9 Managing System Configuration Attributes
wlst), LDAP tools, and Oracle Directory Services Manager (ODSM). For information about the attributes that control the Oracle Internet Directory replication server, see Managing Replication Configuration Attributes.
9.1 Managing System Configuration Attributes
This section describes how to manage the various system configuration attributes.
9.1.1 About Configuration Attributes
Most Oracle Internet Directory configuration information is stored in the directory itself. The information is stored as attributes of specific configuration entries. You must have superuser privileges to set system configuration attributes.
Some configuration attributes are specific to an individual instance of the Oracle Internet Directory server. Instance-specific attributes are located in the instance-specific configuration entry, a specific subentry of the Oracle Internet Directory instance entry. Figure 8-1 shows the location of these entries in the DIT.
Some configuration attributes are shared by all Oracle Internet Directory server instances in a WebLogic Server domain that are connected to the same database. Shared attributes reside in the DSA Configuration entry. Replication-specific attributes reside in the Replica Subentry, Replication Configuration, and Replication Agreement Entry.
Some attributes reside in the DSE Root. Most of those are non-configurable.
See Understanding Process Control of Oracle Internet Directory Components
Note:
Oracle Internet Directory configuration attributes, either instance-specific or shared attributes, are not replicated. For example, computed attribute definitions from OrclComputedAttribute are stored in the DSA Configuration entry and are not replicated. If your deployment requires configuration attributes to be replicated, you must replicate them manually.
You can manage all the configuration attributes from the command line. In addition, many of the configuration attributes have specific, task-oriented management interfaces in Oracle Enterprise Manager Fusion Middleware Control or Oracle Directory Services Manager. You can also use the Data Browser feature of Oracle Directory Services Manager to manage the entries directly.
9.1.2 About Operational Attributes
Do not confuse configuration attributes with operational attributes. Operational attributes have special meaning to the directory server and they are used for storing information needed for processing by the server itself or for holding other data maintained by the server that is not explicitly provided by clients. These are attributes that are maintained by the server and either reflect information the server manages about an entry or affect server operation.
Operational attributes are not returned by a search operation unless you specifically request them by name or with the "+" option in the search request. See Listing Operational Attributes by Using ldapsearch for more information.
Examples of operational attributes include the time stamp for an entry and the state values needed for enforcing password policies, described in Operational Attributes of User Entry. You cannot modify operational attributes.
From 11g Release 1 (11.1.1.9.0) onward, Oracle Internet Directory server returns the numsubordinate operational attribute, which specifies the number of child entries under the given base DN.
Note:
By default, the numsubordinate operational attribute is not returned when you specify the + option in the search request. You must explicitly set the orcldseecompatible flag to 1 in the cn=dsaconfig,cn=configsets,cn=oracle internet directory entry.
9.1.3 Attributes of the Instance-Specific Configuration Entry
During installation, Oracle Identity Management Installer creates an instance-specific configuration entry for the first Oracle Internet Directory instance.
It copies default values from a read-only entry under cn=configset0. (You can specify different values for the SSL and non-SSL ports during the install.)
The DN of an instance-specific configuration entry has the form:
cn=componentname,cn=osdldapd,cn=subconfigsubentry
For example, if the component name for a server instance is oid1, then the DN of the instance-specific configuration entry would be:
cn=oid1,cn=osdldapd,cn=subconfigsubentry
Table 9-1 lists the attributes of the instance-specific configuration entry. The Update Mechanism column contains the following abbreviations:
- EM – Oracle Enterprise Manager Fusion Middleware Control. See Managing System Configuration Attributes by Using Fusion Middleware Control.
- WLST – WebLogic Scripting Tool. See Managing System Configuration Attributes by Using WLST.
- LDAP – LDAP command-line tools, such as ldapmodify and ldapadd. See Managing System Configuration Attributes by Using LDAP Tools.
Table 9-1 Attributes of the Instance-Specific Configuration Entry
| Attribute | Description | Update Mechanism | Default | Possible Values |
|---|---|---|---|---|
|  | Number of Server Processes. Restart the server after changing. See Understanding Process Control of Oracle Internet Directory Components. | EM, LDAP, WLST | 1 | Integer, up to 1024. |
|  | Preserve the case of required attribute names specified in an | EM, LDAP | 0 | 0: Do not preserve attribute case; 1: Preserve attribute case |
|  | Hostname or IP address. | LDAP | Set during install | Host or IP address |
|  | Non-SSL port. See Configuring Server Properties. If you change the port number, restart the server. See Managing Oracle Internet Directory Instances. | EM, LDAP, WLST | 3060 | Port number |
|  | SSL port. See Configuring Server Properties. If you change the port number, restart the server. See Managing Oracle Internet Directory Instances. | EM, LDAP, WLST | 3131 | Port number |
|  | Distinguished name (DN) of a connection that causes Oracle Internet Directory server to log messages for operations performed by the specified connection DN, if | EM, LDAP, WLST | None | Multi-valued attribute that can specify one or more connection DNs. |
|  | Connection IP address that causes Oracle Internet Directory server to log messages for operations performed by the specified connection IP address, if | EM, LDAP, WLST | None | Multi-valued attribute that can specify one or more connection IP addresses. |
|  | Maximum time allowed in a transaction (seconds). See Using LDAP Transactions in Application Developer's Guide for Oracle Identity Management and Configuring Server Properties. | EM, LDAP, WLST | 0 | Positive integer (seconds) |
|  | Maximum number of operations allowed in a transaction. See Using LDAP Transactions in Application Developer's Guide for Oracle Identity Management and Configuring Server Properties. | EM, LDAP, WLST | 0 | Positive integer |
|  | Server Mode | EM, LDAP, WLST | rw | R: read-only; rw: read/write; rm: read-modify |
|  | A comma-separated list of events and category names to be audited. Custom events are only applicable when | EM, LDAP, WLST | Empty | Examples include: Authentication.SUCCESSESONLY, Authorization(Permission -eq 'CSFPermission') |
|  | Replaces the audit levels used in 10g (10.1.4.0.1) and earlier releases. See Managing Auditing. | EM, LDAP, WLST | None |  |
|  | A comma separated list of users for whom auditing is always enabled, even if | EM, LDAP, WLST | Empty | Valid users. For example: cn=orcladmin |
|  | Associates a port number with an IP address in order to allow Oracle Internet Directory servers to communicate with each other in a cluster environment when cached data is changed. | LDAP | None | Port number and IP address. See Configuring IP Addresses for Notifications in a Cluster. |
|  | Debug Flag. See Managing Logging. | EM, LDAP, WLST | 0 | 0 ~ 117440511. See Table 24-3. |
|  | Force flush debug messages. See Managing Logging. | LDAP | 0 | 0: Disable; 1: Enable |
|  | Operations Enabled for Debug. See Managing Logging. | EM, LDAP, WLST | 511 | See Table 24-4. |
|  | Maximum Number of Log Files to Keep in Rotation. See Managing Logging. | EM, LDAP, WLST | 100 | Integer |
|  | Maximum Log File Size (MB). See Managing Logging. | EM, LDAP, WLST | 1 MB | Size, in MB |
|  | Statistics collection event level | EM, LDAP, WLST | 0 | See Table 25-5. |
|  | Security event tracking level | EM, LDAP, WLST | 0 |  |
|  | Flag to turn on or off OID statistics data | EM, LDAP, WLST | 1 | 0: disable; 1: enable |
|  | Enable user statistics collection | EM, LDAP, WLST | 0 | 0: disable; 1: enable |
|  | Frequency of flushing statistics to data bases | EM, LDAP, WLST | 30 | 60 |
|  | SSL Authentication. Restart the server after changing. | EM, LDAP, WLST | 1 | 1: No SSL authentication; 32: One-way authentication; 64: Two-way authentication |
|  | SSL Cipher Suite. Restart the server after changing. | EM, LDAP, WLST | Empty | See Table 28-1, left column. |
|  | SSL Enable. Restart the server after changing. Set | EM, LDAP, WLST | 2 | 0: Non-SSL only; 1: SSL only; 2: Non-SSL & SSL mode |
|  | SSL Interoperability Mode. Restart the server after changing. | LDAP | 0 | 0: disabled; 1: enabled |
|  | SSL Version. Restart the server after changing. | EM, LDAP, WLST | 3 | 3 |
|  | SSL Wallet URL. Restart the server after changing. | EM, LDAP, WLST | File | SSL wallet file location. |
|  | Allow Anonymous binds | EM, LDAP, WLST | 2 | See Table 34-5. |
|  | SASL Authentication Mode. Restart the server after changing. | EM, LDAP, WLST | 1 | auth, auth-int, auth-conf. Specify all three or a subset of these 3 as a comma separated string. |
|  | SASL Cipher Choice. Restart the server after changing. | EM, LDAP, WLST | Rc4-56,rc4-40,rc4,des,3des | Any combination of Rc4-56, des, 3des, rc4, rc4-40 |
|  | SASL Mechanism. Restart the server after changing. | EM, LDAP, WLST | DIGEST-MD5, EXTERNAL | DIGEST-MD5, EXTERNAL |
|  | DIT Masking. See Managing DIT Masking. | LDAP | No value | List of DIT subtrees. |
|  | DIT Masking. See Managing DIT Masking. | LDAP | No value | LDAP attribute filter. |
|  | DIT Masking. See Managing DIT Masking. | LDAP | No value | List of attributes, possibly preceded by |
|  | Maximum number of dispatcher threads per server process. See Oracle Internet Directory Performance Tuning in Tuning Performance. Restart server after changing. | EM, LDAP, WLST | 1 | Integer (Max 16) |
|  | LDAP Connection Timeout, in minutes. See LDAP Server Attributes in Tuning Performance. | EM, LDAP, WLST | 0 | Integer. Note: Users configured for statistics tracking do not time out as per this setting. |
|  | Maximum Number of DB Connections. See Oracle Internet Directory Performance Tuning in Tuning Performance. Restart the server after changing. | EM, LDAP, WLST | 2 | Integer, maximum 128 |
|  | Maximum number of cached user group connections. See Oracle Internet Directory Performance Tuning in Tuning Performance. | EM, LDAP, WLST | 100000 | Integer |
|  | Maximum number of concurrent connections per server process. See Oracle Internet Directory Performance Tuning in Tuning Performance. | EM, LDAP, WLST | 1024 | Int (Max system max file descriptors per process) |
|  | Maximum Time in seconds for Server process to respond back to Dispatcher process. See Oracle Internet Directory Performance Tuning in Tuning Performance. | EM, LDAP, WLST | 0 seconds | Number of Seconds. 0: Dispatcher does not detect the server hang. |
|  | Maximum time in seconds for OID Server to wait for LDAP client respond to a Read/Write operation. See Timeout for Write Operations in Tuning Performance. | EM, LDAP, WLST | 30 seconds | Integer |
|  | Maximum number of bytes of RAM that security events tracking can use for each type of operation. See Tuning Security Event Tracking in Tuning Performance. | LDAP | 100000000 Bytes | Available RAM, in bytes |
| Subtype: | Number of in-memory cache containers for storing information about users performing operations. See Tuning Security Event Tracking in Tuning Performance. | LDAP | 256 | Integer |
| Subtype: | Number of in-memory cache containers for storing information about users whose user password is compared and tracked when detailed compare operation statistics is programmed. See Tuning Security Event Tracking in Tuning Performance. | LDAP | 256 | Integer |
|  | Maximum number of plug-in worker threads per server process. Restart the server after changing. See Oracle Internet Directory Performance Tuning in Tuning Performance. | EM, LDAP, WLST | 2 | Int (Max 64) |
|  | Number of entries that can be returned in an See Number of Entries to be Returned by a Search in Tuning Performance. | LDAP | 10000 | Integer |
|  | Maximum time that server can spend for a given | EM, LDAP, WLST | 3600 | Integer (seconds) |
|  | Generate stack dump. | LDAP | 0 | 0: Generate stack trace file. 1: Do not generate stack trace file, but generate a core file. |
|  | Evaluates whether Oracle Internet Directory should skip the processing of special characters specified in filter values during a search operation. | LDAP | 0 | 0: Process the special characters specified in the filter value. 1: Do not process the special characters specified in the filter value. |
|  | Allows you to specify the SSL/TLS version to be used. | LDAP | 24 | 0: All Supported Protocols; 2: For SSL v3.0; 4: For TLS 1.0; 8: For TLS 1.1; 16: For TLS 1.2; 24: For TLS 1.1 or TLS 1.2. Note: The attribute is additive in nature. This implies that it allows you to add more than one protocol by specifying the corresponding value. For more information, see Supported Protocol Versions. |
9.1.4 Attributes of the DSA Configuration Entry
This section describes the attributes in the DSA configuration entry.
The DSA configuration entry has the DN:
cn=dsaconfig,cn=configsets,cn=oracle internet directory
Table 9-2 shows shared attributes in the DSA configuration entry. The Update Mechanism column contains the following abbreviations:
- EM – Oracle Enterprise Manager Fusion Middleware Control. See Managing System Configuration Attributes by Using Fusion Middleware Control.
- LDAP – LDAP command-line tools, such as ldapmodify and ldapadd. See Managing System Configuration Attributes by Using LDAP Tools.
Note:
DSA is an X.500 term for the directory server.
Table 9-2 Attributes in the DSA Configuration Entry
| Attribute | Description | Update Mechanism | Default | Possible Values |
|---|---|---|---|---|
|  | Maximum number of connections allowed for an LDAP persistent search operation. | EM, LDAP, WLST | 0 | Integer, up to 1024. |
|  | IP address that causes Oracle Internet Directory server to reject any new connections and close any existing connections from that IP address. | EM, LDAP | None | IP address |
|  | Mechanism to dynamically compute a configurable attribute and its value based on specific rules. | LDAP | None | Multi-valued attribute |
|  | Time in microseconds after which any Oracle Internet Directory server operations that exceed this time are logged to the alert log. | EM, LDAP | 10000000 microseconds. Minimum is 10 microseconds. | Microseconds |
|  | Frequency in minutes at which Oracle Internet Directory server calls | LDAP | 20 minutes | Integer. 0: No |
|  | For zero downtime patching, The value of this attribute is in minutes. | LDAP | 0 | Integer. 0: Disabled |
|  | Maximum Filter Size | EM, LDAP | 24576 | Integer |
|  | Refresh Dynamic Group Memberships. See Managing Dynamic and Static Groups in Oracle Internet Directory. | LDAP | 0 | 1: Cause a refresh. Server will reset it to 0. |
|  | Index attributes on first search. See Index option in Oracle Internet Directory to Search Attributes. | EM, LDAP | 1 | 0: Disabled; 1: Enabled |
|  | Referential Integrity. See Configuring Referential Integrity. | EM, LDAP | 0 | 0: Disabled; 1: Enabled |
|  | User DNs for statistics collection. See Monitoring Oracle Internet Directory. | EM, LDAP | Empty | DNs of entries |
|  | Sensitive attributes encrypted when returned | LDAP | 0 | 0: Disabled; 1: Enabled |
|  | Sensitive attributes stored in encrypted format. | LDAP | See Table 29-1. | Attributes |
|  | Attributes stored in hashed format. | EM, LDAP | Empty | Attributes |
|  | PKI Matching Rule for mapping user's PKI certificate DN to the user's entry DN. See Managing Authentication. | EM, LDAP | 2 | 0: Exact match. 1: Certificate search. 2: Combination of 0 and 1. 3: Mapping rule only. 4: Try in order: 3, 2 |
|  | Whether to generate change logs for user operations. See Managing and Monitoring Replication and Oracle Internet Directory Performance Tuning in Tuning Performance. | LDAP | 1 | 1: enable; 0: disable |
|  | Options passed to the JVM when a server plug-in is invoked. See Developing Plug-ins for the Oracle Internet Directory Server. | EM, LDAP | -Xmx64M | Valid JVM options |
|  | Search Filters to be processed in memory. See Optimizing Performance of Complex Search Filters in Tuning Performance. | EM, LDAP | See list in Tuning Performance | Valid search filters |
|  | Whether to provide detailed MatchDN information when base DN of a search is not present. See Oracle Internet Directory Performance Tuning in Tuning Performance. | EM, LDAP | 1 | 0: Do not match, but validates if baseDN exists in the database; 1: Match; 2: Perform no DB check for existence of base DN |
|  | Skewed attributes. Server restart recommended after changing. See Optimizing Searches for Skewed Attributes in Tuning Performance. | EM, LDAP | objectclass | List of attributes |
|  | Skip referral for search. Server restart recommended after changing. See LDAP Server Attributes in Tuning Performance. | EM, LDAP | 0 | 0: Disabled; 1: Enabled |
|  | Specify search time limit mode to be either accurate or approximate. See Oracle Internet Directory Performance Tuning in Tuning Performance. | LDAP | 0 | 0: Accurate; 1: Approximate |
|  | Size in bytes of the Result Set cache or Metadata cache, as indicated by the subtype (rs or md). Requires a server restart to take effect. | LDAP | Result Set cache: 64 MB (64 MB is also the minimum cache size); Metadata cache: 128 MB (128 MB is also the minimum cache size). | Subtype: rs (Result Set cache) or md (Metadata cache). Size: M (megabytes) or G (gigabytes). |
|  | Enable or disable the Entry Cache or Result Set Cache. See Server Entry Cache in Tuning Performance. | EM, LDAP, WLST | 2 | 0: Disable both caches; 1: Enable Entry Cache only; 2: Enable both caches; 4: Pre-load cache data during server start up time or when cache is destroyed. Oracle Internet Directory servers rebuild the cache when Note: Entry cache pre-load is based on |
|  | Maximum Entries in Entry Cache. See Server Entry Cache in Tuning Performance. | EM, LDAP, WLST | 100000 | Integer |
|  | Entry Cache Size in bytes. See Server Entry Cache in Tuning Performance. | EM, LDAP, WLST | 1024 Megabytes or 1 Gigabyte | Size: M (megabytes) or G (gigabytes). For example: 1024M |
|  | Result Set Cache Attributes. See Result Set Cache in Tuning Performance. | EM, LDAP, WLST | cn uid orclguid | Multi-valued attribute that specifies the Result Set Cache attributes. Typically these attributes are not modified for the life of the entry. If an attribute has referential integrity enabled, that attribute should not be used. |
|  | Enable/Disable Group cache. See Enabling the Group Cache in Tuning Performance. | LDAP | 1 | 1: Enable; 0: Disable |
|  | If | None |  |  |
|  | Mechanism to dynamically configure throttling policies. | LDAP | None | Multi-valued attribute |
9.1.5 Attributes of the DSE
The DSA-specific entry (DSE) is the root of the DIT. This is where Oracle Internet Directory publishes information about itself, such as naming contexts, supported controls, and matching rules. Most attributes of the DSE should not be modified directly.
Note:
Beginning with Oracle Internet Directory 11g Release 1 (11.1.1.6.0), the orclcompatibleversion DSE attribute contains the Oracle Internet Directory version. This attribute is multi-valued. The values can be:
- orclcompatibleversion: 11.1.1.6.0
- orclcompatibleversion: 11.1.1.7.0
- orclcompatibleversion: 11.1.1.9.0
- orclcompatibleversion: 12.2.1.3.0
Do not modify orclcompatibleversion. It must be present for Oracle Internet Directory to work with its respective schema.
Some DSE attributes that you might need to modify are listed in Table 9-3.
Table 9-3 Attributes of the DSE
| Attribute | Description | Update Mechanism | Default | Possible Values |
|---|---|---|---|---|
|  | Naming contexts. See Managing Naming Contexts in Oracle Internet Directory. | LDAP | c=us dc=com | Any valid naming context. |
|  | Referral specification. See Managing Knowledge References and Referrals. | LDAP |  |  |
|  | Access control at the root DSE level. See Managing Directory Access Control. | LDAP |  |  |
|  | Hashing algorithm for protecting passwords. See Managing Password Verifiers. | LDAP | SSHA | MD4, MD5, SHA, SSHA, SHA256, SHA384, SHA512, SSHA256, SSHA384, SSHA512, SMD5, UNIX Crypt |
|  | Contains DN of password policy governing the DSE root. See Managing Password Policies. | LDAP | cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext |  |
|  | List of multivalued attributes for which change logs contain only changes, not lists of all values. See Change Logs in Directory Replication. | LDAP |  | Multivalued attributes |
9.2 Managing System Configuration Attributes by Using Fusion Middleware Control
You can view and set most of the configuration attributes for an Oracle directory server by using Oracle Enterprise Manager Fusion Middleware Control.
9.2.1 Configuring Server Properties
You can configure attributes using the Oracle Internet Directory Server Properties pages of Fusion Middleware Control. The options on the Server Properties pages, such as General and Performance, are listed in the following sections.
9.2.1.1 Configuring Server Properties
You can configure most of the attributes in the instance-specific configuration entry by using the Oracle Internet Directory Server Properties pages of Fusion Middleware Control as follows:
- Select Administration, then Server Properties from the Oracle Internet Directory menu.
- Select General, Performance, SASL, Statistics, or Logging, depending on which parameters you want to configure.
- After changing the configuration, choose Apply.
9.2.1.2 General Options in Configuring Server Properties
The correspondence between server properties and configuration attributes on the General tab of the Server Properties page is shown in Table 9-4.
Table 9-4 Configuration Attributes on Server Properties Page, General Tab.
| Field or Heading | Configuration Attribute |
|---|---|
| Server Mode |  |
| Maximum number of entries to be returned by a search |  |
| Maximum time allowed for a search to complete (sec) |  |
| Preserve Case of Required Attribute Name specified in Search Request |  |
| Anonymous Bind |  |
| Maximum time allowed in a Transaction (sec) |  |
| Maximum Number of Operations allowed in a Transaction |  |
| Non-SSL Port |  |
| SSL Port |  |
9.2.1.3 Performance Options in Configuring Server Properties
The correspondence between server properties and configuration attributes on the Performance tab of the Server Properties page is shown in Table 9-5.
Table 9-5 Configuration Attributes on Server Properties Page, Performance Tab
| Field or Heading | Configuration Attribute |
|---|---|
| Number of OID LDAP Server Processes |  |
| Number of DB Connections per Server Process |  |
| Number of users in privilege Group membership Cache |  |
| LDAP Idle Connection Timeout (minutes) |  |
| OID server Network Read/Write Retry Timeout (sec) |  |
| Maximum Number of LDAP connections per Server Process |  |
| Maximum Time in seconds for Server process to respond back to Dispatcher process |  |
| Number of Dispatcher Threads per Server Process |  |
| Number of Plug-in Threads per Server Process |  |
| Enable Change Log Generation |  |
Restart the server after changing orclserverprocs, orclmaxcc, orcldispthreads, or orclpluginworkers.
9.2.1.4 SASL Tab of Server Properties
The correspondence between server properties and configuration attributes on the SASL tab of the Server Properties page is shown in Table 34-2.
9.2.1.5 Statistics Tab of Server Properties
The correspondence between server properties and configuration attributes on the Statistics tab of the Server Properties page is shown in Table 25-2.
9.2.1.6 Logging Tab of Server Properties
The correspondence between server properties and configuration attributes on the Logging tab of the Server Properties page is shown in Table 24-2.
9.2.2 Configuring Shared Properties
You can configure some of the shared system configuration attributes in the DSA configuration entry by using the Oracle Internet Directory Shared Properties page of Fusion Middleware Control.
9.2.2.1 Configuring Shared Properties
To configure some of the shared system configuration attributes in the DSA configuration entry, select Administration, then Shared Properties, then select General, Change Superuser Password, or Replication from the Oracle Internet Directory menu. After changing the configuration, choose Apply.
9.2.2.2 Configuration Attributes in General Properties
Table 9-6 lists the configuration attributes available in the General Tab on the Shared Properties Tab.
Table 9-6 Configuration Attributes on Shared Properties Page, General Tab
| Field or Heading | Configuration Attribute |
|---|---|
| User DN |  |
| Skip referral for search |  |
| Skewed attributes |  |
| Search Filters to be processed in memory |  |
| Hashed attributes |  |
| Match DN |  |
| PKI Matching Rule |  |
| Referential Integrity |  |
| Maximum Filter Size |  |
| Enable Entry Cache |  |
| Maximum Entries in Entry Cache |  |
| Maximum Entry Cache Size (MB) |  |
| Number of users in privilege group membership cache NOT on EM page |  |
| Result Set Cache Attributes |  |
| Java Plug-in VM Options |  |
A server restart is recommended after changing orclskiprefinsql or orclskewedattribute.
9.2.2.4 Replication
Replication-related attributes are described in Managing Replication Configuration Attributes.
9.2.3 SSL and Audit Parameters Configuration
You can configure SSL parameters by using the Oracle Internet Directory SSL Configuration Page.
See Overview of Configuring SSL by Using Fusion Middleware Control. You must restart the server for SSL configuration changes to take effect.
You can configure Audit attributes by using the Oracle Internet Directory Audit Policy Settings page. See Managing Auditing Using Fusion Middleware Control.
9.3 Managing System Configuration Attributes by Using WLST
You can manage system configuration attributes using WLST.
Table 9-7 lists the Related MBeans.
9.3.1 Managing System Configuration Attributes Using WLST
You can use the WebLogic Scripting Tool (wlst) in the Oracle Common home to manage the attributes of the Oracle Internet Directory instance-specific configuration entry that have Oracle Enterprise Manager Fusion Middleware Control interfaces.
A managed bean (MBean) is a Java object that represents a JMX manageable resource in a distributed environment, such as an application, a service, a component or a device. The WebLogic server uses custom MBeans as its interface to system components, such as Oracle Internet Directory.
Note:
WLST manages Oracle Internet Directory through its SSL port. The Oracle Internet Directory SSL port must be configured for no authentication or server authentication. If the Oracle Internet Directory SSL port is configured for mutual authentication, you will not be able to change Oracle Internet Directory attributes by using WLST. See About SSL Authentication Modes.
See Also:
- Oracle Fusion Middleware Components in Administering Oracle Fusion Middleware
- Using the WebLogic Scripting Tool in Understanding the WebLogic Scripting Tool
To use WLST, follow the steps below:
9.3.2 Related MBeans Of Oracle Internet Directory
There are three MBeans related to Oracle Internet Directory configuration under oracle.as.management.mbeans.register and two under oracle.as.oid.
Table 9-7 lists all the MBeans.
Table 9-7 Oracle Internet Directory-Related MBeans
| MBean Name | MBean Domain | MBean Format in ls() Output |
|---|---|---|
| Root Proxy MBean | oracle.as.management.mbeans.register | oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE |
| Non-SSL Port MBean | oracle.as.management.mbeans.register | oracle.as.management.mbeans.register:type=component.nonsslport,name=nonsslport1,instance=INSTANCE,component=COMPONENT_NAME |
| Audit MBean | oracle.as.management.mbeans.register | oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=INSTANCE,component=COMPONENT_NAME |
| SSL Port MBean | oracle.as.oid | oracle.as.oid:type=component.sslconfig,name=sslport1,instance=INSTANCE,component=COMPONENT_NAME |
| Key Store MBean | oracle.as.oid | oracle.as.oid:type=component.keystore,name=keystore,instance=INSTANCE,component=COMPONENT_NAME |
9.4 Managing System Configuration Attributes by Using LDAP Tools
From the command line, you can modify most system configuration attributes by using ldapmodify and list most system configuration attributes by using ldapsearch.
9.4.1 Setting System Configuration Attributes by Using ldapmodify
You can modify system configuration attributes using ldapmodify.
You can modify most attributes in Table 9-1, Table 9-2, and Table 9-3 by using the command line:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
The contents of the LDIF file depend on the DN and the operation being performed.
The LDIF file for changing the value of the orclgeneratechangelog attribute in the instance-specific entry to 1 would be:
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclgeneratechangelog
orclgeneratechangelog: 1
The LDIF file for adding the orclinmemfiltprocess attribute to the DSA configuration entry would be:
dn: cn=dsaconfig, cn=configsets, cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: (objectclass=inetorgperson)(orclisenabled=TRUE)
Note:
- Since 11g Release 1 (11.1.1.0.0), consecutive settings of orcldebugflag and of orcloptracklevel are additive.
- Restart the server after changing orclskiprefinsql, orclskewedattribute, orclserverprocs, orcldispthreads, orclmaxcc, orclpluginworkers, or any attribute with a name that begins with "orclssl" or "orclsasl".
- After changing orclnonsslport or orclsslport, restart the server.
See Also:
- The Oracle Internet Directory Performance Tuning chapter in Tuning Performance for more examples of LDIF files.
- The ldapmodify command-line tool reference in Reference for Oracle Identity Management for a more detailed discussion of ldapmodify and a list of its options.
- The "Oracle Identity Management LDAP Attribute Reference" in Reference for Oracle Identity Management for descriptions of the modifiable system configuration attributes.
9.4.2 Listing Configuration Attributes with ldapsearch
You can use ldapsearch to list most attributes.
For example:
- Instance-Specific Configuration Entry
  If the component name for a server instance is oid1, then you can list the attributes in the instance-specific configuration entry with a command line such as:
  ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
    -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" -s base "objectclass=*"
- DSA Configuration Entry
  You can list the attributes with the command line:
  ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
    -b "cn=dsaconfig,cn=configsets,cn=oracle internet directory" \
    -s base "objectclass=*"
- DSE
  You can list the attributes with the command line:
  ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
    -b "" -s base "objectclass=*"
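The following is an added example, not part of the Oracle documentation: it parses the LDIF printed by the instance-specific ldapsearch above, decodes the additive SSL/TLS version value from Table 9-1, flags legacy protocols and weak SASL ciphers, and builds an ldapmodify change file as in section 9.4.1 while applying the restart rules from that section's note. The attribute names orclcryptoversion, orclsslauthentication and orclsaslcipherchoice are assumptions, because the Attribute column of Table 9-1 is blank on this page; the sample entry is constructed, and the choice of what counts as legacy or weak is this example's own policy.

```python
import base64
import re

# Assumed attribute names: the Attribute column of Table 9-1 is blank on this
# page. Adjust them to match your directory before relying on the results.
TLS_ATTR = "orclcryptoversion"             # row "SSL/TLS version to be used"
SSL_AUTH_ATTR = "orclsslauthentication"    # row "SSL Authentication"
SASL_CIPHER_ATTR = "orclsaslcipherchoice"  # row "SASL Cipher Choice"

# Bit values from the Possible Values column of the SSL/TLS version row.
PROTOCOL_BITS = {2: "SSL v3.0", 4: "TLS 1.0", 8: "TLS 1.1", 16: "TLS 1.2"}
LEGACY_PROTOCOLS = {"SSL v3.0", "TLS 1.0"}              # policy of this example
WEAK_SASL_CIPHERS = {"rc4-56", "rc4-40", "rc4", "des"}  # policy of this example

# Restart rules taken from the note in section 9.4.1.
RESTART_ATTRS = {"orclskiprefinsql", "orclskewedattribute", "orclserverprocs",
                 "orcldispthreads", "orclmaxcc", "orclpluginworkers",
                 "orclnonsslport", "orclsslport"}
RESTART_PREFIXES = ("orclssl", "orclsasl")

# Constructed sample of ldapsearch output for the instance-specific entry.
SAMPLE_LDIF = """\
dn: cn=oid1,cn=osdldapd,
 cn=subconfigsubentry
orclcryptoversion: 6
orclsslauthentication: 1
orclsaslcipherchoice: Rc4-56,rc4-40,rc4,des,3des
orclsslport: 3131
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    # A line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def decode_protocols(value):
    """Expand the additive SSL/TLS version value into protocol names."""
    mask = int(value)
    if mask == 0:  # 0 means all supported protocols
        return list(PROTOCOL_BITS.values())
    if mask & ~sum(PROTOCOL_BITS):
        raise ValueError(f"unknown protocol bits in {value!r}")
    return [name for bit, name in sorted(PROTOCOL_BITS.items()) if mask & bit]


def audit_instance_entry(entry):
    """Return findings for the transport-security settings of one entry."""
    findings = []
    for value in entry.get(TLS_ATTR, []):
        legacy = [p for p in decode_protocols(value) if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(f"{TLS_ATTR}={value} enables {', '.join(legacy)}")
    if "1" in entry.get(SSL_AUTH_ATTR, []):
        findings.append(f"{SSL_AUTH_ATTR}=1 means no SSL authentication")
    for value in entry.get(SASL_CIPHER_ATTR, []):
        ciphers = {c.strip().lower() for c in value.split(",")}
        weak = sorted(ciphers & WEAK_SASL_CIPHERS)
        if weak:
            findings.append(f"{SASL_CIPHER_ATTR} allows {', '.join(weak)}")
    return findings


def needs_restart(attr):
    """Apply the restart rules from the note in section 9.4.1."""
    name = attr.lower()
    return name in RESTART_ATTRS or name.startswith(RESTART_PREFIXES)


def build_modify_ldif(dn, changes):
    """Return (LDIF text for ldapmodify -f, restart_required)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for index, (attr, value) in enumerate(changes.items()):
        if index:
            lines.append("-")  # separator between modifications in one record
        lines += [f"replace: {attr}", f"{attr}: {value}"]
    restart = any(needs_restart(attr) for attr in changes)
    return "\n".join(lines) + "\n", restart


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for finding in audit_instance_entry(entry):
        print("FINDING:", finding)
    ldif, restart = build_modify_ldif(entry["dn"][0], {SASL_CIPHER_ATTR: "3des"})
    print(ldif, end="")
    print("Restart required:", restart)
```
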
9.5 Managing System Configuration Attributes by Using ODSM Data Browser
Oracle Enterprise Manager Fusion Middleware Control is the recommended graphical user interface for managing system configuration attributes. You can also use ODSM to manage system configuration attributes, which can be useful if Fusion Middleware Control is not available or if you must modify an attribute that has no Fusion Middleware Control interface.
See Managing Entries by Using Oracle Directory Services Manager for detailed instructions for changing the attributes of a directory entry. The following sections explain how to get to the entries that contain system configuration attributes in ODSM.
9.5.1 Navigating to the Instance-Specific Configuration Entry
You can navigate to the Instance-specific configuration entry from the ODSM Data Browser tab.
On the Data Browser tab, in the navigation tree, expand subconfigsubentry, then osdldapd. Then select the name of the Oracle Internet Directory component you want to manage.
9.5.2 Navigating to the DSA Configuration Entry
You can navigate to the DSA configuration entry from the ODSM Data Browser tab.
On the Data Browser tab, in the navigation tree, expand oracle internet directory, then configsets, then select the entry dsaconfig.