6 Configuring Oracle Internet Directory
You can configure Oracle Internet Directory as the back-end directory for Oracle Directory Integration Platform synchronization or provisioning.
6.1 Before You Configure Oracle Internet Directory as the Back-End Directory
Before configuring Oracle Internet Directory as the back-end directory, you must install Oracle Internet Directory and Oracle Directory Integration Platform.
- Install Oracle Internet Directory either as a collocated configuration or as a standalone configuration. For more information, see Installing the Oracle Internet Directory Software in Installing and Configuring Oracle Internet Directory.
  Note: You can only configure Oracle Internet Directory with Oracle Directory Integration Platform in SSL mode. The Oracle Internet Directory SSL port must be configured in SSL No Authentication Mode or SSL Server Authentication Only Mode.
- Configure Oracle Directory Integration Platform after you install the Oracle Internet Directory binaries, as described in Configuring Oracle Directory Integration Platform in Installing and Configuring Oracle Internet Directory.
6.2 Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Internet Directory
You must configure Oracle Directory Integration Platform with Oracle Internet Directory in either an existing or a new Oracle WebLogic Server domain.
6.2.1 Configuring Oracle Directory Integration Platform with Oracle Internet Directory in an Existing WebLogic Domain
Note:
- During the Oracle Internet Directory domain configuration, if you have already selected the Oracle Directory Integration Platform - 12.2.1.3.0 [dip] option in the Templates screen, then you can skip this section. See Selecting the Configuration Templates for Oracle Internet Directory in Oracle Fusion Middleware Installing and Configuring Oracle Internet Directory.
- You must stop the Administration Server, Managed Servers, and Node Manager before updating the existing WebLogic domain.
6.2.2 Configuring Oracle Directory Integration Platform and Oracle Internet Directory in a New Oracle WebLogic Server Domain
Perform the configuration steps in this section only if you want to configure Oracle Directory Integration Platform and Oracle Internet Directory in a new Oracle WebLogic Server domain.
6.3 Configuring Oracle Internet Directory (SSL) for Oracle Directory Integration Platform
Perform the following steps, in order, to configure SSL communication between Oracle Internet Directory (the back-end directory) and Oracle Directory Integration Platform.
6.3.1 Configuring Oracle Internet Directory for SSL
Configure Oracle Internet Directory (back-end directory) in SSL mode. You can use the SSL No Authentication Mode or SSL Server Authentication Only Mode options to configure the SSL port.
Note:
- Oracle recommends that you use the SSL Server Authentication Only Mode option, configured on an LDAPS port, for Oracle Internet Directory.
- If Java Development Kit (JDK) 1.8.0_201 or higher is installed on your system, then the anonymous ciphers are disabled by default. If Oracle Internet Directory SSL is configured in SSL No Authentication Mode, then you must enable the anonymous ciphers in the JDK by editing the java.security file (JAVA_HOME/lib/security) and removing anon, NULL, DES, and 3DES_EDE_CBC from the jdk.tls.disabledAlgorithms security property.
See Configuring Secure Sockets Layer (SSL) in Oracle Fusion Middleware Administering Oracle Internet Directory.
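Removing those entries from jdk.tls.disabledAlgorithms deliberately weakens the JDK's TLS defaults, so an operator will want to know which JDK installations have been edited and which still refuse anonymous cipher suites. The following Python script is an added example, not part of the Oracle documentation: it parses the jdk.tls.disabledAlgorithms property (joining backslash-continued lines as the JDK's properties reader does), reports whether each of the four entries named in the note above is still present, and shows the value the documented edit produces. The java.security fragment embedded in it is constructed for the example.

```python
"""Audit the jdk.tls.disabledAlgorithms property of a JDK java.security file.

Added example, not part of the Oracle documentation. It checks whether the
four entries the documentation says to remove for SSL No Authentication Mode
(anon, NULL, DES, 3DES_EDE_CBC) are still present, i.e. whether the JDK
still refuses anonymous and weak cipher suites.
"""
from typing import Dict, List, Optional

# Entries named in the documentation. While they are present, the JDK will
# not negotiate the DH_anon cipher suites that SSL No Authentication Mode needs.
ANON_ENTRIES = ("anon", "NULL", "DES", "3DES_EDE_CBC")

# Constructed java.security fragment in the shape JDK 8u201 and later ship
# (a comment line and a backslash-continued property value).
SAMPLE_JAVA_SECURITY = """\
# constructed fragment for this example
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines,
    the way java.util.Properties reads the file."""
    lines: List[str] = []
    buf: Optional[str] = None
    for raw in text.splitlines():
        line = raw.lstrip()          # leading whitespace is not significant
        if buf is None:
            if not line or line[0] in "#!":
                continue             # comment or blank line
            buf = ""
        if line.endswith("\\"):
            buf += line[:-1]         # continuation: drop the backslash, keep reading
            continue
        lines.append(buf + line)
        buf = None
    if buf is not None:              # file ended on a continuation line
        lines.append(buf)
    return lines


def read_property(text: str, name: str) -> Optional[str]:
    """Return the value of property ``name``, or None if it is absent."""
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def parse_disabled_algorithms(value: str) -> List[str]:
    """Split a disabledAlgorithms value into its comma-separated entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_anonymous_ciphers(text: str) -> Dict[str, bool]:
    """Map each entry in ANON_ENTRIES to True if it is still disabled."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    entries = parse_disabled_algorithms(value)
    return {entry: entry in entries for entry in ANON_ENTRIES}


def remove_entries(value: str, to_remove) -> str:
    """Return the property value with the named entries removed; this is the
    value the documented edit for SSL No Authentication Mode produces."""
    kept = [e for e in parse_disabled_algorithms(value) if e not in to_remove]
    return ", ".join(kept)


def audit_file(path: str) -> Dict[str, bool]:
    """Audit a java.security file on disk, e.g. JAVA_HOME/lib/security/java.security."""
    with open(path, encoding="utf-8") as f:
        return audit_anonymous_ciphers(f.read())


if __name__ == "__main__":
    import sys
    # Pass a java.security path as the first argument; otherwise the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    for entry, disabled in audit_anonymous_ciphers(text).items():
        print(f"{entry:14s} {'still disabled' if disabled else 'ENABLED (weak)'}")
```

Run it against JAVA_HOME/lib/security/java.security on each host that runs Oracle Directory Integration Platform; any entry reported as enabled means that JDK has had the No Authentication Mode edit applied and will accept anonymous Diffie-Hellman suites.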
6.3.2 Configuring Oracle Directory Integration Platform for Oracle Internet Directory SSL Authentication
After configuring the Oracle Internet Directory (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform.
Note:
Oracle recommends that you use the SSL Server Authentication Only Mode option, configured on an LDAPS port, for Oracle Internet Directory.
6.3.2.1 Configuring Oracle Directory Integration Platform for Oracle Internet Directory SSL Server Authentication Only Mode
Note:
If you change the configuration from Oracle Internet Directory SSL No Authentication Mode to SSL Server Authentication Only Mode, then you must delete the TLS_DH_anon_WITH_AES_128_GCM_SHA256 and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites from Oracle Directory Integration Platform using the Oracle Fusion Middleware System MBean Browser. This ensures that all the ciphers supported in Oracle Directory Integration Platform for the Java Development Kit (JDK) 1.8.0_201 or higher are enabled.
6.3.2.2 Configuring Oracle Directory Integration Platform for Oracle Internet Directory SSL No Authentication Mode
Note:
Oracle does not recommend using No Authentication (SSL Mode 1).
- Ensure that the Oracle WebLogic Administration Server and the Oracle Directory Integration Platform managed server are running. If they are not running, start them as follows:
  Administration Server:
  DOMAIN_NAME/bin/startWebLogic.sh
  Note: DOMAIN_NAME is the root directory of the domain (the name of this directory is the name of the domain). By default, this directory is ORACLE_HOME\user_projects\domains\DOMAIN_NAME.
  Managed Server:
  DOMAIN_NAME/bin/startManagedWebLogic.sh managed_server_name admin_url
  See Starting the Stack.
- Run the manageDIPServerConfig utility to update the Oracle Directory Integration Platform SSL configuration to use the Oracle Internet Directory SSL No Authentication Mode:
  Unix:
  $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 1 -h localhost -p 7005 -D "weblogic"
  Windows:
  ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 1 -h localhost -p 7005 -D "weblogic"
  For more information, see Arguments for manageDIPServerConfig.
  You can also log in to Enterprise Manager and update the Oracle Directory Integration Platform SSL configuration: choose DIP > Server Properties, then set SSL Mode to 1 and the port value to the Oracle Internet Directory SSL port.
6.3.3 Adding Cipher Suites Configured for Oracle Internet Directory into Oracle Directory Integration Platform
If the cipher suites configured for Oracle Internet Directory are not available or recognized in Oracle Directory Integration Platform, then you must add those suites to Oracle Directory Integration Platform using the Oracle Fusion Middleware System MBean Browser.
For example, if Oracle Internet Directory SSL is configured in No Authentication Mode, then by default anonymous ciphers are not recognized by Oracle Directory Integration Platform. Add the TLS_DH_anon_WITH_AES_128_GCM_SHA256 and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites to Oracle Directory Integration Platform using the Oracle Fusion Middleware System MBean Browser.
To add cipher suites to Oracle Directory Integration Platform, complete the following steps:
Note:
In a cluster environment, you must repeat the steps below for all of the Oracle Directory Integration Platform managed servers in the cluster.
6.4 Configuring Oracle Directory Integration Platform for Oracle Internet Directory
Use the dipConfigurator command to configure Oracle Directory Integration Platform for Oracle Internet Directory.
Note:
Before running dipConfigurator to configure Oracle Internet Directory as the back-end directory, ensure that you have completed the following configuration, based on the SSL implementation mode:
- No Authentication (SSL Mode 1): Configuring Oracle Directory Integration Platform for Oracle Internet Directory SSL No Authentication Mode
- SSL Server Authentication (SSL Mode 2): Configuring Oracle Directory Integration Platform for Oracle Internet Directory SSL Server Authentication Only Mode
6.5 Verifying Oracle Directory Integration Platform
Verify the Oracle Directory Integration Platform installation using the dipStatus and dipConfigurator commands, located in the $ORACLE_HOME/bin/ directory.
Note:
You must set the WL_HOME and ORACLE_HOME environment variables before executing the dipStatus and dipConfigurator commands.
The following is the syntax for the dipStatus command:
$ORACLE_HOME/bin/dipStatus -h <hostName> -p <port> -D <wlsuser> [-ssl -keyStorePath <path> -keyStoreType <type>] [-help]
- -h | -host identifies the Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.
- -p | -port identifies the listening port of the Oracle Directory Integration Platform Managed Server.
- -D | -wlsuser identifies the Oracle WebLogic Server login ID.
- -ssl executes the command in SSL mode.
- -keyStorePath identifies the full path to the keystore.
- -keyStoreType identifies the type of the keystore identified by -keyStorePath. For example: -keyStoreType jks or -keyStoreType PKCS12. The default value is jks.
- -help provides usage help for the command.
Note:
You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.
Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
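The scripted use of dipStatus that the note above permits, as an added Python example that is not part of the Oracle documentation: it builds the dipStatus command line from the documented syntax (the password is never an argument, so it does not appear in process listings or shell history), writes the password to a temporary file that mkstemp creates with mode 0600, feeds that file to the command's standard input in place of the interactive prompt, and deletes it on every exit path. The environment variable DIP_WLS_PASSWORD, the host name and the keystore path used below are assumptions for the example.

```python
"""Run dipStatus from a script without putting the password on the command line.

Added example, not part of the Oracle documentation. It follows the practice
the documentation describes: the password is written to a file that only the
current user can read, redirected to the command's standard input in place of
the interactive prompt, and deleted as soon as the command returns.
"""
import os
import stat
import subprocess
import tempfile
from typing import Dict, List, Optional


def dip_status_command(oracle_home: str, host: str, port: int, wls_user: str,
                       ssl: bool = False, keystore_path: Optional[str] = None,
                       keystore_type: Optional[str] = None) -> List[str]:
    """Build the argv for the documented dipStatus syntax:
    dipStatus -h <hostName> -p <port> -D <wlsuser> [-ssl -keyStorePath <path> -keyStoreType <type>]
    The password is deliberately not an argument."""
    cmd = [os.path.join(oracle_home, "bin", "dipStatus"),
           "-h", host, "-p", str(port), "-D", wls_user]
    if ssl:
        cmd.append("-ssl")
        if keystore_path:
            cmd += ["-keyStorePath", keystore_path]
        if keystore_type:
            cmd += ["-keyStoreType", keystore_type]
    return cmd


def run_with_password_file(command: List[str], password: str) -> Dict[str, object]:
    """Execute ``command`` with ``password`` supplied on stdin from a temporary
    file. mkstemp creates the file with mode 0600 regardless of umask, so other
    local users cannot read it; the finally block removes it whether or not the
    command succeeds. The returned dict records both facts so a caller can verify
    them instead of trusting them."""
    fd, path = tempfile.mkstemp(prefix="wls-pw-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password + "\n")       # the newline the prompt would receive
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "r") as stdin_file:
            proc = subprocess.run(command, stdin=stdin_file,
                                  capture_output=True, text=True, check=False)
    finally:
        os.unlink(path)                    # delete the file as soon as it is no longer needed
    return {
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
        "password_file_mode": mode,
        "password_file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    # Assumed environment: ORACLE_HOME set as the documentation requires, and the
    # password placed in DIP_WLS_PASSWORD (a hypothetical variable name) by the
    # secret store the script runs under. Host and port are the documented localhost:7005.
    result = run_with_password_file(
        dip_status_command(os.environ["ORACLE_HOME"], "localhost", 7005, "weblogic"),
        os.environ["DIP_WLS_PASSWORD"])
    print(result["stdout"], end="")
    raise SystemExit(int(result["returncode"]))
```

Because dipStatus reads the password from its prompt, any command that consumes standard input can stand in for it when exercising the helper, which is how the file mode and cleanup can be checked on a host without Oracle Directory Integration Platform installed.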
After you install and configure Oracle Directory Integration Platform, see Getting Started with Oracle Directory Integration Platform.
After configuring Oracle Internet Directory (back-end directory) SSL communication for Oracle Directory Integration Platform, you can synchronize or provision it with a connected directory, as described in Synchronization Using Oracle Directory Integration Platform or Provisioning with the Oracle Directory Integration Platform.