7 Configuring Oracle Directory Server Enterprise Edition
You can configure Oracle Directory Server Enterprise Edition as the back-end directory for Oracle Directory Integration Platform synchronization.
7.1 Before You Configure Oracle Directory Server Enterprise Edition as the Back-End Directory
Ensure that you install Oracle Directory Integration Platform before you configure Oracle Directory Server Enterprise Edition as the back-end directory.
See Configuring Oracle Directory Integration Platform in Oracle Fusion Middleware Installing and Configuring Oracle Internet Directory.
7.2 Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform
Use the steps in the following order to configure Oracle Directory Server Enterprise Edition (back-end directory) non-SSL communication for Oracle Directory Integration Platform.
- Installing and Configuring Oracle Directory Server Enterprise Edition
- Installing Oracle Directory Server Enterprise Edition Plug-In
- Creating Oracle Directory Server Enterprise Edition Suffixes
- Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition
- Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition
- Starting the Oracle WebLogic Server and the Oracle Directory Server Enterprise Edition Instance
- Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition
- Adding Access Control Instructions (ACIs) for Oracle Directory Server Enterprise Edition
7.2.1 Installing and Configuring Oracle Directory Server Enterprise Edition
Ensure that Oracle Directory Server Enterprise Edition is installed and configured.
See Oracle Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition and Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
Note:
You must create a Directory Server instance, as described in Creating Server Instances From Command Line in Oracle® Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition.
7.2.2 Installing Oracle Directory Server Enterprise Edition Plug-In
Install the Oracle Directory Server Enterprise Edition plug-in to synchronize the password for Oracle Directory Server Enterprise Edition.
You can synchronize the password for Oracle Directory Server Enterprise Edition, as described in Configuring Password Synchronization for Oracle Directory Server Enterprise Edition. To install the Oracle Directory Server Enterprise Edition plug-in, complete the following steps:
For more information about Oracle Directory Server Enterprise Edition plug-in, see Oracle Fusion Middleware Developer's Guide for Oracle Directory Server Enterprise Edition.
7.2.3 Creating Oracle Directory Server Enterprise Edition Suffixes
Use the dsconf command to create the suffixes for the server's Directory Information Tree (DIT).
You must create the following suffixes:
- cn=OracleContext: This suffix is used for storing the Oracle Directory Integration Platform configuration details.
- A suffix for storing the synchronized data (<data_suffix_name> in the commands below).
To create the suffixes, run the dsconf command on the command line (the -i and -c options suppress the confirmation prompts, including the prompt to accept an untrusted server certificate):
dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" cn=OracleContext
dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" <data_suffix_name>
After creating the suffixes, you must do the following:
For more information, see "Creating Suffixes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.
7.2.4 Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition
Use the dsconf command to enable the retro change log for Oracle Directory Server Enterprise Edition. Oracle Directory Integration Platform reads the retro change log to detect changes that must be synchronized.
Complete the following steps:
Note:
Enabling the retro change log for Oracle Directory Server Enterprise Edition may impact Directory Server performance.
7.2.5 Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition
You must configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition either in an existing or in a new WebLogic Server domain.
7.2.5.1 Configuring Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an Existing WebLogic Domain
Perform the following steps to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an existing WebLogic administration domain:
7.2.6 Starting the Oracle WebLogic Server and the Oracle Directory Server Enterprise Edition Instance
After the WebLogic domain configuration is complete, start the Oracle WebLogic Server and the Oracle Directory Server Enterprise Edition instance. Perform the following tasks:
7.2.7 Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition
After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition.
- Set the WL_HOME and ORACLE_HOME environment variables for Oracle Directory Integration Platform.
- Run the dipConfigurator setup command (in <ORACLE_HOME>/bin) on the command line and enter the arguments described in Table 7-1.
Note:
If you are running dipConfigurator setup for a secured LDAP connection (isldapssl=true), then you must also configure Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL communication mode. See Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL.
Table 7-1 dipConfigurator Properties for Oracle Directory Server Enterprise Edition
wlshost: Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed.
wlsport: Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.
wlsuser: Oracle WebLogic Server login user name.
ldaphost: Oracle Directory Server Enterprise Edition host name.
ldapport: Oracle Directory Server Enterprise Edition server port number. The default value is 636 (the SSL port); for non-SSL communication specify the LDAP port, which is 389 in the example below.
isldapssl: Specify true or false, to enable or disable SSL.
ldapuser: The bind DN to connect to the Oracle Directory Server Enterprise Edition.
isclustered <BOOLEAN>: Specify whether the Oracle Directory Integration Platform instance is in a cluster environment.
clustercheckininterval <INT>: Specify the frequency (in milliseconds) at which an instance checks for server status (for example, detecting failed instances) with the other instances of the cluster.
Example:
UNIX:
$ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false
Windows:
ORACLE_HOME\bin\dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false
Note:
You can synchronize the password for Oracle Directory Server Enterprise Edition, as described in Configuring Password Synchronization for Oracle Directory Server Enterprise Edition.
7.2.8 Adding Access Control Instructions (ACIs) for Oracle Directory Server Enterprise Edition
Add the ACIs in an LDIF file for Oracle Directory Server Enterprise Edition using the ldapmodify command. The two ACIs grant the DIP groups (cn=dipadmingrp and cn=odipigroup under cn=DIPadmins) all rights, including proxy, on the data suffix and on every attribute below it, so check the group DNs carefully before applying them. Replace <suffix_name> with your data suffix. The example passes the Directory Manager password on the command line (-w), which exposes it to other users on the host through the process list and shell history; outside a test environment, read the password from a file or let the tool prompt for it.
Run the ldapmodify command on the command line:
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w secret12 <<EOF
dn: dc=<suffix_name>,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=<suffix_name>,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF
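Because both ACIs hand out all rights plus proxy across the whole suffix, a typo in a groupdn or a stray userdn="ldap:///anyone" in an edited copy of this LDIF would open the directory far wider than intended. The following Python script is an added example written for this page (it is not Oracle code and not part of the product): it unfolds the LDIF, parses each aci value into its targets and allow/deny rules, and reports any allow rule whose subject is not a group under the DIP administrators container. The sample LDIF is constructed from the two ACIs above with dc=example,dc=com standing in for the data suffix.

```python
"""Audit the DIP ACIs in an LDIF before applying them with ldapmodify.

Added example for this page (not Oracle code). The sample LDIF is constructed
from the two ACIs in this section with dc=example,dc=com as the data suffix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the two ACIs from this section, folded as LDIF allows.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions";
  allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";
  allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions";
  allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";
  allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
-
"""

# Container every DIP ACI subject is expected to live under (taken from the ACIs above).
DIP_CONTAINER = "cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=OracleContext"
KNOWN_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy", "all"}

TARGET_RE = re.compile(r'\((target\w*)\s*!?=\s*"([^"]*)"\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.S)
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"', re.I)
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///(anyone|all)"', re.I)


@dataclass
class Rule:
    effect: str          # "allow" or "deny"
    rights: set[str]     # e.g. {"all", "proxy"}
    bind_rule: str       # e.g. groupdn="ldap:///cn=dipadmingrp,..."


@dataclass
class Aci:
    name: str
    targets: dict[str, str]              # e.g. {"target": "ldap:///dc=example,dc=com"}
    rules: list[Rule] = field(default_factory=list)


def ldif_values(ldif: str, attr: str) -> list[str]:
    """Return every value of `attr`, joining LDIF continuation lines (leading space)."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # one leading space marks a folded line
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    # Base64-encoded values (attr::) are out of scope for this check.
    return [line[len(prefix):].strip() for line in lines
            if line.lower().startswith(prefix) and not line[len(prefix):].startswith(":")]


def parse_aci(value: str) -> Aci:
    """Split an ODSEE version 3.0 ACI into its targets and allow/deny rules."""
    m = BODY_RE.search(value)
    if not m:
        raise ValueError(f"not a version 3.0 ACI: {value[:40]!r}")
    targets = {k.lower(): v for k, v in TARGET_RE.findall(value[:m.start()])}
    aci = Aci(name=m.group(1), targets=targets)
    for effect, rights, bind in RULE_RE.findall(m.group(2)):
        aci.rules.append(Rule(effect, {r.strip().lower() for r in rights.split(",")}, bind.strip()))
    return aci


def norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs for a case-insensitive compare."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit_aci(aci: Aci, container: str = DIP_CONTAINER) -> list[str]:
    """Findings for allow rules that reach beyond the DIP groups under `container`."""
    findings = []
    for rule in aci.rules:
        if rule.effect != "allow":
            continue
        if rule.rights - KNOWN_RIGHTS:
            findings.append(f"{aci.name}: unknown rights {sorted(rule.rights - KNOWN_RIGHTS)}")
        if ANYONE_RE.search(rule.bind_rule):
            findings.append(f"{aci.name}: grants {sorted(rule.rights)} to {rule.bind_rule}")
            continue
        m = GROUPDN_RE.search(rule.bind_rule)
        if not m or not norm_dn(m.group(1)).endswith("," + norm_dn(container)):
            findings.append(f"{aci.name}: subject outside {container}: {rule.bind_rule}")
    return findings


def audit_ldif(ldif: str) -> tuple[list[Aci], list[str]]:
    """Parse every aci value in the LDIF and collect findings across all of them."""
    acis = [parse_aci(v) for v in ldif_values(ldif, "aci")]
    return acis, [f for a in acis for f in audit_aci(a)]


if __name__ == "__main__":
    parsed, problems = audit_ldif(SAMPLE_LDIF)
    for a in parsed:
        print(a.name, a.targets, [(r.effect, sorted(r.rights)) for r in a.rules])
    print("findings:", problems or "none")
```

Run it against the LDIF you are about to apply (read the file in place of SAMPLE_LDIF); an empty findings list means every allow rule names a group under cn=DIPadmins, which is all these two ACIs should ever do. The parser handles the single-target, version 3.0 form used here and raises on anything else rather than silently skipping it.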
7.3 Configuring Oracle Directory Server Enterprise Edition (SSL) for Oracle Directory Integration Platform
Use the steps in the following order to configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform.
7.3.1 Configuring Oracle Directory Server Enterprise Edition for SSL
Use the following steps to configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform.
- Configure Oracle Directory Server Enterprise Edition, as described in Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform.
- You can disable non-SSL communication so that Oracle Directory Server Enterprise Edition communicates only through SSL. To do so, run the dsconf command on the command line (-P addresses the secure port, 1636 in this example):
UNIX:
$ dsconf set-server-prop -h host -P 1636 ldap-port:disabled
Windows:
dsconf set-server-prop -h host -P 1636 ldap-port:disabled
Restart the Oracle Directory Server Enterprise Edition instance:
dsadm restart instance-path
You can now no longer bind on the non-secure port 389; any further dsconf or ldapmodify commands against this instance must use the secure port.
- Create the Oracle Directory Integration Platform credentials, by doing the following:
Open the WLST prompt by running $ORACLE_HOME/oracle_common/common/bin/wlst.sh (UNIX) or ORACLE_HOME\oracle_common\common\bin\wlst.cmd (Windows), connect to the Administration Server, and run the following command at the WLST prompt:
createCred(map="dip", key="jksKey", user="jksUser", password="password", desc="DIP SSL JKS")
Example:
createCred(map="dip", key="jksKey", user="jksUser", password="<keystore_password>", desc="DIP SSL JKS")
The password stored under jksKey is the password of the Java keystore that Oracle Directory Integration Platform uses for SSL, so use the same value as the keystore password when you create the keystore below.
For more information, see Credential Store Framework for Oracle Directory Integration Platform.
- Import the Oracle Directory Server Enterprise Edition certificate into Oracle Directory Integration Platform, by running the following commands (export the server certificate in DER form, import it as a trusted certificate, then list the keystore to confirm the entry):
bin/dsadm show-cert -F der -o dsee-cert instance-path
keytool -importcert -noprompt -trustcacerts -alias mycompany.com -file ~/dsee-cert -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
Passing -storepass on the command line exposes the keystore password to other users on the host; if you omit the option, keytool prompts for it instead.
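A practitioner will want to confirm that the two changes above actually took effect before pointing Oracle Directory Integration Platform at the SSL port: port 389 should refuse connections, and the LDAPS port should present a certificate that validates against the file produced by dsadm show-cert. The following Python script is an added example written for this page (not Oracle code and not part of the product). It builds a TLS context that trusts only the exported DER certificate, checks the host name, and then performs an LDAPv3 simple bind over the verified connection; the host name, ports and file names are assumptions, and the LDAP bind is encoded by hand (RFC 4511 BER) so that the check depends only on the Python standard library.

```python
"""Verify from the DIP host that ODSEE answers only over LDAPS with the expected certificate.

Added example for this page (not Oracle code). Host names, ports and file names
are assumptions. The trust anchor is the DER file written by
`dsadm show-cert -F der -o dsee-cert instance-path`.
"""
from __future__ import annotations

import socket
import ssl
import sys


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPv3 simple BindRequest; an empty DN and password is an anonymous bind."""
    if not 0 < msg_id < 0x80:
        raise ValueError("messageID must fit one INTEGER byte in this example")
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))   # 0x60 = [APPLICATION 0]


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_result(response: bytes) -> tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                      # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError(f"unexpected protocolOp tag {tag:#x}")
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)        # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def trust_context(der_cert_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the exported ODSEE certificate and checks the host name."""
    with open(der_cert_path, "rb") as f:
        pem = ssl.DER_cert_to_PEM_cert(f.read())
    ctx = ssl.create_default_context(cadata=pem)      # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A self-signed server certificate is its own anchor; if ODSEE uses a CA-issued
    # certificate, export and trust the CA certificate instead.
    return ctx


def ldaps_bind(host: str, port: int, der_cert_path: str,
               dn: str = "", password: str = "") -> tuple[int, str]:
    """Handshake with certificate verification, then bind; return (resultCode, peer CN)."""
    ctx = trust_context(der_cert_path)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            tls.sendall(bind_request(1, dn, password))
            _, code, _ = bind_result(tls.recv(4096))
    return code, subject.get("commonName", "")


def plain_port_closed(host: str, port: int = 389) -> bool:
    """True when the non-SSL port refuses connections, i.e. ldap-port:disabled took effect."""
    try:
        with socket.create_connection((host, port), timeout=5):
            return False
    except OSError:
        return True


if __name__ == "__main__":
    odsee_host, der_path = sys.argv[1], sys.argv[2]    # assumed: odseehost ~/dsee-cert
    print("389 closed:", plain_port_closed(odsee_host))
    print("LDAPS bind (resultCode, CN):", ldaps_bind(odsee_host, 1636, der_path))
```

Run it on the host where Oracle Directory Integration Platform is deployed, with the same host name you will later register in backendhostport: because the context checks the host name, a certificate whose CN or subjectAltName does not match odseehost fails here exactly as it would for a strict client, which is the mistake worth catching before the keystore is wired into DIP. A resultCode of 0 with an empty DN means the anonymous bind succeeded over the verified channel; 49 (invalidCredentials) with a real DN still proves the TLS side is correct.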
7.3.2 Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL
After configuring the Oracle Directory Server Enterprise Edition (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform.
To configure Oracle Directory Integration Platform:
- Update the Oracle Directory Server Enterprise Edition host name and port number, by running the manageDIPServerConfig utility (in the ORACLE_HOME/bin directory). The utility prompts for the WebLogic password. Usage:
manageDIPServerConfig set -h host -p port -D wlsuser -attribute {sslmode | refreshinterval | quartzthreadcount | quartzdbretryinterval | backendhostport | keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-value ATTRIBUTE_VALUE] [-help]
Example (point Oracle Directory Integration Platform at the SSL port of the back-end directory):
manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute backendhostport -value odseehost:1636
For more information, see manageDIPServerConfig Utility.
- Create a Java Keystore (JKS) using keytool, and import into it the Oracle Directory Server Enterprise Edition certificate exported with dsadm show-cert in Configuring Oracle Directory Server Enterprise Edition for SSL:
keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore
For example:
keytool -importcert -trustcacerts -alias ODSEE -file /home/Middleware/asinst_1/ODSEE/admin/odseecert.txt -keystore /home/Middleware/dip.jks
The system prompts for a keystore password. Type a new password for this keystore; it must match the password stored under the jksKey credential, which is how Oracle Directory Integration Platform opens the keystore.
Note:
If you use the -keystore option and the keystore does not exist, keytool creates the keystore.
If you are using Microsoft Active Directory as the connected directory, then you must also do the following:
- Export the Microsoft Active Directory certificate, as described in LDAP over SSL (LDAPS) Certificate.
- Import the Microsoft Active Directory certificate into the Oracle Directory Integration Platform keystore, by running the following command. Use an alias that is not already present in the keystore (for example, not the alias you used for the Oracle Directory Server Enterprise Edition certificate), because keytool refuses to import a certificate under an existing alias:
keytool -importcert -noprompt -trustcacerts -alias mycompany.com -file ~/jpi-ad.cer -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
- Verify the certificate, by running the following command:
keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
- Update the keystore location in Oracle Directory Integration Platform, giving the absolute path of the keystore (a tilde is not expanded by the server):
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute keystorelocation -value /absolute/path/to/keystores/DIPKeyStore.jks -h host -p 7005 -D "weblogic"
- Import the Microsoft Active Directory certificate into the Oracle Directory Server Enterprise Edition certificate database as a trusted CA certificate. dsadm add-cert -C takes the instance path, the alias to store the certificate under, and the certificate file:
dsee7/bin/dsadm add-cert -C instance-path certAD ~/jpi-ad.cer
- Restart the directory server instance:
dsadm restart instance-path
- Verify the certificate, by running the following commands (the Oracle Directory Server Enterprise Edition certificate database uses the slapd- prefix; the first command lists all certificates, the others show the Active Directory and server certificates by nickname):
/dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd-
/dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n certAD
/dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n host
- Run the following command to update the Java Keystore location in Oracle Directory Integration Platform:
manageDIPServerConfig set -attribute keystorelocation -value full_path_to_keystore -h weblogic_host -p weblogic_managed_server_port -D weblogic_user
Note:
full_path_to_keystore represents the absolute path to the Java Keystore (JKS) on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).
For example:
manageDIPServerConfig set -attribute keystorelocation -value /home/Middleware/dip.jks -h localhost -p 7005 -D weblogic
The system will prompt for the WebLogic password.
- Update the Oracle Directory Integration Platform SSL mode, either in Enterprise Manager or by running the following command:
manageDIPServerConfig set -h weblogic_host -p weblogic_managed_server_port -D weblogic_user -attribute sslmode [-value ATTRIBUTE_VALUE] [-help]
For example, to select SSL with server authentication (sslmode 2):
manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute sslmode -value 2
For more information, see Arguments for manageDIPServerConfig.
- Restart the Oracle WebLogic managed server.
Oracle Directory Integration Platform will now connect to Oracle Directory Server Enterprise Edition in SSL server authentication mode: it verifies the Oracle Directory Server Enterprise Edition server certificate against the keystore registered above, and the directory does not require a client certificate from Oracle Directory Integration Platform.
7.4 Verifying Oracle Directory Integration Platform
Verify the Oracle Directory Integration Platform installation using the dipStatus command, located in the $ORACLE_HOME/bin/ directory.
For more information, see Verifying Oracle Directory Integration Platform.
After configuring Oracle Directory Server Enterprise Edition (back-end directory) communication, non-SSL or SSL, for Oracle Directory Integration Platform, you can synchronize it with a connected directory, as described in Synchronization Using Oracle Directory Integration Platform.