7 Configuring Oracle Directory Server Enterprise Edition

This chapter describes how to configure Oracle Directory Server Enterprise Edition as the back-end directory for Oracle Directory Integration Platform. It contains the following sections:

7.1 Prerequisites

You must install Oracle Directory Integration Platform, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

Note:

Ensure that you do not select the Install Software - Do Not Configure option during the installation process.

7.2 Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform

You can configure Oracle Directory Server Enterprise Edition (back-end directory) non-SSL communication for Oracle Directory Integration Platform by completing the following steps:

7.2.1 Task 1: Installing and Configuring Oracle Directory Server Enterprise Edition

Ensure that Oracle Directory Server Enterprise Edition is installed and configured, as described in the Oracle Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition and Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

Note:

You must create a Directory Server instance, as described in "Creating Server Instances From Command Line" in the Oracle® Fusion Middleware Installation Guide for Oracle Directory Server Enterprise Edition.

7.2.2 Task 2: Installing Oracle Directory Server Enterprise Edition Plug-In

You can synchronize the password for Oracle Directory Server Enterprise Edition, as described in Section 9.8.3, "Configuring Password Synchronization for Oracle Directory Server Enterprise Edition". To synchronize the password, you must install the Oracle Directory Server Enterprise Edition plug-in, as follows:

  1. Select dip-plugin.so or dip-plugin.dll, depending on your platform, from the Disk1\utils\dip-plugin (Windows) or Disk1/utils/dip-plugin (UNIX) directory in the Oracle Identity Management distribution package.

  2. Copy it to:

    • 32-bit system: INSTALL-PATH/dsee7/lib (UNIX) or INSTALL-PATH\dsee7\lib (Windows).

    • 64-bit system: INSTALL-PATH/dsee7/lib64 (UNIX).

For more information about the Oracle Directory Server Enterprise Edition plug-in, see Oracle Fusion Middleware Developer's Guide for Oracle Directory Server Enterprise Edition.

7.2.3 Task 3: Creating Oracle Directory Server Enterprise Edition Suffixes

You must create the following suffixes for the server's Directory Information Tree (DIT):

  • cn=OracleContext: This suffix stores the Oracle Directory Integration Platform configuration details.

  • A data suffix of your choice (<data_suffix_name> in the commands below): This suffix stores the synchronized data.

To create the suffixes, run the dsconf command on the command line:

dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" cn=OracleContext
dsconf create-suffix -i -c -h host -p port -D "cn=Directory Manager" <data_suffix_name>

After creating the suffixes, you must do the following:

  1. Create a products.ldif file with the following content for cn=Products:

    dn: cn=Products,cn=OracleContext
    changetype: add
    cn: Products
    objectclass: top
    objectclass: extensibleObject

  2. Run the ldapadd command to add the cn=Products entry:

    ldapadd -h host -p port -D "cn=Directory Manager" -w <pwd> -v -f products.ldif


For more information, see "Creating Suffixes" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

7.2.4 Task 4: Enabling the Retro Change Log for Oracle Directory Server Enterprise Edition

To enable the retro change log for Oracle Directory Server Enterprise Edition, do the following:

  1. Run the dsconf command on the command line:

    dsconf set-server-prop -h host -p port retro-cl-enabled:on

  2. Restart the directory server instance, as described in "Starting, Stopping, and Restarting a Directory Server Instance" in the Oracle Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition.

Note:

Enabling the retro change log for Oracle Directory Server Enterprise Edition may impact Directory Server performance.

7.2.5 Task 5: Configuring the Oracle WebLogic Server Domain

You must configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an Oracle WebLogic Server domain. This task includes the following topics:

Note:

Ensure that Oracle Directory Integration Platform is installed using the Install Software - Do Not Configure option.

7.2.5.1 Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an Existing WebLogic Domain

Perform the following steps to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition in an existing WebLogic administration domain:

  1. Run the <MW_HOME>/oracle_Home/bin/config.sh script (UNIX) or <MW_HOME>\oracle_Home\bin\config.cmd (Windows).

    The Welcome screen is displayed.

  2. Select Extend an existing WebLogic domain, and click Next.

    The Select a WebLogic Domain Directory screen is displayed.

  3. Browse to the directory that contains the WebLogic domain in which you want to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition, and click Next.

    The Select Extension Source screen is displayed.

  4. Select the following domain configuration options:

    • Oracle Enterprise Manager - 11.1.1.0 [oracle_common]

    • Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1]

      Notes:

      • When you select the Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] option, Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] and Oracle JRF 11.1.1.0 [oracle_common] are also selected by default.

      • You can ignore the Oracle Directory Integration Platform version number appearing in the Select Extension Source screen.

    Click Next.

    The Specify Domain Name and Location screen is displayed.

  5. The Specify Domain Name and Location screen automatically selects the application location. Click Next.

    The Select Optional Configuration screen is displayed.

  6. Select Managed Servers, Clusters, and Machines option. Click Next.

    The Configure Managed Servers screen is displayed.

  7. Specify the Managed Server name and click Next.

    The Configure Clusters screen is displayed.

  8. Configure Clusters as required and click Next.

    The Configure Machines screen is displayed.

  9. Select the Machine or Unix Machine tab. Click Add and specify the machine name. Click Next.

  10. If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.

  11. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

  12. Click Done, once the domain is extended.

    Your existing Oracle Directory Server Enterprise Edition domain is extended to support Oracle Directory Integration Platform.

7.2.5.2 Oracle Directory Integration Platform and Oracle Directory Server Enterprise Edition in a New Oracle WebLogic Server Domain

Run the Oracle Fusion Middleware Configuration Wizard to create a new Oracle WebLogic domain:

  1. Run the <MW_HOME>/oracle_common/common/bin/config.sh script (UNIX) or <MW_HOME>\oracle_common\common\bin\config.cmd (Windows).

    The Welcome screen is displayed.

  2. Select Create a new WebLogic domain, and click Next.

    The Select Domain Source screen is displayed.

  3. Select Generate a domain configured automatically to support the following products: and then select the following domain configuration options:

    • Oracle Enterprise Manager - 11.1.1.0 [oracle_common]

    • Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1]

      Notes:

      • When you select the Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] option, Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] and Oracle JRF 11.1.1.0 [oracle_common] are also selected by default.

      • You can ignore the Oracle Directory Integration Platform version number appearing in the Select Domain Source screen.

    Click Next.

    The Specify Domain Name and Location screen is displayed.

  4. Enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next.

    The Configure Administrator User Name and Password screen is displayed.

  5. Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen is displayed.

  6. Select the following:

    • From WebLogic Domain Startup Mode, select Production Mode.

    • From Available JDKs, select a JDK.

      Click Next.

    The Select Optional Configuration screen is displayed.

  7. Select Administration Server and Managed Servers, Clusters, and Machines options. Click Next.

    The Configure the Administration Server screen is displayed.

  8. Specify the Administration Server name and the Listen port (the default port is 7001). Click Next. The Configure Managed Servers screen appears.

    Note:

    Ensure that you use a dedicated Administration Server name and Listen port for the Oracle WebLogic Server domain that manages Oracle Directory Integration Platform configured with Oracle Directory Server Enterprise Edition. For example, you can use 8001 as the Listen port for the Administration Server.

  9. On the Configure Managed Servers screen, specify the Managed Server name and the Listen port (the default port is 7005). Click Next.

    Note:

    Ensure that you use a dedicated Managed Server name and Listen port for the Oracle WebLogic Server domain that manages Oracle Directory Integration Platform configured with Oracle Directory Server Enterprise Edition. For example, you can use wls_odsee as the Managed Server name and 8005 as the Listen port for the Managed Server.

  10. On the Configure Clusters screen, configure Clusters as required. Click Next.

  11. On the Configure Machines screen, select the Machine or Unix Machine tab. Click Add and specify the machine name. Click Next.

  12. If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.

  13. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  14. Click Done, once the domain is created successfully.

    A new WebLogic domain (for example: domain1) is created to support Oracle Directory Integration Platform (ODIP) and Fusion Middleware Control in the <MW_HOME>\user_projects\domains directory (Windows) or in <MW_HOME>/user_projects/domains directory (UNIX).

7.2.6 Task 6: Starting the Server

After configuring the Oracle WebLogic Server domain, perform the following tasks:

  1. Run the <MW_HOME>/oracle_common/common/bin/setNMProps.sh script (on UNIX) or <MW_HOME>\oracle_common\common\bin\setNMProps.cmd (on Windows).

  2. Start the Administration Server, Node Manager and Managed Server as described in Appendix C, "Starting and Stopping the Oracle Stack".

  3. Start the Oracle Directory Server Enterprise Edition instance:

    $ dsadm start instance-path


7.2.7 Task 7: Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition

After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition. Set the WL_HOME and ORACLE_HOME environment variables, then run the dipConfigurator setup command (in <ORACLE_HOME>/bin) on the command line with the following arguments:

Table 7-1 dipConfigurator Properties for Oracle Directory Server Enterprise Edition

  wlshost
      Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed.

  wlsport
      Listening port number of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.

  wlsuser
      Oracle WebLogic Server login user name.

  ldaphost
      Oracle Directory Server Enterprise Edition host name.

  ldapport
      Oracle Directory Server Enterprise Edition server port number. The default value is 636.

  isldapssl
      Specify true or false to enable or disable SSL.

  ldapuser
      The bind DN used to connect to Oracle Directory Server Enterprise Edition.

  isclustered <BOOLEAN>
      Specify whether the Oracle Directory Integration Platform instance is in a cluster environment.

  clustercheckininterval <INT>
      Frequency (in milliseconds) at which an instance checks server status (for example, detecting failed instances) with the other instances of the cluster.

Example:

UNIX:

$ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false

Windows:

ORACLE_HOME\bin\dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost odseehost -ldapport 389 -ldapuser "cn=Directory Manager" -isldapssl false

Note:

You can synchronize the password for Oracle Directory Server Enterprise Edition, as described in Section 9.8.3, "Configuring Password Synchronization for Oracle Directory Server Enterprise Edition".

7.2.8 Task 8: Adding Access Control Instructions (ACIs) for Oracle Directory Server Enterprise Edition

You must add the following ACIs to the data suffix by running the ldapmodify command on the command line (the example passes the LDIF inline rather than from a file):

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w secret12 <<EOF
dn: dc=<suffix_name>,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=<suffix_name>,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; )
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";)
EOF
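The two ACIs above grant the DIP admin groups (all,proxy) rights on the data suffix. As an added example that is not Oracle's code, the following Python builds that ldapmodify LDIF for a chosen data suffix and parses ACI values read back from the server so you can confirm that only the two DIP groups named above are granted rights; the suffix dc=example,dc=com and the widened ACI used for the check are constructed.

```python
"""Generate and sanity-check the Task 8 ACIs for Oracle Directory Integration Platform.

Added example, not code from the Oracle documentation. It builds the ldapmodify LDIF
for a chosen data suffix and parses ACI values (for example, read back with ldapsearch)
to confirm that only the two DIP groups named in Task 8 hold (all,proxy) rights.
"""
import re

# Group DNs exactly as listed in Task 8.
DIP_GROUPS = (
    "cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext",
    "cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext",
)


def _grants(groups):
    return " ".join(f'allow (all,proxy) groupdn="ldap:///{g}";' for g in groups)


def build_dip_aci_ldif(suffix):
    """Return the ldapmodify LDIF that adds both DIP ACIs to SUFFIX (e.g. 'dc=example,dc=com')."""
    entry_aci = (f'(target="ldap:///{suffix}")(version 3.0; acl "Entry-level DIP permissions"; '
                 f"{_grants(DIP_GROUPS)} )")
    attr_aci = (f'(targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; '
                f"{_grants(DIP_GROUPS)})")
    return "\n".join([f"dn: {suffix}", "changetype: modify",
                      "add: aci", f"aci: {entry_aci}", "-",
                      "add: aci", f"aci: {attr_aci}", ""])


# One access rule inside an ACI body: allow|deny (rights) subject="ldap:///..."
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(groupdn|userdn|roledn)\s*=\s*"ldap:///([^"]*)"')


def parse_aci(aci):
    """Split one ODSEE ACI string into its target, targetattr, acl name and access rules."""
    def first(pattern):
        m = re.search(pattern, aci)
        return m.group(1) if m else None
    rules = [{"effect": m.group(1),
              "rights": {r.strip().lower() for r in m.group(2).split(",")},
              "subject_type": m.group(3), "subject": m.group(4)}
             for m in _RULE.finditer(aci)]
    return {"target": first(r'\(target="ldap:///([^"]*)"\)'),
            "targetattr": first(r'\(targetattr="([^"]*)"\)'),
            "name": first(r'acl\s+"([^"]*)"'), "rules": rules}


def check_dip_aci(aci):
    """Return findings; an empty list means the ACI grants exactly the two DIP groups."""
    expected = {g.lower() for g in DIP_GROUPS}
    seen, findings = set(), []
    for rule in parse_aci(aci)["rules"]:
        if rule["effect"] != "allow":
            continue
        subject = rule["subject"].lower()
        if rule["subject_type"] != "groupdn" or subject not in expected:
            # userdn="anyone", a third group, etc. would widen access beyond DIP.
            findings.append(f"unexpected grantee {rule['subject_type']}={rule['subject']}")
            continue
        seen.add(subject)
        if not {"all", "proxy"} <= rule["rights"]:
            findings.append(f"{rule['subject']} lacks the (all,proxy) rights DIP needs")
    findings.extend(f"missing DIP group {g}" for g in DIP_GROUPS if g.lower() not in seen)
    return findings
```

Run check_dip_aci over each aci value returned by an ldapsearch of the data suffix after Task 8; any finding means the suffix is reachable by more than the two DIP groups or by a group without proxy rights.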

7.2.9 Task 9: Verifying Oracle Directory Integration Platform

For more information, see Section 5.2.9, "Task 9: Verifying Oracle Directory Integration Platform".

After configuring Oracle Directory Server Enterprise Edition (back-end directory) non-SSL communication for Oracle Directory Integration Platform, you can synchronize or provision it with a connected directory, as described in Part III, "Synchronization Using Oracle Directory Integration Platform" or Part III, "Provisioning with the Oracle Directory Integration Platform".

7.3 Configuring Oracle Directory Server Enterprise Edition (SSL) for Oracle Directory Integration Platform

You can configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following steps:

7.3.1 Configuring Oracle Directory Server Enterprise Edition for SSL

You can configure Oracle Directory Server Enterprise Edition (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following steps:

  1. Configure Oracle Directory Server Enterprise Edition, as described in Section 7.2, "Configuring Oracle Directory Server Enterprise Edition (Non-SSL) for Oracle Directory Integration Platform".

  2. You can disable non-SSL communications so that the Oracle Directory Server Enterprise Edition communicates only through SSL. To do so, run the dsconf command on the command line:

    UNIX:

    $ dsconf set-server-prop -h host -P 1636 ldap-port:disabled

    Windows:

    dsconf set-server-prop -h host -P 1636 ldap-port:disabled

    Restart the Oracle Directory Server Enterprise Edition instance:

    dsadm restart instance-path

    You can no longer bind on the non-secure port 389.

  3. Create the Oracle Directory Integration Platform credentials, by doing the following:

    1. Open the WLST prompt by running the following command:

      $ORACLE_HOME/common/bin/wlst.sh (UNIX) or ORACLE_HOME\common\bin\wlst.sh (Windows)

    2. Run the following command on the command line:

      createCred(map="dip", key="jksKey", user="jksUser", password="welcome1", desc="DIP SSL JKS")

      Example:

      createCred -wlshost localhost -wlsport 7001 -wlsuser weblogic -csfmap dip -csfkey jksKey -csfuser "cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=products,cn=oraclecontext" -csfpassword welcome1


    For more information, see Section 2.6, "Credential Storing".

  4. Import the Oracle Directory Server Enterprise Edition certificate into Oracle Directory Integration Platform, by running the following command:

    bin/dsadm show-cert -F der -o dsee-cert instance-path
    keytool -importcert -noprompt -trustcacerts -alias mycompany.com -file ~/dsee-cert -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
    keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>


7.3.2 Configuring Oracle Directory Integration Platform for Oracle Directory Server Enterprise Edition SSL

After configuring the Oracle Directory Server Enterprise Edition (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform, by completing the following steps:

  1. Update the Oracle Directory Server Enterprise Edition host name and port number, by running the manageDIPServerConfig utility (ORACLE_HOME/bin directory):

    manageDIPServerConfig set -h host -p port -D wlsuser -attribute {sslmode | refreshinterval | quartzthreadcount | quartzdbretryinterval | backendhostport | keystorelocation} [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-value ATTRIBUTE_VALUE] [-help]


    Example:

    manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute backendhostport -val odseehost:1636


    For more information, see Section 4.5.2, "Arguments for manageDIPServerConfig".

  2. Create a Java Keystore (JKS) using the keytool, and import the trusted certificate exported in the previous step into the JKS.

    keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore

    For example:

    keytool -importcert -trustcacerts -alias OID2 -file /home/Middleware/asinst_1/OID/admin/oidcert.txt -keystore /home/Middleware/dip.jks

    The system will prompt for a keystore password. Type a new password for this keystore.

    Notes:

    • If you use the -keystore option and the keystore does not exist, keytool creates the keystore.

    If you are using the Microsoft Active Directory as the connected directory, then you must do the following:

    1. Export the Microsoft Active Directory certificate, as described in LDAP over SSL (LDAPS) Certificate.

    2. Import the Microsoft Active Directory certificate to the Oracle Directory Integration Platform, by running the following command:

      keytool -importcert -noprompt -trustcacerts -alias mycompany.com -file ~/jpi-ad.cer -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
      
    3. Verify the certificate, by running the following command:

      keytool -list -keystore ~/keystores/DIPKeyStore.jks -storepass <password>
      
    4. Update the Keystore location in Oracle Directory Integration Platform:

      ./Oracle/Middleware/Oracle_IDM1/bin/manageDIPServerConfig set -attribute keystorelocation -val ~/keystores/DIPKeyStore.jks -h host -p 7005 -D "weblogic"
      
    5. Import the Microsoft Active Directory certificate to the Oracle Directory Server Enterprise Edition, by running the following command:

      dsee7/bin/dsadm add-cert -C instance-path
      
    6. Restart the directory server instance:

      dsadm restart instance-path
      
    7. Verify the certificate, by running the following command:

      /dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd-
      /dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n certAD
      /dsee7/bin/certutil -L -d $INSTANCE/alias/ -P slapd- -n host

  3. Run the following command to update the Java Keystore location in Oracle Directory Integration Platform:

    manageDIPServerConfig set -attr keystorelocation -val full_path_to_keystore -h weblogic_host -p weblogic_managed_server_port -wlsuser weblogic_user

    Note:

    full_path_to_keystore represents the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).

    For example:

    manageDIPServerConfig set -attr keystorelocation -val /home/Middleware/dip.jks -h localhost -p 7005 -wlsuser weblogic

    The system will prompt for the WebLogic password.

  4. Log in to the Enterprise Manager and update the Oracle Directory Integration Platform SSL configuration, by running the following command:

    manageDIPServerConfig set -h weblogic_host -p weblogic_managed_server_port -wlsuser weblogic_user -attribute sslmode [-value ATTRIBUTE_VALUE] [-help]


    For example:

    manageDIPServerConfig set -h localhost -p 7005 -D weblogic -attribute sslmode -val 2


    For more information, see Section 4.5.2, "Arguments for manageDIPServerConfig".

  5. Restart the Oracle WebLogic managed server.

    Oracle Directory Integration Platform will now connect to Oracle Directory Server Enterprise Edition in SSL Server authentication mode.