
Oracle Internet Directory (OID) Synchronization with Active Directory for Enterprise User Security – Part 5


1          Configuring Oracle Directory Integration Platform

1.1       SSL Server Authentication Configuration (Mode 2) Steps

  • In Enterprise Manager go to oid1 -> Create wallet and open the "selfsigned" wallet. Export the trust store certificate and save it to your filesystem.
  • Check that the OID connection over SSL works by issuing the command below (-U 2 requests SSL with server authentication, -W points at the wallet that holds the exported trust certificate)
  • Cmd>ldapbind -h  -p 3133 -D cn=orcladmin -w **** -U 2 -W file:E:/app/asinst_1/OID/admin/selfsigned -P ""
  • The result of the above command should be "bind successful"
  • Go to EM, "Identity and Access" -> dip -> Administration -> Server Properties
  • You will see the OID connect SSL mode "SSL_ENCRYPT (MODE 1)". Mode 1 only encrypts the connection and does not verify which server DIP is talking to, so it needs to be changed to 2 (server authentication).
  • To change to option 2, use the command below
  • Cmd> manageDIPServerConfig set -attribute sslmode -h -p -D weblogic -value 2
  • The above command asks for a password; provide the weblogic password.
  • You should see the result "The attribute sslmode is successfully changed to 2"
  • Cmd>manageDIPServerConfig.bat set -attribute oidhostport -h <server>  -p 7005 -D weblogic -value <servername>:3133
  • The above command points DIP at the OID SSL port 3133 instead of the non-SSL port 3131. (-h/-p 7005 is the WebLogic managed server running DIP that the command connects to; it is not a port DIP listens on.)
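The difference between sslmode 1 and sslmode 2 is easy to state but worth seeing. The example below is added here and is not from the original post or from Oracle's DIP tooling: a client built the way mode 1 (SSL_ENCRYPT) behaves accepts whatever certificate the peer presents, while a mode 2 client (server authentication) rejects any server that does not chain to the exported OID trust certificate. It assumes the openssl CLI is on PATH to mint throwaway self-signed certificates, uses the made-up host name oidhost and two local TLS listeners standing in for the OID SSL port; no real OID, AD or DIP is involved.

```python
"""Added example (not part of the original post or of Oracle's DIP tooling).

Shows what the sslmode change buys you: a mode 1 client accepts an impostor,
a mode 2 client does not. Certificates are generated with the openssl CLI
(assumed on PATH); FakeOid is a stand-in for OID's SSL port, not OID itself.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_selfsigned(directory, name, cn):
    """Generate key + self-signed cert for CN=cn with openssl; returns (key, cert)."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
         "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return key, crt


class FakeOid:
    """Minimal TLS listener standing in for an OID SSL port (e.g. 3133)."""

    def __init__(self, cert, key):
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(cert, key)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, read back below
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            conn.settimeout(5)
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # wait until the client hangs up
            except (ssl.SSLError, OSError):
                pass  # a mode 2 client that distrusts our cert aborts the handshake
            finally:
                conn.close()
        self.sock.close()

    def close(self):
        self.stop.set()
        self.thread.join()


def oid_client_context(sslmode, trust_cert=None):
    """Client TLS context matching the DIP 'sslmode' values 1 and 2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if sslmode == 1:
        # SSL_ENCRYPT: the channel is encrypted but the peer is never authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif sslmode == 2:
        # Server authentication: the cert must chain to the exported trust cert
        # and carry the name of the host we meant to reach.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=trust_cert)
    else:
        raise ValueError("only sslmode 1 and 2 are demonstrated here")
    return ctx


def tls_handshake_check(host, port, sslmode, trust_cert=None, server_name=None):
    """TLS-level counterpart of 'ldapbind -U <mode>': returns (ok, detail)."""
    ctx = oid_client_context(sslmode, trust_cert)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return True, "handshake ok with " + tls.version()
    except ssl.SSLError as exc:
        return False, "ssl error: " + (exc.reason or str(exc))


def run_demo():
    """Handshake against a genuine and an impostor 'OID' in both modes.
    Returns None when openssl is missing (no way to generate the certs)."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        real_key, real_crt = make_selfsigned(d, "genuine", "oidhost")   # plays the cert exported from EM
        fake_key, fake_crt = make_selfsigned(d, "impostor", "oidhost")  # same name, different key
        genuine, impostor = FakeOid(real_crt, real_key), FakeOid(fake_crt, fake_key)
        try:
            results = {}
            for mode in (1, 2):
                for label, srv in (("genuine", genuine), ("impostor", impostor)):
                    results["mode%d_%s" % (mode, label)] = tls_handshake_check(
                        "127.0.0.1", srv.port, mode, trust_cert=real_crt, server_name="oidhost")
            return results
        finally:
            genuine.close()
            impostor.close()


if __name__ == "__main__":
    for key_name, outcome in (run_demo() or {}).items():
        print(key_name, outcome)
```

Running it shows mode 1 reporting "handshake ok" against both listeners and mode 2 failing against the impostor with CERTIFICATE_VERIFY_FAILED. Against a real OID the same check is `tls_handshake_check("<servername>", 3133, 2, trust_cert="E:/OIDCertificates/<servername>.crt", server_name="<servername>")`, with the trust_cert being the certificate exported from the selfsigned wallet; Oracle documents OID's mode 1 as "no authentication", which the demo models simply by accepting any certificate.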

 

  • Now create a DIP keystore holding the OID trust certificate, for connecting to OID over SSL. Follow the steps below.
  • Cmd>keytool -importcert -trustcacerts -file E:/OIDCertificates/<servername>.crt -keystore E:/OIDCertificates/dip_keystore
  • Enter a keystore password (you will need the same password again in the WLST step below)
  • Answer yes when asked whether to trust the certificate
  • Keystore dip_keystore is created.
  • Now copy dip_keystore to the <ORACLE_IDM1> location
  • You may check that dip_keystore contains the OID trust certificate with the command below.
  • Cmd> keytool -list -keystore dip_keystore
  • The above command should list the OID certificate.
  • Now store the keystore password in the domain credential store from the WLST prompt (DIP reads it from the map "dip", key "jksKey")
  • Navigate to <ORACLE_IDM1>/common/bin
  • Cmd> <ORACLE_IDM1>\common\bin>./wlst.sh
  • Wls>connect()
  • Provide the weblogic username, password and t3://:7001
  • Wls:/IDMDomain/domainRunTime>createCred(map="dip",key="jksKey",user="jksuser",password="****")
  • The above command stores the password for opening the dip_keystore created in the previous step; the password given here must match the one entered in keytool.
  • Now set the keystore location for DIP
  • Cmd>manageDIPServerConfig set -attribute keystorelocation -value E:/app/ORACLE_IDM1/dip_keystore -h <servername> -p 7005 -D weblogic
  • The above command asks for a password; provide the weblogic password
  • You should see the result "The attribute keystorelocation is successfully changed to <path>"
  • Now go to weblogic –> Servers –> restart wls_ods1
  • Now go to EM –> Identity and Access –> DIP, you should see quartz scheduler and MBean in Green color up and running
  • Now it’s time to setup “Synchronization Profile” on DIP
  • Go to EM –> Identity and Access –> Administration –> Synchronization Profile
  • Click ‘Create’. Don’t enable the profile at this stage.

 

  • Go to the Mappings tab
  • Edit the Domain Mapping Rules. Source Container: cn=users,dc=test,dc=com (confirm this with the TEST domain owners first; if only the GIS Center users are to be synchronized, point it at that specific container DN). DIP-OID Container: <leave the default value>
  • Click on 'Validate all mapping rules'
  • Warnings can be ignored, but errors must be resolved.
  • Now check whether the sync profile is correct by issuing the command below in the same command window where you executed manageDIPServerConfig
  • Cmd> syncProfileBootstrap -host -port 7005 -D weblogic -profile ad2oid3 -lp 5
  • The result should show something like "entries read in bootstrap operation:…"
  • From EM, now enable the profile
  • Make a change in AD now by adding a user or changing a password
  • Go to ODSM and check whether the newly added user is listed
  • EM should also show the count of users successfully synchronized.

 

  • Now add the OID trust certificate to the Oracle Database wallet so that the database's SSL handshake with OID succeeds
  • On the database server go to Start -> Programs -> Oracle-home -> Integrated Management Tools -> Wallet Manager
  • Open the database wallet, choose Operations -> Import Trusted Certificate and navigate to the folder where the exported TrustedServer certificate is
  • Add 'TrustedServer' and save the wallet
  • In EM, set the profile option 'Skip Error to Sync Next Change' to true, so that one bad entry does not stall the whole profile. Entries that fail are still reported as errors in the profile's status and log, so review them rather than assuming everything synchronized.

  • The userPassword and uid synchronized from AD to OID can now be seen in ODSM

  • Now test the connection from SQL*Plus
  • Sqlplus>conn orcladmin/ (the connection should succeed)
  • Sqlplus>conn karun13/ (the connection should succeed)

Note: If you create a new user in AD, the Oracle password filter may not capture the userPassword and replicate it to OID. AD never returns a password on a read, so the filter can only see one at the moment it is changed on the domain controller; the password of a new user (or of a user that existed before the filter was installed) reaches OID only after that user changes his domain password.

This ends the series on OID-AD Synchronization…

Let me know your thoughts
