5 Configuring Oracle Unified Directory

You can configure Oracle Unified Directory as the back-end directory for Oracle Directory Integration Platform synchronization or provisioning.

5.1 Before You Configure Oracle Unified Directory as the Back-End Directory

Before you can configure Oracle Unified Directory as the back-end directory, you must configure Oracle Directory Integration Platform.

For more information about configuring Oracle Directory Integration Platform, see Configuring Oracle Directory Integration Platform in Installing and Configuring Oracle Internet Directory.

5.2 Configuring Oracle Unified Directory (Non-SSL) for Oracle Directory Integration Platform

Use the steps in the following order to configure Oracle Unified Directory (back-end directory) non-SSL communication for Oracle Directory Integration Platform.

5.2.1 Installing Oracle Unified Directory

Install the Oracle Unified Directory either as a collocated configuration or as a standalone configuration.

To install Oracle Unified Directory, see Installing the Oracle Unified Directory Software in Oracle Fusion Middleware Installing Oracle Unified Directory.

For the Oracle Unified Directory Oracle home location, Oracle recommends that you specify the Oracle Directory Integration Platform Middleware home, so that both products share one Oracle home.

When you set up an Oracle Unified Directory server instance using either the graphical user interface (GUI) or the command-line interface (CLI), ensure that you select one of the following options:

  • Enable for DIP: Select this option if you want this server instance to be enabled for Oracle Directory Integration Platform (DIP) only.

  • Enable for EBS (E-Business Suite), Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).

  • Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle Enterprise User Security (EUS), Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).

Note:

All of the above options are valid for Oracle Directory Integration Platform. If you are integrating Oracle Unified Directory with Oracle Directory Integration Platform only, and not with EBS, EUS, or Database Net Services, Oracle recommends the Enable for DIP option, because it enables the smallest set of features the instance needs.

5.2.2 Configuring Oracle Unified Directory

Configure the Oracle Unified Directory instance before you use it as the back-end directory for Oracle Directory Integration Platform.

See Introduction to Oracle Unified Directory in Oracle Fusion Middleware Administering Oracle Unified Directory.

5.2.3 Creating Oracle Unified Directory Suffixes

If you did not create the suffixes during the Oracle Unified Directory installation, then you must create them using the setup-oracle-context command.

Create the cn=oraclecontext and cn=oracleschemaversion suffixes, by running the setup-oracle-context command on the command line:

UNIX

$ setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll

Windows

setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll

Here, and in the dsreplication commands that follow, -j reads the Directory Manager password from pwd-file; keep that file readable only by the account that runs the command and delete it when you are done. --trustAll skips verification of the administration connector certificate and is acceptable only because the command connects to the local instance; when you target a remote instance, trust the exported administration certificate through --trustStorePath instead.

5.2.4 Enabling External Change Log

The External Change Log (ECL) is available by default on any server instance that includes both a directory server and a replication server.

Enable the ECL for the user suffix and cn=oraclecontext using the dsreplication command.

Note:

If you have configured replication during installation then ECL is enabled. For more information, see Setting Up Replication During Installation in Installing Oracle Unified Directory.

Enable ECL for the User Suffix

To enable ECL for the user suffix (for example, dc=example,dc=com):

UNIX

$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b "dc=example,dc=com" --trustAll --no-prompt

Windows

dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b "dc=example,dc=com" --trustAll --no-prompt

Enable ECL for the cn=oraclecontext

To enable ECL for cn=oraclecontext:

UNIX

$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt

Windows

dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt

The replication port (-r) is required to configure the ECL, even on a standalone server, because the ECL relies on the replication mechanism. You need only specify the replication port if the change log (or replication) was not previously configured on the server. The default value of the replication port is 8989.

Verify ECL for the User Suffix and cn=oraclecontext

To verify that the ECL is configured on a directory server instance, run the following search command and look for the cn=changelog naming context:

$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -s base -b "" "objectclass=*" namingContexts
dn:
namingContexts: cn=changelog
namingContexts: cn=OracleContext
namingContexts: cn=OracleSchemaVersion
namingContexts: dc=example,dc=com
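The three steps above (creating the Oracle context suffixes, enabling the ECL, and checking the naming contexts) as one POSIX shell script, added here as an example and not taken from the Oracle documentation or from Oracle Unified Directory's own tooling. It assumes a standalone instance whose bin directory is on PATH, the default ports used on this page (4444 administration, 8989 replication, 1389 LDAP), and that the Directory Manager password is supplied on standard input; the check_naming_contexts function parses the ldapsearch result the way the verification step describes, so that a missing cn=changelog fails the script instead of going unnoticed.

```shell
#!/bin/sh
# Added example (not Oracle's code): suffix creation, ECL enablement and
# verification for a standalone OUD instance. Assumed (hypothetical): the
# instance bin directory is on PATH; admin port 4444, replication port 8989,
# LDAP port 1389, all on localhost.
set -eu

# write_secret_file FILE: read one line (the bind password) from stdin and
# store it in FILE created with mode 0600, so the password is never passed
# on a command line where `ps` could show it. The -j option reads this file.
write_secret_file() {
  ( umask 077 && IFS= read -r secret && printf '%s\n' "$secret" > "$1" )
}

# check_naming_contexts SUFFIX: read the rootDSE namingContexts search
# result on stdin and succeed only if cn=changelog, cn=OracleContext,
# cn=OracleSchemaVersion and SUFFIX are all listed. Attribute names and DNs
# are compared case-insensitively and trailing whitespace is ignored.
check_naming_contexts() {
  lsuffix=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  found=$(tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//' \
          | sed -n 's/^namingcontexts: *//p')
  for nc in cn=changelog cn=oraclecontext cn=oracleschemaversion "$lsuffix"; do
    if ! printf '%s\n' "$found" | grep -Fxq "$nc"; then
      echo "missing naming context: $nc" >&2
      return 1
    fi
  done
  return 0
}

# enable_dip_changelog SUFFIX PWD_FILE: create the Oracle context suffixes,
# enable the ECL for SUFFIX and cn=oraclecontext, then verify the result.
# --trustAll is used only because the admin connector is reached on
# localhost; for a remote instance use --trustStorePath with the exported
# administration certificate instead.
enable_dip_changelog() {
  user_suffix=$1
  pwfile=$2
  setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" \
      -j "$pwfile" --no-prompt --trustAll
  for base in "$user_suffix" cn=oraclecontext; do
    dsreplication enable-changelog -h localhost -p 4444 \
        -D "cn=directory manager" -j "$pwfile" -r 8989 -b "$base" \
        --trustAll --no-prompt
  done
  # Without pipefail the pipeline's status is the checker's, which also
  # fails when ldapsearch produced no output at all.
  ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j "$pwfile" \
      -s base -b "" "(objectclass=*)" namingContexts \
    | check_naming_contexts "$user_suffix"
}

# Usage (password typed once, file removed on exit):
#   printf 'Enter Directory Manager password: ' >&2
#   write_secret_file ./pwd-file
#   trap 'rm -f ./pwd-file' EXIT
#   enable_dip_changelog dc=example,dc=com ./pwd-file
```

The script deliberately keeps the checker separate from the commands that talk to the server, so the same function can be run against the saved output of ldapsearch on any instance in the topology.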

5.2.5 Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Unified Directory

You must configure Oracle Directory Integration Platform with Oracle Unified Directory either in an existing Oracle WebLogic Server domain or in a new one.

5.2.5.1 Configuring Oracle Directory Integration Platform with Oracle Unified Directory in an Existing WebLogic Domain

Perform the following steps to configure Oracle Directory Integration Platform with Oracle Unified Directory in an existing WebLogic administration domain:

  1. Run the ORACLE_HOME/oracle_common/common/bin/config.sh script (UNIX) or ORACLE_HOME\oracle_common\common\bin\config.cmd (Windows).

    The Configuration Type screen is displayed.

  2. Select Update an existing domain, and click Next.

    The Templates screen is displayed.

  3. On the Templates screen, select Update Domain Using Product Templates and then select Oracle Directory Integration Platform - 12.2.1.3.0[dip] domain configuration option.

    Note:

    When you select Oracle Directory Integration Platform - 12.2.1.3.0 [dip] option, Oracle Enterprise Manager 12.2.1.3.0 [em] is automatically selected.

    Click Next.

    The JDBC Data Sources screen is displayed.

  4. Make changes if required and then click Next.

    The JDBC Data Sources Test screen is displayed.

  5. Select the data sources to test, and click Test Selected Connections.

    Click Next.

    The Database Configuration Type screen is displayed.

  6. Make changes if required and then click Get RCU Configuration to retrieve the schema information. After successfully retrieving the schema information, click Next to continue.

    The JDBC Component Schema screen is displayed.

  7. Verify that the values populated are correct for all schemas and click Next.

    The JDBC Component Schema Test screen is displayed.

  8. You can select the component schema to test, and click Test Selected Connections. Wait for one or more connection tests to complete. If you do not want to test connections, deselect all data sources.

    Note:

    In order to test connections, the database to which you are trying to connect must be running.

    Click Next.

    The Advanced Configuration screen is displayed.

  9. Select Managed Servers, Clusters, and Machines option. Click Next.

    The Managed Servers screen is displayed.

  10. Specify the Managed Server name and click Next.

    The Clusters screen is displayed.

  11. Configure Clusters as required and click Next.

    The Machines screen is displayed.

  12. Select the Machine tab (for Windows) or Unix Machine tab. Click on Add and specify the machine name. Click Next.
  13. If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.
  14. On the Configuration Summary screen, review the domain configuration, and click Update to start extending the domain.
  15. Click Finish, once the domain is extended.

    Your existing WebLogic domain is extended to support Oracle Directory Integration Platform with Oracle Unified Directory.

5.2.5.2 Configuring Oracle Directory Integration Platform and Oracle Unified Directory in a New Oracle WebLogic Server Domain
To configure Oracle Directory Integration Platform and Oracle Unified Directory in a new WebLogic domain:
  1. Run the ORACLE_HOME/oracle_common/common/bin/config.sh script (UNIX) or ORACLE_HOME\oracle_common\common\bin\config.cmd (Windows).

    The Configuration Type screen is displayed.

  2. On the Configuration Type screen, select Create a new domain and enter the full path for the domain or use the Browse button to navigate to the directory in which your domains are located. Click Next.

    The Templates screen is displayed.

  3. On the Templates screen, make sure Create Domain Using Product Templates is selected, and then select Oracle Directory Integration Platform - 12.2.1.3.0[dip].

    Note:

    When you select Oracle Directory Integration Platform - 12.2.1.3.0 [dip] option, the following components are automatically selected:

    • Oracle Enterprise Manager 12.2.1.3.0 [em]

    • Oracle JRF - 12.2.1.3.0 [oracle_common]

    • Weblogic Coherence Cluster Extension 12.2.1.3 [wlserver]

    Click Next.

    The Application Location screen is displayed.

  4. Click Browse and specify the full path to the directory in which you want to store the applications that are associated with the domain.

    Click Next.

    The Administrator Account screen is displayed.

  5. Specify the user name and password for the default WebLogic Administrator account for the domain.
    The password must be at least eight characters and must contain at least one number or special character. Confirm the password and click Next.
    Make a note of these details as you will need them to start or restart the WebLogic domain in the following procedure.
    The Domain Mode and JDK screen is displayed.
  6. Specify the domain mode and Java Development Kit (JDK).
    1. Select Production in the Domain Mode field.

      Note:

      If you select Production mode as the domain, the node manager has a random username and password assigned to it. Use the WebLogic Server Administration Console to reset the password.

    2. Accept Oracle Hotspot as a default JDK location.
    3. Click Next.
    The Database Configuration Type screen is displayed.
  7. Select RCU Data. This option instructs the Configuration Wizard to connect to the database’s Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.

    Note:

    Ensure that you have created the database schemas required for the domain. See Creating Database Schemas for the Infrastructure Domain Using the Repository Creation Utility in Oracle Fusion Middleware Installing Oracle Unified Directory.

    After selecting RCU Data:

    1. Enter the name of the server hosting the database in the Host Name field.

      Note:

      Ensure that you do not specify localhost in the Host Name field.
    2. Enter the database DBMS name, or service name if you selected a service type driver in the DBMS/Service field.
    3. Enter the port number on which the database listens.
    4. Enter the username and password for connecting to the database's Service Table schema.
    5. Click Get RCU Configuration to retrieve the schema information. After successfully retrieving the schema information, click Next to continue.
    The JDBC Component Schema screen is displayed.
  8. Verify that the values populated are correct for all schemas, and click Next.
    The JDBC Component Schema Test screen is displayed.
  9. Test datasource connections that you just configured.
    A green check mark in the Status column indicates a successful test. If you encounter issues, see the error message in the Connection Result Log section of the screen, fix the problem, then test the connection again.

    The Advanced Configuration screen is displayed.

  10. To complete domain configuration, select any of these options:
    • Administration Server: Required to properly configure the Administration Server’s listen address.
    • Node Manager: Required to configure Node Manager.
    • Topology: Required to configure the Managed Servers and cluster, and for configuring the machine and targeting Managed Servers to the machine.
    • Deployments and Services: Required to target to servers or clusters.
    Click Next.
  11. Review each item on the Configuration Summary screen and verify that the information is correct.
    To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.
    A new WebLogic domain (for example: base_domain) is created to support Oracle Directory Integration Platform and Fusion Middleware Control in the <ORACLE_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <ORACLE_HOME>/user_projects/domains directory.

5.2.6 Starting the Servers

After the WebLogic domain configuration is complete, you can start the servers to manage the domain.

Perform the following tasks:

  1. Start the Administration Server, Node Manager and Managed Server as described in Starting and Stopping the Oracle Stack.
  2. Start the Oracle Unified Directory using the start-ds command:

    UNIX: $ start-ds

    Windows: C:\> start-ds

5.2.7 Configuring Oracle Directory Integration Platform for Oracle Unified Directory

After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Unified Directory.

Complete the following steps:
  1. Export the certificate for the Oracle Unified Directory administration connector (the admin-cert entry in the instance admin keystore), by running the following command from the Oracle Unified Directory instance directory, so that the config paths resolve. The -storepass:file option reads the keystore password from the .pin file rather than placing it on the command line:

    UNIX

    $ keytool -exportcert -alias admin-cert -keystore config/admin-keystore -storepass:file config/admin-keystore.pin -file oud-server-admin-cert.cer

    Windows

    keytool -exportcert -alias admin-cert -keystore config\admin-keystore -storepass:file config\admin-keystore.pin -file oud-server-admin-cert.cer
    
  2. Create a Java Keystore (JKS) using the keytool, and import the trusted certificate exported in the previous step into the JKS.

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias admin-cert -file /home/Middleware/asinst_1/OUD/admin/oud-server-admin-cert.cer -keystore /home/Middleware/dip.jks

    The system will prompt for a keystore password. Type a new password for this keystore.

  3. Run the following command to update the Java Keystore location in Oracle Directory Integration Platform.

    manageDIPServerConfig set -attribute keystorelocation -val full_path_to_keystore -h weblogic_host -p weblogic_managed_server_port -D weblogic_user

    Note:

    full_path_to_keystore represents the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

    For example:

    $ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D wlsuser -attribute keystorelocation -val /home/Middleware/dip.jks

    The system will prompt for the WebLogic password.

  4. Update the Oracle Directory Integration Platform SSL configuration, by running the following command:

    UNIX

    $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 0 -h localhost -p 7005 -D "weblogic"

    Windows

    ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 0 -h localhost -p 7005 -D "weblogic"

    For more information, see Arguments for manageDIPServerConfig.

  5. Run the following commands to create a CSF credential and update the Java Keystore password:

    1. Open the WLST prompt by running the following command:

      $ORACLE_HOME/oracle_common/common/bin/wlst.sh (UNIX) or ORACLE_HOME\oracle_common\common\bin\wlst.cmd (Windows)

    2. Connect to the WebLogic Admin Server:

      connect('Weblogic_User', 'Weblogic_password', 't3://Weblogic_Host:Weblogic_AdminServer_Port')

      Passing the password inline leaves it in the WLST command history. For scripted use, create a user configuration file and key file once with storeUserConfig() and connect with connect(userConfigFile='...', userKeyFile='...', url='t3://Weblogic_Host:Weblogic_AdminServer_Port') instead.

    3. Create the credential and update the Java Keystore password:

      createCred(map="dip", key="jksKey", user="jksuser", password="JKS_password")

  6. Set the WL_HOME and ORACLE_HOME environment variables for Oracle Directory Integration Platform.

  7. Run the dipConfigurator setup (<ORACLE_HOME>/bin) command on the command line and enter the following arguments:

    Note:

    If you are running the dipConfigurator setup for a secured LDAP (isldapssl=true) then you must configure Oracle Directory Integration Platform for Oracle Unified Directory using SSL communication mode. See Configuring Oracle Directory Integration Platform for Oracle Unified Directory SSL.

    Table 5-1 dipConfigurator Properties for Oracle Unified Directory

    • wlshost: Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default host name is localhost.

    • wlsport: Listening port number of the Oracle WebLogic Administration Server where Oracle Directory Integration Platform is deployed. The default port number is 7001.

    • wlsuser: Oracle WebLogic Server login user name.

    • ldaphost: Oracle Unified Directory host name. The default host name is localhost.

    • ldapport: Oracle Unified Directory server port number. The default value is 636.

    • isldapssl: Specify true or false, to enable or disable SSL. The default value is true.

    • ldapuser: The bind DN to connect to the directory.

    • ldapadminport: The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is 4444.

    • isclustered <BOOLEAN>: Specify whether the Oracle Directory Integration Platform instance is in a cluster environment. The default value is false.

    • clustercheckininterval <INT>: Specify the frequency (in milliseconds) at which an instance checks for server status (for example, detecting failed instances) with the other instances of the cluster. The default value is 120000 milliseconds.

    Example:

    UNIX

    $ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

    Windows

    ORACLE_HOME\bin\dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444

    The command prompts for the WebLogic and Directory Manager passwords; it does not accept them as arguments.
    

    Note:

    You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.

5.2.8 Adding Access Control Instructions (ACIs) for Oracle Unified Directory

Add the ACIs in an LDIF file for Oracle Unified Directory using the ldapmodify command. The two ACIs grant the Oracle Directory Integration Platform groups (dipadmingrp and odipigroup) all rights, plus proxy authorization, at the entry level and on every attribute of the suffix that Oracle Directory Integration Platform synchronizes or provisions.

Run the ldapmodify command on the command line (as elsewhere in this chapter, -j reads the bind password from a protected file rather than exposing it in the process list, which -w <password> would do):

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF

Note:

This is an example, and you need to replace the dc=example,dc=com ACI with your profile configuration.

5.3 Configuring Oracle Unified Directory (SSL) for Oracle Directory Integration Platform

Use the steps in the following order to configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform.

5.3.1 Configuring Oracle Unified Directory for SSL

You can configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following steps:

  1. Configure Oracle Unified Directory, as described in Configuring Oracle Unified Directory (Non-SSL) for Oracle Directory Integration Platform.
  2. Configure Oracle Unified Directory to accept SSL-based connections using a self-signed certificate, as described in Getting SSL Up and Running Quickly in Oracle Fusion Middleware Administering Oracle Unified Directory.
  3. Export the server certificate (the public certificate only; the private key stays in the Oracle Unified Directory keystore and must never be copied to Oracle Directory Integration Platform) for the Oracle Unified Directory instance, by running the following command from the instance directory:

    UNIX

    $ keytool -exportcert -alias server-cert -file config/server-cert.txt -rfc \
       -keystore config/keystore -storetype JKS

    Windows

    keytool -exportcert -alias server-cert -file config\server-cert.txt -rfc -keystore config\keystore -storetype JKS
    

5.3.2 Configuring Oracle Directory Integration Platform for Oracle Unified Directory SSL

After configuring the Oracle Unified Directory (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform.

Complete the following steps:

  1. Import the trusted certificate that you exported in Configuring Oracle Unified Directory for SSL into the Oracle Directory Integration Platform JKS (the Java Keystore you created in Step 2 of Configuring Oracle Directory Integration Platform for Oracle Unified Directory).

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias OUD2 -file /home/Middleware/asinst_1/OUD/config/server-cert.txt -keystore /home/Middleware/dip.jks

    The system will prompt for a keystore password. Type the password for this keystore (the Java Keystore password that you chose in Step 2 and stored in the CSF in Step 5 of Configuring Oracle Directory Integration Platform for Oracle Unified Directory).

  2. Update the Oracle Directory Integration Platform SSL configuration, by running the following command:

    UNIX

    $ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
    
    $ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
    

    Windows

    ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
    
    ORACLE_HOME\bin\manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
    

    For more information, see Arguments for manageDIPServerConfig.

    You can also log in to Enterprise Manager and update the Oracle Directory Integration Platform SSL configuration.

    Choose DIP > Server Properties, then set SSL Mode to 2 and the port value to the Oracle Unified Directory SSL port.

  3. Restart the Oracle WebLogic managed server.

    Oracle Directory Integration Platform will now connect to Oracle Unified Directory in SSL Server authentication mode.
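The certificate handling in this section and in steps 1 and 2 of Configuring Oracle Directory Integration Platform for Oracle Unified Directory, as an added POSIX shell example that is not Oracle's code: it exports the certificate, imports it into the DIP JKS, and then compares the SHA-256 fingerprint recorded in the JKS against the exported file before switching DIP to SSL mode 2, so that trust is pinned to the certificate you actually exported. Assumed (hypothetical) details: the script is run from the Oracle Unified Directory instance directory so that config/keystore and config/admin-keystore resolve, the server keystore PIN is in config/keystore.pin, the DIP JKS password is in a 0600 file named by the JKS_PIN environment variable, ORACLE_HOME is set, and the managed server listens on localhost:7005. The keytool output and fingerprint values used in the test are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's code): export an OUD certificate, import it
# into the DIP JKS, verify the fingerprint, then switch DIP to SSL mode 2.
# Assumed (hypothetical): run from the OUD instance directory; JKS_PIN names
# a 0600 file holding the DIP JKS password; ORACLE_HOME is set; the DIP
# managed server is on localhost:7005.
set -eu

# sha256_fingerprint: read `keytool -printcert` or `keytool -list -v` output
# on stdin and print the SHA256 fingerprint upper-cased with no whitespace.
# Fails when the output carries no SHA256 line (for example, an empty file).
sha256_fingerprint() {
  fp=$(sed -n 's/.*SHA256: *//p' | head -n 1 | tr -d '[:space:]' \
       | tr '[:lower:]' '[:upper:]')
  [ -n "$fp" ] || return 1
  printf '%s\n' "$fp"
}

# fingerprints_match FILE_OUTPUT STORE_OUTPUT: true only if both keytool
# outputs carry the same SHA256 fingerprint.
fingerprints_match() {
  a=$(printf '%s\n' "$1" | sha256_fingerprint) || return 1
  b=$(printf '%s\n' "$2" | sha256_fingerprint) || return 1
  [ "$a" = "$b" ]
}

# import_pinned_cert ALIAS SRC_KEYSTORE SRC_PIN CERT_FILE DIP_JKS: export the
# certificate (public part only; the private key never leaves OUD), import
# it into DIP_JKS under ALIAS, and confirm that what the JKS now trusts is
# exactly the exported certificate.
import_pinned_cert() {
  cert_alias=$1
  src_store=$2
  src_pin=$3
  cert_file=$4
  dip_jks=$5
  keytool -exportcert -alias "$cert_alias" -keystore "$src_store" \
      -storetype JKS -storepass:file "$src_pin" -rfc -file "$cert_file"
  keytool -importcert -noprompt -trustcacerts -alias "$cert_alias" \
      -file "$cert_file" -keystore "$dip_jks" -storetype JKS \
      -storepass:file "$JKS_PIN"
  file_out=$(keytool -printcert -file "$cert_file")
  store_out=$(keytool -list -v -alias "$cert_alias" -keystore "$dip_jks" \
      -storepass:file "$JKS_PIN")
  fingerprints_match "$file_out" "$store_out" \
    || { echo "fingerprint mismatch for alias $cert_alias" >&2; return 1; }
}

# switch_dip_to_ssl OUD_HOST OUD_SSL_PORT WLS_USER: point DIP at the OUD
# LDAPS port in SSL server-authentication mode. manageDIPServerConfig
# prompts for the WebLogic password; it is not passed as an argument.
switch_dip_to_ssl() {
  "$ORACLE_HOME/bin/manageDIPServerConfig" set -attribute sslmode -val 2 \
      -h localhost -p 7005 -D "$3"
  "$ORACLE_HOME/bin/manageDIPServerConfig" set -attribute backendhostport \
      -val "$1:$2" -h localhost -p 7005 -D "$3"
}

# Usage, from the OUD instance directory:
#   import_pinned_cert admin-cert config/admin-keystore \
#       config/admin-keystore.pin oud-server-admin-cert.cer /home/Middleware/dip.jks
#   import_pinned_cert server-cert config/keystore config/keystore.pin \
#       config/server-cert.txt /home/Middleware/dip.jks
#   switch_dip_to_ssl oudhost 1636 weblogic
# then restart the DIP managed server as described in the procedure above.
```

Comparing fingerprints after the import is what turns "the import command did not fail" into "DIP trusts this certificate and only this certificate"; the same two parsing functions can be run against the saved keytool output from any host without Java being installed locally.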

5.4 Verifying Oracle Directory Integration Platform

Verify the Oracle Directory Integration Platform installation using the dipStatus command, located in the $ORACLE_HOME/bin/ directory.

Note:

You must set the WL_HOME and ORACLE_HOME environment variables before executing the dipStatus and dipConfigurator commands.

The following is the syntax for the dipStatus command:

$ORACLE_HOME/bin/dipStatus -h localhost -p 7005 -D weblogic [-help]
  • -h | -host identifies the Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.

  • -p | -port identifies the listening port of the Oracle Directory Integration Platform Managed Server.

  • -D | -wlsuser identifies the Oracle WebLogic Server login ID.

Note:

You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.

Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.

You can also verify the Oracle Directory Integration Platform installation using the Oracle Enterprise Manager Fusion Middleware Control, as follows:

  1. Open a browser, and access the Oracle Enterprise Manager Fusion Middleware Control using the following URL format:
    http://hostname:port/em
  2. In the navigation panel on the left, click or expand Identity and Access and then select DIP(12.2.1.3.0).
  3. Click the DIP Server menu, point to Administration, and then select Server Properties.
  4. Click Test Connection and verify the instance.

After you install and configure Oracle Directory Integration Platform, refer to Getting Started with Oracle Directory Integration Platform.

After configuring Oracle Unified Directory (back-end directory) non-SSL or SSL communication for Oracle Directory Integration Platform, you can synchronize or provision it with a connected directory, as described in Synchronization Using Oracle Directory Integration Platform or Provisioning with the Oracle Directory Integration Platform.