5 Configuring Oracle Unified Directory
You can configure Oracle Unified Directory as the back-end directory for Oracle Directory Integration Platform synchronization or provisioning.
Topics:
5.1 Before You Configure Oracle Unified Directory as the Back-End Directory
Before you can configure Oracle Unified Directory as the back-end directory, you must configure Oracle Directory Integration Platform.
For more information about configuring Oracle Directory Integration Platform, see Configuring Oracle Directory Integration Platform in Installing and Configuring Oracle Internet Directory.
5.2 Configuring Oracle Unified Directory (Non-SSL) for Oracle Directory Integration Platform
Use the steps in the following order to configure Oracle Unified Directory (back-end directory) non-SSL communication for Oracle Directory Integration Platform.
5.2.1 Installing Oracle Unified Directory
Install the Oracle Unified Directory either as a collocated configuration or as a standalone configuration.
To install Oracle Unified Directory, see Installing the Oracle Unified Directory Software in Oracle Fusion Middleware Installing Oracle Unified Directory.
For the OUD Oracle home directory location, Oracle recommends that you specify the Oracle Directory Integration Platform home directory as the Middleware home.
When you set up an Oracle Unified Directory server instance using either the graphical user interface (GUI) or the command-line interface (CLI), ensure that you select one of the following options:
- Enable for DIP: Select this option if you want this server instance to be enabled for Oracle Directory Integration Platform (DIP) only.
- Enable for EBS (E-Business Suite), Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).
- Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle Enterprise User Security (EUS), Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).
Note:
All of the above options are valid for Oracle Directory Integration Platform. Oracle recommends the Enable for DIP option for integrating Oracle Unified Directory with Oracle Directory Integration Platform when you are not also integrating with EBS, EUS, or Database Net Services.
5.2.2 Configuring Oracle Unified Directory
Configure the Oracle Unified Directory, before you use it as the back-end directory for Oracle Directory Integration Platform.
See Introduction to Oracle Unified Directory in Oracle Fusion Middleware Administering Oracle Unified Directory.
5.2.3 Creating Oracle Unified Directory Suffixes
If you have not created the suffixes during the Oracle Unified Directory installation, then you must create them using the setup-oracle-context command.
Create the cn=oraclecontext and cn=oracleschemaversion suffixes by running the setup-oracle-context command on the command line:
UNIX
$ setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll
Windows
setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll
5.2.4 Enabling External Change Log
The External Change Log (ECL) is available by default on any server instance that includes both a directory server and a replication server.
Enable the ECL for the user suffix and cn=oraclecontext using the dsreplication command.
Note:
If you have configured replication during installation, then ECL is already enabled. For more information, see Setting Up Replication During Installation in Installing Oracle Unified Directory.
Enable ECL for the User Suffix
To enable ECL for the user suffix (for example, dc=example,dc=com):
UNIX
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b "dc=example,dc=com" --trustAll --no-prompt
Windows
dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b "dc=example,dc=com" --trustAll --no-prompt
Enable ECL for cn=oraclecontext
To enable ECL for cn=oraclecontext:
UNIX
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt
Windows
dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt
The replication port (-r) is required to configure the ECL, even on a standalone server, because the ECL relies on the replication mechanism. You need only specify the replication port if the change log (or replication) was not previously configured on the server. The default value of the replication port is 8989.
Verify ECL for the User Suffix and cn=oraclecontext
To verify that the ECL is configured on a directory server instance, run the following search command and look for the cn=changelog naming context:
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -s base -b "" "objectclass=*" namingContexts
dn:
namingContexts: cn=changelog
namingcontexts: cn=OracleContext
namingcontexts: cn=OracleSchemaVersion
namingcontexts: dc=example,dc=com
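As an added check that is not part of the Oracle documentation, the following POSIX shell function reads the root DSE search output shown above from standard input and confirms that cn=changelog, cn=OracleContext, cn=OracleSchemaVersion and the user suffix are all reported as naming contexts, printing whichever are missing. The user suffix is passed as an argument; the two sample outputs embedded in the script are constructed to mirror the listing above (one with the change log, one without).

```shell
#!/bin/sh
# Added example, not from the Oracle documentation.
# Pipe the output of:
#   ldapsearch ... -s base -b "" "objectclass=*" namingContexts
# into check_dip_naming_contexts "<user suffix>".

# Return 0 when every naming context DIP depends on is present on stdin,
# otherwise print the missing ones to stderr and return 1.
check_dip_naming_contexts() {
    user_suffix="$1"
    input=$(cat)
    missing=""
    for ctx in "cn=changelog" "cn=OracleContext" "cn=OracleSchemaVersion" "$user_suffix"; do
        # OUD prints the attribute name with varying case, and DNs compare
        # case-insensitively, so match without regard to case.
        if ! printf '%s\n' "$input" | grep -iq "^namingcontexts: *${ctx}\$"; then
            missing="${missing} ${ctx}"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing naming contexts:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the listing from the documentation (ECL enabled).
SAMPLE_OK='dn:
namingContexts: cn=changelog
namingcontexts: cn=OracleContext
namingcontexts: cn=OracleSchemaVersion
namingcontexts: dc=example,dc=com'

# Constructed sample: a server on which enable-changelog was never run.
SAMPLE_NO_ECL='dn:
namingcontexts: cn=OracleContext
namingcontexts: cn=OracleSchemaVersion
namingcontexts: dc=example,dc=com'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_dip_naming_contexts "dc=example,dc=com" && echo "ECL present"
printf '%s\n' "$SAMPLE_NO_ECL" | check_dip_naming_contexts "dc=example,dc=com" || echo "ECL not configured"
```

Against a live server, replace the constructed sample with the real ldapsearch invocation on the left of the pipe; a non-zero exit makes the check usable as a gate in a post-installation script.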
5.2.5 Configuring the Oracle WebLogic Server Domain for Oracle Directory Integration Platform with Oracle Unified Directory
You must configure Oracle Directory Integration Platform with Oracle Unified Directory either in an existing or in a new WebLogic Server domain.
5.2.5.1 Configuring Oracle Directory Integration Platform with Oracle Unified Directory in an Existing WebLogic Domain
Perform the following steps to configure Oracle Directory Integration Platform with Oracle Unified Directory in an existing WebLogic administration domain:
5.2.6 Starting the Servers
After the WebLogic domain configuration is complete, you can start the servers to manage the domain.
Perform the following tasks:
5.2.7 Configuring Oracle Directory Integration Platform for Oracle Unified Directory
After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Unified Directory.
- Export the certificate for the Oracle Unified Directory Administration Server instance by running the following command:
UNIX
$ keytool -export-cert -alias admin-cert -keystore config/admin-keystore -storepass:file config/admin-keystore.pin -file oud-server-admin-cert.cer
Windows
keytool -export-cert -alias admin-cert -keystore config\admin-keystore -storepass:file config\admin-keystore.pin -file oud-server-admin-cert.cer
- Create a Java Keystore (JKS) using the keytool, and import the trusted certificate exported in the previous step into the JKS.
keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore
For example:
keytool -importcert -trustcacerts -alias admin-cert -file /home/Middleware/asinst_1/OUD/admin/oud-server-admin-cert.cer -keystore /home/Middleware/dip.jks
The system will prompt for a keystore password. Type a new password for this keystore.
- Run the following command to update the Java Keystore location in Oracle Directory Integration Platform.
manageDIPServerConfig set -attribute keystorelocation -val full_path_to_keystore -h weblogic_host -p weblogic_managed_server_port -D weblogic_user
Note:
full_path_to_keystore represents the absolute path to the Java Keystore (JKS) on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).
For example:
$ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D wlsuser -attribute keystorelocation -val /home/Middleware/dip.jks
The system will prompt for the WebLogic password.
- Update the Oracle Directory Integration Platform SSL configuration by running the following command:
UNIX
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 0 -h localhost -p 7005 -D "weblogic"
Windows
ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 0 -h localhost -p 7005 -D "weblogic"
For more information, see Arguments for manageDIPServerConfig.
- Run the following commands to create a CSF credential and update the Java Keystore password:
  - Open the WLST prompt by running the following command:
  UNIX
  $ORACLE_HOME/oracle_common/common/bin/wlst.sh
  Windows
  ORACLE_HOME\oracle_common\common\bin\wlst.cmd
  - Connect to the WebLogic Admin Server:
  connect('Weblogic_User', 'Weblogic_password', 't3://Weblogic_Host:Weblogic_AdminServer_Port')
  - Create the credential and update the Java Keystore password:
  createCred(map="dip", key="jksKey", user="jksuser", password="JKS_password")
- Set the WL_HOME and ORACLE_HOME environment variables for Oracle Directory Integration Platform.
- Run the dipConfigurator setup command (in <ORACLE_HOME>/bin) on the command line and enter the following arguments:
Note:
If you are running dipConfigurator setup for a secured LDAP (isldapssl=true), then you must configure Oracle Directory Integration Platform for Oracle Unified Directory using SSL communication mode. See Configuring Oracle Directory Integration Platform for Oracle Unified Directory SSL.
Table 5-1 dipConfigurator Properties for Oracle Unified Directory
Property: Description
wlshost: Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default host name is localhost.
wlsport: Listening port number of the Oracle WebLogic Administration Server where Oracle Directory Integration Platform is deployed. The default port number is 7001.
wlsuser: Oracle WebLogic Server login user name.
ldaphost: Oracle Unified Directory host name. The default host name is localhost.
ldapport: Oracle Unified Directory server port number. The default value is 636.
isldapssl: Specify true or false to enable or disable SSL. The default value is true.
ldapuser: The bind DN to connect to the directory.
ldapadminport: The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is 4444.
isclustered <BOOLEAN>: Specify whether the Oracle Directory Integration Platform instance is in a cluster environment. The default value is false.
clustercheckininterval <INT>: Specify the frequency (in milliseconds) at which an instance checks for server status (for example, detecting failed instances) with the other instances of the cluster. The default value is 120000 milliseconds.
Example:
UNIX
$ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
Windows
ORACLE_HOME\bin\dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
Note:
You can view the dipConfig.log file, located at <ORACLE_HOME>/ldap/log/.
5.2.8 Adding Access Control Instructions (ACIs) for Oracle Unified Directory
Add the ACIs in an LDIF file for Oracle Unified Directory using the ldapmodify command.
Run the ldapmodify command on the command line:
ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w <password> <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF
Note:
This is an example; replace the dc=example,dc=com ACI with the suffix and groups from your own profile configuration.
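Because these ACIs grant all rights plus proxy authorization over the whole user suffix, it is worth confirming before running ldapmodify that every grantee is a group beneath the DIP administrators container and nothing else slipped into the file. The following POSIX shell script is an added example, not part of the Oracle documentation: it unfolds the LDIF, lists every groupdn grantee, and fails if any grantee lies outside the expected container. The LDIF it embeds is constructed from the example above, the second LDIF is a constructed negative case, and the container DN in DIP_ADMIN_CONTAINER is an assumption to adapt to your deployment.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation.
# Usage: aci_check_scope < file.ldif    (exit 0 = all grantees in scope)

# Assumed container under which all DIP grantee groups are expected to live.
DIP_ADMIN_CONTAINER='cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext'

# Print every groupdn="ldap:///..." grantee found in the LDIF on stdin, one per line.
aci_grantees() {
    # Join LDIF continuation lines (a leading space) so a folded aci value
    # is matched as one line, then pull out each groupdn target.
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' |
    grep -o 'groupdn="ldap:///[^"]*"' |
    sed -e 's|^groupdn="ldap:///||' -e 's|"$||'
}

# Number of grantee references in the LDIF on stdin.
aci_grantee_count() {
    aci_grantees | wc -l | tr -d ' '
}

# Return 0 if every grantee is beneath DIP_ADMIN_CONTAINER, otherwise list
# the offending DNs on stderr and return 1.
aci_check_scope() {
    bad=$(aci_grantees | while IFS= read -r dn; do
        case "$dn" in
            cn=*,"$DIP_ADMIN_CONTAINER") ;;
            *) printf '%s\n' "$dn" ;;
        esac
    done)
    if [ -n "$bad" ]; then
        printf 'grantee outside DIP admin container:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the ACI modification from the documentation.
SAMPLE_LDIF='dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)'

# Constructed negative sample: an unrelated group given the same rights.
SAMPLE_LDIF_BAD='dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Too broad"; allow (all,proxy) groupdn="ldap:///cn=helpdesk,ou=groups,dc=example,dc=com";)'

# Stand-alone demonstration on the constructed LDIF.
printf '%s\n' "$SAMPLE_LDIF" | aci_check_scope && echo "all grantees under ${DIP_ADMIN_CONTAINER}"
```

Run the real LDIF through aci_check_scope in the same pipeline position as the constructed sample; a non-zero exit stops the ldapmodify step in a deployment script before an over-broad grant reaches the directory.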
5.3 Configuring Oracle Unified Directory (SSL) for Oracle Directory Integration Platform
Use the steps in the following order to configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform.
5.3.1 Configuring Oracle Unified Directory for SSL
You can configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following steps:
5.3.2 Configuring Oracle Directory Integration Platform for Oracle Unified Directory SSL
After configuring the Oracle Unified Directory (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform.
Complete the following steps:
- Import the trusted certificate that you exported in Configuring Oracle Unified Directory for SSL into the Oracle Directory Integration Platform JKS (the Java Keystore you created in Step 2).
keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore
For example:
keytool -importcert -trustcacerts -alias OUD2 -file /home/Middleware/asinst_1/OUD/config/server-cert.txt -keystore /home/Middleware/dip.jks
The system will prompt for a keystore password. Type the password for this keystore (enter the Java Keystore password that you created in Step 5).
- Update the Oracle Directory Integration Platform SSL configuration by running the following commands:
UNIX
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
Windows
ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
ORACLE_HOME\bin\manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
For more information, see Arguments for manageDIPServerConfig.
You can also log in to Enterprise Manager and update the Oracle Directory Integration Platform SSL configuration there.
Choose DIP > Server Properties, then set SSL Mode to 2 and the port value to the Oracle Unified Directory SSL port.
- Restart the Oracle WebLogic managed server.
Oracle Directory Integration Platform will now connect to Oracle Unified Directory in SSL Server authentication mode.
5.4 Verifying Oracle Directory Integration Platform
Verify the Oracle Directory Integration Platform installation using the dipStatus command, located in the $ORACLE_HOME/bin/ directory.
Note:
You must set the WL_HOME and ORACLE_HOME environment variables before executing the dipStatus and dipConfigurator commands.
The following is the syntax for the dipStatus command:
$ORACLE_HOME/bin/dipStatus -h localhost -p 7005 -D weblogic [-help]
- -h | -host identifies the Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.
- -p | -port identifies the listening port of the Oracle Directory Integration Platform Managed Server.
- -D | -wlsuser identifies the Oracle WebLogic Server login ID.
Note:
You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.
Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus
from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
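One way to apply the practice just described from a script, as an added example that is not part of the Oracle documentation: the POSIX shell function below takes the password from a WLS_PASSWORD environment variable (an assumed name; populate it from your secret store), writes it to a temporary file that only the current user can read, runs the given command with standard input redirected from that file, and removes the file afterwards even if the command fails or is interrupted. The child also receives the path in PW_FILE, so the same wrapper serves tools that take a password file argument such as the -j pwd-file option used earlier in this chapter. The demonstration at the end uses wc -c as a stand-in for dipStatus so that the example runs offline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation.
# Usage: WLS_PASSWORD=... run_with_password_file <command> [args...]
# e.g.   run_with_password_file "$ORACLE_HOME/bin/dipStatus" -h localhost -p 7005 -D weblogic

# Run "$@" with stdin redirected from a short-lived, mode 0600 file holding
# $WLS_PASSWORD. The file path is also exported to the child as PW_FILE.
run_with_password_file() {
    # umask inside the subshell so mktemp creates the file unreadable to others
    # without changing the caller's umask.
    pwfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/wlspw.XXXXXX") || return 1
    # Delete the file if the shell exits or is interrupted before cleanup below.
    trap 'rm -f "$pwfile"' EXIT INT TERM
    printf '%s\n' "$WLS_PASSWORD" > "$pwfile"
    PW_FILE="$pwfile" "$@" < "$pwfile"
    rc=$?
    rm -f "$pwfile"
    trap - EXIT INT TERM
    return $rc
}

# Stand-alone demonstration: "wc -c" stands in for dipStatus and only reports
# how many bytes it read, so the constructed password is never echoed.
WLS_PASSWORD="${WLS_PASSWORD:-constructed-demo-password}"
run_with_password_file wc -c
```

The password never appears in the process list (unlike a -w argument) and never persists on disk beyond the call; keeping the secret in an environment variable is still a compromise, so scope that variable to the script that needs it rather than exporting it shell-wide.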
You can also verify the Oracle Directory Integration Platform installation using the Oracle Enterprise Manager Fusion Middleware Control, as follows:
After you install and configure Oracle Directory Integration Platform, refer to Getting Started with Oracle Directory Integration Platform.
After configuring Oracle Unified Directory (back-end directory) non-SSL communication for Oracle Directory Integration Platform, you can synchronize or provision it with a connected directory, as described in Synchronization Using Oracle Directory Integration Platform or Provisioning with the Oracle Directory Integration Platform.