This chapter describes how to configure Oracle Unified Directory as the back-end directory for Oracle Directory Integration Platform. It contains the following sections:
You must install Oracle Directory Integration Platform as described in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
Note:
Ensure that you select Install Software -Do not configure option during the installation process.You can configure Oracle Unified Directory (back-end directory) non-SSL communication for Oracle Directory Integration Platform by completing the following steps:
Task 7: Configuring Oracle Directory Integration Platform for Oracle Unified Directory
Task 8: Adding Access Control Instructions (ACIs) for Oracle Unified Directory
Ensure that Oracle Unified Directory is installed, as described in the Installing Oracle Unified Directory.
For OUD Base Location Home, Oracle recommends that you specify the Oracle Directory Integration Platform home directory, as the Middleware home.
When you set up an Oracle Unified Directory server instance using either the graphical user interface (GUI) or the command-line interface (CLI), ensure that you select one of the following options:
Enable for DIP: Select this option if you want this server instance to be enabled for Oracle Directory Integration Platform (DIP) only.
Enable for EBS (E-Business Suite), Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).
Enable for EUS (Enterprise User Security), EBS, Database Net Services and DIP: Select this option if you want this server instance to be enabled for Oracle Enterprise User Security (EUS), Oracle E-Business Suite (EBS), Oracle Database Net Services, and Oracle Directory Integration Platform (DIP).
Note:
All the above options are valid for Oracle Directory Integration Platform. Oracle recommends you to use Enable for DIP option for integrating Oracle Unified Directory with Oracle Directory Integration Platform and if you are not integrating with EBS, EUS, or Database Net Service.You must configure the Oracle Unified Directory, as described in the Administering Oracle Unified Directory.
If the suffixes are not created during installation as described in Task 1: Installing Oracle Unified Directory, then you must create the cn=oraclecontext
and cn=oracleschemaversion
suffixes, by running the setup-oracle-context
command on the command line as follows:
UNIX
$ setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll
Windows
setup-oracle-context -h localhost -p 4444 -D "cn=directory manager" -j pwd-file --no-prompt --trustAll
You must enable External Change Log (ECL) for the directory server instance, by running the following two commands on the command line:
Note:
If you have configured replication during installation then the External Change Log (ECL) is enabled. For more information, see "Setting Up Replication During Installation" in the Installing Oracle Unified Directory.UNIX
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b <user_suffix> --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt
Windows
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b <user_suffix> --trustAll --no-prompt
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -j pwd-file -r 8989 -b cn=oraclecontext --trustAll --no-prompt
The replication port (-r
) is required to configure the ECL, even on a standalone server, because the ECL relies on the replication mechanism. You need only specify the replication port if the change log (or replication) was not previously configured on the server. The default value of the replication port is 8989.
To verify that the ECL is configured on a directory server instance, run the following search command and look for the cn=changelog
naming context:
$ ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd-file -s base -b "" "objectclass=*" namingContexts dn: namingContexts: cn=changelog namingcontexts: cn=OracleContext namingcontexts: cn=OracleSchemaVersion namingcontexts: dc=example,dc=com
You must configure Oracle Directory Integration Platform with Oracle Unified Directory. It includes the following topics:
Perform the following steps to configure Oracle Directory Integration Platform with Oracle Unified Directory an existing WebLogic administration domain:
Run the <MW_HOME>/oracle_common/common/bin/config.sh
script (UNIX) or <MW_HOME>\oracle_common\common\bin\config.cmd
(Windows).
The Welcome screen is displayed.
Select Extend an existing WebLogic domain, and click Next.
The Select a WebLogic Domain Directory screen is displayed.
Browse to the directory that contains the WebLogic domain in which you want to configure Oracle Directory Integration Platform with Oracle Directory Server Enterprise Edition, and click Next.
The Select Extension Source screen is displayed.
Select the following domain configuration options:
Oracle Enterprise Manager - 11.1.1.0 [oracle_common]
Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1]
Notes:
When you select Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] option, Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] and Oracle JRF 11.1.1.0 [oracle_common] is also selected by default.
You can ignore the Oracle Directory Integration Platform version number appearing in the Select Extension Source screen.
Click Next.
The Specify Domain Name and Location screen is displayed.
The Specify Domain Name and Location screen automatically selects the application location. Click Next.
The Select Optional Configuration screen is displayed.
Select Managed Servers, Clusters, and Machines option. Click Next.
The Configure Managed Servers screen is displayed.
Specify the Managed Server name and click Next.
The Configure Clusters screen is displayed.
Configure Clusters as required and click Next.
The Configure Machines screen is displayed.
Select the Machine or Unix Machine tab. Click on Add and specify the machine name. Click Next.
If you added a machine on the Configure Machines screen, then the Assign Servers to Machines screen appears. On the Assign Servers to Machines screen, assign the Administration Server and the Managed server to the specified machine. Click Next.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Click Done, once the domain is extended.
