communication, non-SSL or SSL, for Oracle Directory Integration Platform, you can synchronize it with a connected directory, as described in Synchronization Using Oracle Directory Integration Platform.