4 Managing the Oracle Directory Integration Platform
This chapter discusses the Oracle Directory Integration Platform and explains how to configure and manage it.
Topics:
- Understanding Operational Information About the Oracle Directory Integration Platform
- Viewing Oracle Directory Integration Platform Status and Registration Information
- Managing Oracle Directory Integration Platform Using Fusion Middleware Control
- Starting and Stopping Oracle Directory Integration Platform Using WLST
- Manage Oracle Directory Integration Platform Using manageDIPServerConfig
- About Oracle Unified Directory Configuration for SSL Mode
- About Oracle Directory Server Enterprise Edition Configuration for SSL Mode
- About Oracle Internet Directory Configuration for SSL Mode
- Managing the SSL Certificates of Back-End Directories and Connected Directories
- About Oracle Directory Integration Platform in a High Availability Scenario
- Understanding How to Manage Oracle Directory Integration Platform in a Replicated Environment
- dipStatus Utility
- manageDIPServerConfig Utility
See Also:
"About Oracle Directory Integration Platform" for a summary of the functions performed by the Oracle Directory Integration Platform
Note:
When synchronizing passwords, Oracle recommends using SSL for the connections from Oracle Directory Integration Platform to the back-end directory and to any connected directory, so that password values never cross the network in clear text.
4.1 Understanding Operational Information About the Oracle Directory Integration Platform
This section describes the structure and operation of the Oracle Directory Integration Platform.
Topics:
- What are Directory Integration Profiles?
- Understanding Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Back-end Directory Replication Environment
4.1.1 What are Directory Integration Profiles?
In Oracle Directory Integration Platform, you can create two types of profiles: a directory synchronization profile and a directory provisioning profile.
A directory synchronization profile describes how synchronization is carried out between the Oracle back-end directory and a connected directory. You can create two types of directory synchronization profiles: an import profile and an export profile. An import profile imports changes from a connected directory to the Oracle back-end directory while an export profile exports changes from the Oracle back-end directory to a connected directory. A directory provisioning profile describes the nature of provisioning-related notifications that Oracle Directory Integration Platform sends to the directory-enabled applications. Sometimes a provisioning profile is also configured to notify the Oracle back-end directory about the changes happening in the application's data source. Multiple profiles can be used at the same time.
Each type of profile is a special kind of directory integration profile: an entry in the Oracle back-end directory that describes how Oracle Directory Integration Platform communicates with external systems and what is communicated.
4.1.2 Understanding Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Back-end Directory Replication Environment
In a multimaster Oracle back-end directory environment, changes to directory synchronization profiles on one Oracle back-end directory node must be replicated or copied to any secondary nodes. This allows a directory synchronization profile to execute on a secondary node in the event of a problem on the primary node.
In a multimaster Oracle Unified Directory or Oracle Directory Server Enterprise Edition environment, if the suffix containing the DIP metadata is chosen for replication, the profiles are replicated automatically.
In a multimaster Oracle Internet Directory replication environment, however, changes to directory synchronization profiles on one Oracle Internet Directory node are not automatically replicated on other Oracle Internet Directory nodes. For this reason, you must copy the profiles on the primary node to any secondary nodes. For instructions, see the following section.
Note:
The value assigned to the orcllastappliedchangenumber attribute in a directory synchronization profile is local to the Oracle Internet Directory node where the profile is located. This means that if you copy a directory synchronization profile from one Oracle Internet Directory node to another, the correct state of synchronization or event propagation is not preserved unless you reset that value on the target node, as described in the next section.
4.1.2.1 Synchronizing Directory in an Oracle Back-end Directory Multimaster Replication Environment
If you copy the profiles on the primary node to any secondary nodes, update the lastchangenumber attribute with the value from the target node, as follows. This step needs to be done once, after the profile is set up.
This update is required if your Oracle back-end directory is Oracle Internet Directory. If your Oracle back-end directory is either Oracle Unified Directory or Oracle Directory Server Enterprise Edition, this step is only required if you copy the suffix containing DIP metadata from a primary node to secondary nodes instead of using replication.
1. Disable the synchronization profile.
2. Get the value of the lastchangenumber attribute on the target node using the ldapsearch command.
3. Use ldapsearch to get the LDIF dump of the profile entry.
4. Use ldapadd to add the profile to the other Oracle back-end directory instance.
5. Use the updatechgnum operation of the manageSyncProfiles command to update the lastchangenumber attribute in the export profile you copied to the target node with the value you obtained in Step 2.
6. Enable the synchronization profile.
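The following script is an added example, not code from the Oracle documentation, that drives Steps 2 through 5 above and then verifies that the copied profile carries the target node's change number. Three things in it are assumptions rather than facts stated on this page: the container DN under which synchronization profiles are stored, the orclodipagentname RDN attribute, and the -pf flag that names the profile for manageSyncProfiles; confirm each with manageSyncProfiles -help and an ldapsearch of your own directory before relying on it. No password ever appears on a command line: ldapsearch and ldapadd run with -q and manageSyncProfiles prompts, as this chapter recommends.

```python
"""Copy an export synchronization profile from a primary Oracle Internet Directory
node to a secondary node and reset its change-number bookmark (Steps 2-5).

Added example; assumptions not stated on the page are marked ASSUMPTION.
"""
import base64
import subprocess
import sys
import tempfile
from typing import Dict, List, Sequence, Tuple

# ASSUMPTION: location of synchronization profiles in Oracle Internet Directory.
PROFILE_CONTAINER = ("cn=subscriber profile,cn=changelog subscriber,"
                     "cn=oracle internet directory")


def parse_ldif(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]} (names lowercased).

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: ..."), both of which ldapsearch emits for profiles.
    """
    unfolded: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep or not name or name.startswith("#"):
            continue
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def profile_dn(profile_name: str) -> str:
    # ASSUMPTION: profiles are named by the orclodipagentname RDN.
    return f"orclodipagentname={profile_name},{PROFILE_CONTAINER}"


def ldapsearch_cmd(host: str, port: int, binddn: str, base: str,
                   attrs: Sequence[str] = ("*",)) -> List[str]:
    """Base-scope search; -q makes ldapsearch prompt for the bind password."""
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", binddn, "-q",
            "-s", "base", "-b", base, "objectclass=*", *attrs]


def root_dse_cmd(host: str, port: int, binddn: str) -> List[str]:
    """Step 2: lastchangenumber is published on the root DSE (empty base DN)."""
    return ldapsearch_cmd(host, port, binddn, "", ("lastchangenumber",))


def ldapadd_cmd(host: str, port: int, binddn: str, ldif_path: str) -> List[str]:
    return ["ldapadd", "-h", host, "-p", str(port), "-D", binddn, "-q", "-f", ldif_path]


def updatechgnum_cmd(wls_host: str, wls_port: int, wls_user: str, profile: str) -> List[str]:
    # ASSUMPTION: "-pf" names the profile; the WebLogic password is prompted for.
    return ["manageSyncProfiles", "updatechgnum", "-h", wls_host, "-p", str(wls_port),
            "-D", wls_user, "-pf", profile]


def run(cmd: List[str]) -> str:
    # stdin and stderr stay on the terminal so the password prompts still work;
    # a prompt printed to stdout is swallowed by the pipe but input is still read.
    return subprocess.run(cmd, check=True, text=True, stdout=subprocess.PIPE).stdout


def copy_export_profile(primary: Tuple[str, int], secondary: Tuple[str, int],
                        binddn: str, wls: Tuple[str, int, str], profile: str) -> bool:
    """Steps 2-5. Returns True when the copied profile's bookmark equals the
    secondary node's lastchangenumber. Disable the profile first (Step 1) and
    re-enable it afterwards (Step 6)."""
    target_lcn = parse_ldif(run(root_dse_cmd(*secondary, binddn)))["lastchangenumber"][0]
    dump = run(ldapsearch_cmd(*primary, binddn, profile_dn(profile)))
    if "dn" not in parse_ldif(dump):
        raise SystemExit(f"profile {profile!r} not found on {primary[0]}")
    with tempfile.NamedTemporaryFile("w", suffix=".ldif", delete=False) as f:
        f.write(dump)
        ldif_path = f.name
    run(ldapadd_cmd(*secondary, binddn, ldif_path))
    run(updatechgnum_cmd(*wls, profile))
    # Verify: without this reset the export would resume from the primary's
    # bookmark, which means nothing on the secondary node.
    copied = parse_ldif(run(ldapsearch_cmd(*secondary, binddn, profile_dn(profile),
                                           ("orcllastappliedchangenumber",))))
    applied = copied.get("orcllastappliedchangenumber", ["<missing>"])[0]
    print(f"target lastchangenumber={target_lcn} profile bookmark={applied}")
    return applied == target_lcn


if __name__ == "__main__":
    # usage: copy_profile.py PRIMARY:PORT SECONDARY:PORT BINDDN WLS_HOST:PORT WLS_USER PROFILE
    p_host, p_port = sys.argv[1].split(":")
    s_host, s_port = sys.argv[2].split(":")
    w_host, w_port = sys.argv[4].split(":")
    ok = copy_export_profile((p_host, int(p_port)), (s_host, int(s_port)), sys.argv[3],
                             (w_host, int(w_port), sys.argv[5]), sys.argv[6])
    sys.exit(0 if ok else 1)
```

The final comparison is the check that matters: if the bookmark printed for the copied profile does not equal the secondary node's lastchangenumber, the export profile will replay or skip changes once it is enabled there.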
4.1.2.2 About Directory Provisioning in an Oracle Unified Directory or Oracle Internet Directory Multimaster Replication Environment
In a default multimaster Oracle Unified Directory or Oracle Internet Directory replication environment, the Oracle Directory Integration Platform is installed in the same location as the primary Oracle Unified Directory or Oracle Internet Directory. If the primary node fails, event propagation stops for all profiles located on the node. Although the events are queued and not lost while the primary node is stopped, the events will not be propagated to any applications that expect them. To ensure that events continue to be propagated even when the primary node is down, you must copy the version 1.0 and version 2.0 directory provisioning profiles to other secondary nodes in a multimaster Oracle Unified Directory or Oracle Internet Directory environment. Version 3.0 directory provisioning profiles are automatically replicated.
Note:
Directory provisioning profiles should be copied from the primary node to any secondary nodes only immediately after an application is installed and before any user changes are made in Oracle Internet Directory.
To copy the directory provisioning profiles from a primary node to any secondary nodes, use the update operation of the manageSyncProfiles command.
Note:
See the "Oracle Directory Integration Platform Tools" chapter in Oracle Fusion Middleware Reference for Oracle Identity Management for more information on the manageSyncProfiles command.
4.2 Viewing Oracle Directory Integration Platform Status and Registration Information
You can use the dipStatus utility and the ldapsearch utility to view Oracle Directory Integration Platform status and registration information.
Topics:
- Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
- Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
4.2.1 Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
Run the dipStatus utility to view the status of Oracle Directory Integration Platform.
For more information, see dipStatus Utility.
4.2.2 Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
You can view registration information for the Oracle Directory Integration Platform component by running the ldapsearch utility and performing a base search on its entry.
Example:
ldapsearch -h backend_host -p backend_port -D cn=orcladmin -q -s base \
-b "cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext" objectclass=*
Note:
You will be prompted for the password.
This example search returns the following:
dn: cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext
userpassword: {SHA}+vk5wSvnVoXCBCRyBWJnH0S33zc=
orclaci: access to entry by self (add,delete,browse,proxy); access to attr=(*) by self (search,read,write,compare)
orclversion: 3.0
cn: odisrv
objectclass: orclodiserver
objectclass: top
authpassword;oid: {SASL/MD5}2NOnGTWkSP9c1w7R/o9Djw==
authpassword;oid: {SASL/MD5-DN}ezUTC3k7rSL41ZxdxhlXxw==
authpassword;oid: {SASL/MD5-U}kEQcl+/AZEXVukeA5YPnog==
The userpassword and authpassword values are the hashed credentials the server uses to bind as odisrv; treat captured output as sensitive and do not paste it into tickets or logs.
4.3 Managing Oracle Directory Integration Platform Using Fusion Middleware Control
You can use Oracle Enterprise Manager Fusion Middleware Control to manage Oracle Directory Integration Platform.
Topics:
- Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
- Starting Oracle Directory Integration Platform with Fusion Middleware Control
- Stopping Oracle Directory Integration Platform with Fusion Middleware Control
- Managing the Oracle Directory Integration Platform Server Configuration
- Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control
- Auditing Oracle Directory Integration Platform Using Fusion Middleware Control
4.3.1 Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
You can view runtime information for the Oracle Directory Integration Platform component using Oracle Enterprise Manager Fusion Middleware Control.
To do so, perform the following steps:
Tip:
To return to the Oracle Directory Integration Platform home page after navigating to other Oracle Directory Integration Platform pages in Oracle Enterprise Manager Fusion Middleware Control, click Home on the DIP Server menu.
4.3.2 Starting Oracle Directory Integration Platform with Fusion Middleware Control
You can start Oracle Directory Integration Platform by using Oracle Enterprise Manager Fusion Middleware Control.
Perform the following:
4.3.3 Stopping Oracle Directory Integration Platform with Fusion Middleware Control
You can stop Oracle Directory Integration Platform by using Oracle Enterprise Manager Fusion Middleware Control.
To do so, perform the following steps:
4.3.4 Managing the Oracle Directory Integration Platform Server Configuration
You can configure the Oracle Directory Integration Platform Server refresh interval and the settings for the connection to the Oracle back-end directory using Oracle Enterprise Manager Fusion Middleware Control.
To do so, perform the following:
4.3.5 Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control
Oracle Enterprise Manager Fusion Middleware Control allows you to list, search, and configure log files across Oracle Fusion Middleware components.
You can view log files from Oracle Enterprise Manager Fusion Middleware Control or download log files and view them using another tool. You can also list and search log files using the WLST command-line tool.
Note:
See Managing Log Files and Diagnostic Data in Oracle Fusion Middleware Administering Oracle Fusion Middleware for complete information on logging using Oracle Enterprise Manager Fusion Middleware Control.
4.3.6 Auditing Oracle Directory Integration Platform Using Fusion Middleware Control
Oracle Directory Integration Platform utilizes the Oracle Fusion Middleware Audit Framework of the Oracle Platform Security Services for compliance, monitoring, and analytic purposes. Using Oracle Enterprise Manager Fusion Middleware Control, you can view, search, and manage audit data and event settings for Oracle Directory Integration Platform.
See Introduction to Oracle Fusion Middleware Audit Framework in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
4.4 Starting and Stopping Oracle Directory Integration Platform Using WLST
You can start and stop Oracle Directory Integration Platform from the command line using the WebLogic Scripting Tool (WLST) by connecting to the WebLogic Admin Server and executing the startApplication("DIP") and stopApplication("DIP") commands.
See:
- The Oracle Fusion Middleware Oracle WebLogic Scripting Tool for information on how to use the WLST command-line tool.
- The Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information on WLST command syntax.
4.5 Manage Oracle Directory Integration Platform Using manageDIPServerConfig
The Manage DIP Server Configuration utility, manageDIPServerConfig, allows you to manage the Oracle Directory Integration Platform server configuration.
For more information, see manageDIPServerConfig Utility.
Note:
- Best security practice is to provide a password only in response to a prompt from the command.
- You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.
- The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
4.6 About Oracle Unified Directory Configuration for SSL Mode
For more information, see Configuring Oracle Unified Directory (SSL) for Oracle Directory Integration Platform.
4.7 About Oracle Directory Server Enterprise Edition Configuration for SSL Mode
For more information, see Configuring Oracle Directory Server Enterprise Edition (SSL) for Oracle Directory Integration Platform.
4.8 About Oracle Internet Directory Configuration for SSL Mode
For more information, see Configuring Oracle Internet Directory (SSL) for Oracle Directory Integration Platform.
Note:
The following information describes SSL configuration for a single component. If you are configuring SSL for multiple components, you can use the Oracle SSL Automation Tool, which enables you to configure SSL for multiple components using a domain-specific CA.
Refer to Configuring SSL in Oracle Fusion Middleware in Oracle Fusion Middleware Administering Oracle Fusion Middleware for complete information about the Oracle SSL Automation Tool.
4.9 Managing the SSL Certificates of Back-End Directories and Connected Directories
The Oracle Directory Integration Platform can use SSL to connect to the Oracle back-end directory and to connected directories. When using SSL with no authentication to connect to the Oracle back-end directory, no certificate is required. However, when connecting to the Oracle back-end directory using SSL with server authentication, you need a trust-point certificate (the CA certificate that issued the LDAP server's certificate) to connect to the LDAP server. The Oracle Directory Integration Platform expects the certificate to be in a Java Keystore (JKS).
You can use the manageDIPServerConfig command with the keystorelocation argument to manage the keystore location, and you can use the WLST Credential Store commands with map="dip" and key="jksKey" to manage the keystore password.
See Also:
- "Manage Oracle Directory Integration Platform Using manageDIPServerConfig" for more information about the manageDIPServerConfig command.
- Oracle Fusion Middleware Administrator's Guide for more information about managing keystores using WLST.
Detecting and Removing an Expired Certificate
You can use the keytool utility in the $JAVA_HOME/bin directory to detect and remove expired certificates from the Oracle Directory Integration Platform keystore.
To list the trusted certificates in the keystore together with their validity dates, execute the keytool utility as follows:
$JAVA_HOME/bin/keytool -list -v -keystore PATH_TO_KEYSTORE
To delete a trusted certificate (here, the one stored under the alias mycert) from the keystore, execute the keytool utility as follows:
$JAVA_HOME/bin/keytool -delete -alias mycert -keystore PATH_TO_KEYSTORE
Note:
You will be prompted for the keystore password while executing these commands. If you remove an expired trust-point certificate, import its replacement before the next SSL connection with server authentication to that directory, otherwise the connection fails.
For general information about certificate expiration, see Chapter 7, "Managing Keystores, Wallets, and Certificates," of the Oracle Fusion Middleware Administrator's Guide.
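Reading the validity dates out of a long keytool -list -v listing by eye is error-prone, so the following added example (not part of the Oracle documentation) parses that listing, reports every entry as expired, expiring within a warning window, or ok, and prints the keytool -delete command for the expired ones. It assumes keytool's English output format ("Alias name:" and "Valid from: ... until: ..." lines) and reads the dates as UTC, which holds when keytool is run with -J-Duser.timezone=UTC as the script does. SAMPLE_LISTING and SAMPLE_NOW are constructed for illustration, not captured from a real keystore.

```python
"""Flag expired and soon-to-expire certificates in a JKS keystore from
"keytool -list -v" output. Added example; not Oracle's code."""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 05 00:00:00 UTC 2025"
UNTIL_RE = re.compile(
    r"until: \w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ (\d{4})")

# Constructed sample of keytool -list -v output (three trusted-cert entries).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: backendca
Creation date: Jan 5, 2024
Entry type: trustedCertEntry

Owner: CN=Backend CA, O=Example
Issuer: CN=Backend CA, O=Example
Serial number: 1
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 05 00:00:00 UTC 2025

Alias name: connectedca
Entry type: trustedCertEntry
Valid from: Thu Jun 20 00:00:00 UTC 2024 until: Fri Jun 20 00:00:00 UTC 2025

Alias name: rootca
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 23:59:59 UTC 2030
"""
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_until(line: str) -> Optional[datetime]:
    """Extract the not-after timestamp from a 'Valid from: ... until: ...' line."""
    m = UNTIL_RE.search(line)
    if not m:
        return None
    mon, day, hh, mm, ss, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                    tzinfo=timezone.utc)  # zone token ignored: run keytool in UTC


def check_expiry(listing: str, now: datetime, warn_days: int = 30) -> List[Tuple[str, int, str]]:
    """Return (alias, days_left, status) per entry; status is expired/expiring/ok.

    Only the first validity line after each alias is used, so for a
    PrivateKeyEntry that is the leaf certificate of its chain.
    """
    results: List[Tuple[str, int, str]] = []
    alias: Optional[str] = None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:") and alias is not None:
            until = parse_until(line)
            if until is None:
                continue
            remaining = until - now
            if remaining <= timedelta(0):
                status = "expired"
            elif remaining <= timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "ok"
            results.append((alias, remaining.days, status))
            alias = None
    return results


def delete_cmd(keystore: str, alias: str) -> List[str]:
    # keytool prompts for the keystore password; nothing secret on the command line
    return ["keytool", "-delete", "-alias", alias, "-keystore", keystore]


def sample_report() -> List[Tuple[str, int, str]]:
    return check_expiry(SAMPLE_LISTING, SAMPLE_NOW)


def main(keystore: str, warn_days: int = 30) -> int:
    # keytool prompts for the keystore password on the terminal; the prompt text
    # may be swallowed by the pipe, but the password is still read from stdin.
    listing = subprocess.run(
        ["keytool", "-J-Duser.timezone=UTC", "-list", "-v", "-keystore", keystore],
        check=True, text=True, stdout=subprocess.PIPE).stdout
    worst = 0
    for alias, days, status in check_expiry(listing, datetime.now(timezone.utc), warn_days):
        print(f"{status:8} {alias:30} {days:6d} days")
        if status == "expired":
            print("   remove with:", " ".join(delete_cmd(keystore, alias)))
        worst = max(worst, {"ok": 0, "expiring": 1, "expired": 2}[status])
    return worst  # 0 ok, 1 something expiring, 2 something expired


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 30))
```

Run it as check_keystore.py PATH_TO_KEYSTORE [WARN_DAYS]; the exit status makes it usable from a scheduled job, and the warning window gives time to import a replacement trust-point certificate before the old one is removed.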
4.10 About Oracle Directory Integration Platform in a High Availability Scenario
For more information, see Oracle Directory Integration Platform High Availability in Oracle Fusion Middleware High Availability Guide.
4.11 Understanding How to Manage Oracle Directory Integration Platform in a Replicated Environment
For provisioning and synchronization purposes, a replicated directory is treated as a directory distinct from the master directory.
Any profiles created in the original directory need to be re-created in the new directory, and all configuration must be performed as it was in the original directory.
4.12 dipStatus Utility
The dipStatus utility, located in the ORACLE_HOME/bin directory, allows you to check the status of Oracle Directory Integration Platform and whether or not it is registered.
Note:
- Best security practice is to provide a password only in response to a prompt from the command.
- You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.
- The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
dipStatus Syntax
dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-help]
Arguments for dipStatus
The following table describes the arguments for the dipStatus utility.
Table 4-1 dipStatus Utility Arguments
Argument | Description |
---|---|
-h, -host | Oracle WebLogic Server where Oracle Directory Integration Platform is deployed. |
-p, -port | Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. |
-D, -wlsuser | Oracle WebLogic Server login ID. Note: You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute |
-ssl | Executes the command in SSL mode. Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. For more information, see "Configuring SSL" in Oracle Fusion Middleware Securing Oracle WebLogic Server. |
-keystorePath | The full path to the keystore. |
-keystoreType | The type of the keystore identified by -keystorePath. |
-help | Provides usage help for the command. |
Examples for dipStatus
The following shows examples of the dipStatus utility command:
dipStatus -h myhost.mycompany.com -p 7005 -D login_ID
dipStatus -help
4.13 manageDIPServerConfig Utility
Use the manageDIPServerConfig utility to manage the Oracle Directory Integration Platform server configuration. This utility is located in the ORACLE_HOME/bin directory.
manageDIPServerConfig Syntax
manageDIPServerConfig {get | set} -h HOST -p PORT -D wlsuser -attribute {sslmode | refreshinterval | quartzthreadcount | quartzdbretryinterval | backendhostport | keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-value ATTRIBUTE_VALUE] [-help]
Arguments for manageDIPServerConfig
The following table describes the arguments for the manageDIPServerConfig utility.
Table 4-2 manageDIPServerConfig Utility Arguments
Argument | Description |
---|---|
get, set | Operation to perform: get reads the attribute, set writes it. |
-h, -host | Oracle WebLogic Server where Oracle Directory Integration Platform is deployed. |
-p, -port | Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed. |
-D, -wlsuser | Oracle WebLogic Server login ID. Note: You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument. Best security practice is to provide a password only in response to a prompt from the command. If you must execute |
-attr, -attribute | Identifies the attribute that the get or set operation acts on: sslmode, refreshinterval, quartzthreadcount, quartzdbretryinterval, backendhostport, or keystorelocation. |
-ssl | Executes the command in SSL mode. Note: The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. For more information, see "Configuring SSL" in Oracle Fusion Middleware Securing Oracle WebLogic Server. |
-keystorePath | The full path to the keystore. |
-keystoreType | The type of the keystore identified by -keystorePath. |
-val, -value | The value to set for the attribute. This parameter is required with the set operation. |
-help | Provides usage help for the command. |
Tasks and Examples for manageDIPServerConfig
manageDIPServerConfig get -h myhost.mycompany.com -p 7005 -D login_ID \
-attr sslmode
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
-attr sslmode -val 2
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
-attr backendhostport -value backend_host:backend_SSL_port