Your existing Oracle Unified Directory domain is extended to support Oracle Directory Integration Platform.
You must run the Oracle Fusion Middleware Configuration Wizard to create a Oracle WebLogic domain as follows:
Note:
Ensure that Oracle Directory Integration Platform is installed using Install Software - Do Not Configure option.Run the <MW_HOME>/oracle_common/common/bin/config.sh
script (on UNIX) or <MW_HOME>\oracle_common\common\bin\config.cmd
(on Windows).
The Welcome screen is displayed.
Select Create a new WebLogic domain, and click Next.
The Select Domain Source screen is displayed.
Select Generate a domain configured automatically to support the following products: and then select the following domain configuration options:
Oracle Enterprise Manager - 11.1.1.0 [oracle_common]
Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1]
Notes:
When you select Oracle Directory Integration Platform - 11.1.1.2.0 [Oracle_IDM1] option, Oracle Identity Management - 11.1.1.2.0 [Oracle_IDM1] and Oracle JRF 11.1.1.0 [oracle_common] is also selected by default.
You can ignore the Oracle Directory Integration Platform version number appearing in the Select Domain Source screen.
Click Next.
The Specify Domain Name and Location screen is displayed.
Enter a name and location for the domain to be created. In addition, enter a location to store applications for the domain. Click Next.
The Configure Administrator User Name and Password screen is displayed.
Configure a user name and a password for the administrator. The default user name is weblogic. Click Next.
The Configure Server Start Mode and JDK screen is displayed.
Select Production Mode and a valid JDK.
The Optional Configuration screen is displayed.
Click Next.
The Configuration Summary screen is displayed.
Verify the domain details and click Create.
The Creating Domain screen is displayed.
When the domain creation process completes, click Done to close the Configuration Wizard.
A new WebLogic domain (for example: domain1) is created to support Oracle Directory Integration Platform and Fusion Middleware Control in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
After configuring the Oracle WebLogic Server domain, perform the following tasks:
Run the <MW_HOME>/oracle_common/common/bin/setNMProps.sh
script (on UNIX) or <MW_HOME>\oracle_common\common\bin\setNMProps.cmd
(on Windows).
Start the Administration Server, Node Manager and Managed Server as described in Appendix C, "Starting and Stopping the Oracle Stack".
Start the Oracle Unified Directory using the start-ds
command:
UNIX: $ start-ds
Windows: C:\> start-ds
After configuring the Oracle WebLogic Server domain, you must configure Oracle Directory Integration Platform for Oracle Unified Directory by setting the WL_HOME
and ORACLE_HOME
environment variables running the dipConfigurator setup
(<ORACLE_HOME>/bin
) command on the command line and enter the following arguments:
Note:
You can view thedipConfig.log
file, located at <ORACLE_HOME>/ldap/log/
.Table 5-1 dipConfigurator Properties for Oracle Unified Directory
Properties | Description |
---|---|
|
Oracle WebLogic Server host name where Oracle Directory Integration Platform is deployed. The default host name is |
|
Listening port number of the Oracle WebLogic Administration Server where Oracle Directory Integration Platform is deployed. The default port number is |
|
Oracle WebLogic Server login user name. |
|
Oracle Unified Directory host name. The default host name is |
|
Oracle Unified Directory server port number. The default value is |
|
Specify |
|
The bind DN to connect to the directory. The default value is |
|
The administration port number of the Oracle Unified Directory to which you want to connect. The default port number is |
|
Specify if the Oracle Directory Integration Platform instance is in a cluster environment. The default value is |
|
Specify the frequency (milliseconds) at which an instance checks for server status (For example, detecting failed instances) with the other instances of the cluster. The default value is |
Example:
UNIX
$ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
Windows
ORACLE_HOME/bin/dipConfigurator setup -wlshost localhost -wlsport 7001 -wlsuser weblogic -ldaphost oudhost -ldapport 1389 -ldapuser "cn=Directory Manager" -isldapssl false -ldapadminport 4444
You must add the ACIs in an LDIF file by running the ldapmodify
command on the command line:
ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w <password> <<EOF dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "Entry-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; ) - add: aci aci: (targetattr="*")(version 3.0; acl "Attribute-level DIP permissions"; allow (all,proxy) groupdn="ldap:///cn=dipadmingrp,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext"; allow (all,proxy) groupdn="ldap:///cn=odipigroup,cn=DIPadmins,cn=Directory Integration Platform,cn=Products,cn=oraclecontext";) EOF
Note:
This is an example, and you need to replace thedc=example,dc=com
ACI with your profile configuration.Verify the Oracle Directory Integration Platform (ODIP) installation using the dipStatus
command, which is located in the $ORACLE_HOME/bin/ directory.
Note:
You must set the WL_HOME and ORACLE_HOME environment variables before executing thedipStatus
command.The following is the syntax for the dipStatus
command:
$ORACLE_HOME/bin/dipStatus -h localhost -p 7005 -D weblogic [-help]
-h | -host
identifies the Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.
-p | -port
identifies the listening port of the Oracle Directory Integration Platform Managed Server.
-D | -wlsuser
identifies the Oracle WebLogic Server login ID.
Note:
You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus
from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
You can also verify the Oracle Directory Integration Platform (ODIP) installation using the Oracle Enterprise Manager Fusion Middleware Control, as follows:
Log in to the Oracle Enterprise Manager Fusion Middleware Control.
In the navigation panel on the left, click or expand Identity and Access and then select the DIP component.
Click the DIP Server menu, point to Administration, and then select Server Properties.
Click Test Connection and verify the instance.
After you install and configure Oracle Directory Integration Platform (ODIP), refer to the Part III, "Getting Started with Oracle Directory Integration Platform".
After configuring Oracle Unified Directory (back-end directory) non-SSL communication for Oracle Directory Integration Platform, you can synchronize or provision it with a connected directory, as described in Part III, "Synchronization Using Oracle Directory Integration Platform" or Part III, "Provisioning with the Oracle Directory Integration Platform".
You can configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following:
You can configure Oracle Unified Directory (back-end directory) SSL communication for Oracle Directory Integration Platform by completing the following steps:
Configure Oracle Unified Directory, as described in Section 5.2, "Configuring Oracle Unified Directory (Non-SSL) for Oracle Directory Integration Platform".
Configure Oracle Unified Directory to accept SSL-based connections using a self-signed certificate, as described in "Getting SSL Up and Running Quickly" in the Administering Oracle Unified Directory.
Export the private key for the Oracle Unified Directory instance, by running the following command:
UNIX
$ keytool -exportcert -alias server-cert -file config/server-cert.txt -rfc \ -keystore config/keystore -storetype JKS
Windows
keytool -exportcert -alias server-cert -file config/server-cert.txt -rfc \ -keystore config/keystore -storetype JKS
After configuring the Oracle Unified Directory (back-end directory) SSL communication, you must configure Oracle Directory Integration Platform, by completing the following steps:
Create a Java Keystore (JKS) using the keytool, and import the trusted certificate exported in the previous step into the JKS.
keytool -importcert -trustcacerts -alias
Some_alias_name
Path_to_certificate_file
-file-keystore
path_to_keystore
For example:
keytool -importcert -trustcacerts -alias OUD2
-file /home/Middleware/asinst_1/OUD/admin/server-cert.txt -keystore /home/Middleware/dip.jks
The system will prompt for a keystore password. Type a new password for this keystore.
Run the following command to update the Java Keystore location in Oracle Directory Integration Platform.
manageDIPServerConfig set -attribute keystorelocation
full_path_to_keystore
-val-h
weblogic_host -p
weblogic_managed_server_port -D
weblogic_user
Note:
full_path_to_keystore represents the absolute path to the Java Keystore (JKS) based on the host where Oracle Directory Integration Platform is deployed. When you specify the absolute path to the JKS, use the appropriate path separators (that is, / for UNIX and Linux platforms, and \ for Windows platforms).For example:
$ORACLE_HOME/bin/manageDIPServerConfig set -h localhost -p 7005 -D wlsuser -attribute keystorelocation -val /home/Middleware/dip.jks
The system will prompt for the WebLogic password.
Run the following commands to create a CSF credential and update the Java Keystore password:
Open the WLST prompt by running the following command:
$ORACLE_HOME/common/bin/wlst.sh
(UNIX) or ORACLE_HOME\common\bin\wlst.sh
(Windows)
Connect to the WebLogic Admin Server:
connect('
Weblogic_User', '
Weblogic_password',
Weblogic_Host:Weblogic_AdminServer_Port
't3://')
Create the credential and update the Java Keystore password:
createCred(map="dip", key="jksKey", user="jksuser", password="
JKS_password")
Update the Oracle Directory Integration Platform SSL configuration, by running the following command:
UNIX
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
$ORACLE_HOME/bin/manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
Windows
ORACLE_HOME\bin\manageDIPServerConfig set -attribute sslmode -val 2 -h localhost -p 7005 -D "weblogic"
ORACLE_HOME\bin\manageDIPServerConfig set -attribute backendhostport -val localhost:1636 -h localhost -p 7005 -D "weblogic"
For more information, see Section 4.5.2, "Arguments for manageDIPServerConfig".
You can also Log in to the Enterprise Manager and update the Oracle Directory Integration Platform SSL configuration.
Choose DIP > Server Properties, then set SSL Mode to 2 and the port value to the Oracle Unified Directory SSL port.
Restart the Oracle WebLogic managed server.
Oracle Directory Integration Platform will now connect to Oracle Unified Directory in SSL Server authentication mode.