
Synchronization of Identities from Active Directory to Oracle Internet Directory for Enterprise User Security


Problem Statement:

We want to achieve 2 things:

  1. Synchronize identities between Active Directory (AD) and Oracle Internet Directory (OID), i.e. a user created, edited, updated or deleted in AD should seamlessly be reflected in OID. For the demo, synchronization is only from Active Directory to OID, i.e. changes made in OID will not be reflected in Active Directory
  2. Connect to the Oracle database using domain Active Directory credentials

Few things you should be aware of:

  • For Enterprise User Security to work, the AD username and password must be synchronized into OID
  • AD stores passwords as hashes produced by its native algorithm, which cannot be reversed. Hence, for the synchronization to start, the administrator has to trigger a password change for all users of interest
  • Once a user changes their password or a reset happens, the Oracle Password Filter installed on the AD side creates the password in OID as well.
  • An SSL connection must be established between AD and OID

Prerequisites:

  • Oracle Identity management is installed and configured
  • Enterprise User Security working with OID

High-Level Deployment Diagram:

Here is the high-level deployment diagram.


Software Versions:

  • Oracle Identity Management 11.1.1.5
  • Oracle WebLogic 10.5
  • Oracle Database 11.2.0.2.0
  • Windows Enterprise Server Active Directory

High-level configuration steps:

  • Install Oracle Password Filter on Active Directory
  • Create a new OID instance that has port working on SSL Server Mode 2 (Server authentication mode)
  • Create SSL connection between OID and AD
  • Reset password in Active Directory
  • See if uid and userPassword fields are populated in OID
  • Connect using sqlplus with the AD uid and password. Connection creation should be successful
  • End

Detailed configuration steps:

Configuring new OID Instance

Why do we need a new OID instance?

  • The Oracle database for Enterprise User Security with OID needs a port in “SSL No Authentication Mode 1”.
  • Active Directory, to synchronize AD passwords, needs OID with a port in “SSL Server Authentication Mode 2”
  • To cater to both requirements, we configure another OID instance
  • $> opmnctl createcomponent -componentType OID -componentName oid3 -adminPort 7003 -Db_info "localhost:1521:ORCL"
  • Provide passwords for the ODS and ODSSM users
  • Provide the password for the OID admin user, i.e. orcladmin
  • You should now see an “OID instance created successfully” message. Below is a screenshot taken on Oracle Enterprise Linux for reference


Steps to create new oid instance

  • $> opmnctl status -l
  • You should see the new oid3 instance, which is down
  • Start the new oid3 instance by issuing
  • $> ./opmnctl startproc ias-component=oid3
  • $> ./opmnctl status -l
  • It should show that 2 OID instances are up and running, with the new oid3 instance on different ports (for example 3061 non-SSL, 3132 SSL no-authentication mode)
  • Sql>conn orcladmin/<pwd>
  • Connection should be successful
  • That’s it! Your new oid instance is ready

Steps to configure new OID instance as “SSL Server Auth Mode 2”

  • Make sure to start weblogic server, wls_ods1, wls_oif instances
  • Once your managed servers are up and running go to the Enterprise Manager
  • Go to Oracle Fusion Middleware Enterprise Manager http:// <server>:7001/em
  • OID–>Security–>Wallets
  • Create a new wallet ‘selfsigned’ as shown in screenshots below


  • Go to OID–>Administrator–>Server Settings
  • Restart OID server now by going to Controls–>Restart server
  • SSL configuration for OID is complete now. We need to test the SSL connection
  • Go to http:// <server>:7005/odsm
  • Create a new connection using SSL port 3132. On Test, a pop-up should appear; accept the certificates and click OK. A new SSL connection should then be visible in ODSM.
  • In the ODSM go to the tab “Data Browser”
Note:

In the case of Oracle Internet Directory and Microsoft Active Directory integration, Oracle Internet Directory is the server and Microsoft Active Directory is the client. The Oracle Password Filter for Microsoft Active Directory uses SSL to protect the password during transmission between the Microsoft Active Directory domain controller and the Oracle Internet Directory server.

Active Directory Configuration

Importing OID’s trusted certificate to Active Directory‘s Trust store

  • Log in to Oracle Fusion Middleware Enterprise Manager http:// <server>:7001/em
  • Export the trusted certificate of OID. We will add this to Active Directory for SSL sync
  • Select “Trust” certificate as shown in below screenshot and click on “Export” button
  • Save the certificate in your file system. We will be adding this certificate to Microsoft Active Directory’s trust store.
  • Server-authenticated SSL communication between a Microsoft Active Directory domain controller and Oracle Internet Directory will fail if the domain controller does not recognize the Oracle Internet Directory SSL certificate as valid. In order for a domain controller to accept an Oracle Internet Directory SSL certificate, you must use the Microsoft Management Console to import the certificate authority’s trusted certificate into the domain controller.
  • To use the Microsoft Management Console to import the certificate authority’s trusted certificate into the domain controller:
  1. Select Run from the Windows Start menu. The Run dialog box displays. In the Run dialog box, type mmc, and then click OK. The Microsoft Management Console window displays.
  2. Select Add/Remove Snap-in from the File menu. The Add/Remove Snap-in dialog box displays.
  3. In the Add/Remove Snap-in dialog box, click Add. The Add Standalone Snap-in dialog box displays.
  4. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add. The Certificates snap-in dialog box displays, prompting you to select an option for which the snap-in will manage certificates.
  5. In the Certificates snap-in dialog box, select Computer Account, and then click Next. The Select Computer dialog box displays.
  6. In the Select Computer dialog box, select Local Computer, and then click Finish.
  7. Click Close in the Add Standalone Snap-in dialog box, and then click OK in the Add/Remove Snap-in dialog box. The new console displays Certificates (Local Computer) in the console tree.
  8. In the console tree, expand Certificates (Local Computer), and then click Trusted Root Certification Authority.
  9. Point to All Tasks on the Action menu, and then select Import. The Welcome page of the Certificate Import Wizard displays. Click Next to display the File to Import page.
  10. On the File to Import page, enter the path and file name of the certificate authority’s trusted root certificate, or click Browse to search for a file, and then click Next. The Certificate Store page displays. In this step add the TrustServer certificate we extracted from OID’s EM console’s wallet.
  11. On the Certificate Store page, select Place all certificates in the following store. If Trusted Root Certification Authorities is not already selected as the certificate store, click Browse and select it. Click Next. The Completing the Certificate Import page displays.
  12. On the Completing the Certificate Import page, click Finish. A dialog box displays indicating that the import was successful. Click OK.
  13. Click Save from the File menu. The Save As dialog box displays. Enter a name for the new console, and then click Save.
  14. Close Microsoft Management Console.
  • Now install “Oracle Password Filter” on Microsoft AD
  • Locate the setup.exe file in the <Oracle IDM Patch>/utils/adpwdfilter directory on the Oracle Application Server CD-ROM (Disk 1). Run setup.exe to extract the installation files to a directory on your domain controller. Use the setup.exe from the 64-bit folder if Active Directory is 64-bit; otherwise use the setup.exe outside the 64-bit folder, i.e. at utils/adpwdfilter
  • If AD is 64-bit, set the following environment variable: right-click on System –> Administrative Properties –> Environment Variables –> Path
    • Path=c:\windows\SysWOW64
    • Navigate to the directory where you extracted the installation files and double-click setup.exe. The Welcome page of the Oracle Password Filter for Microsoft Active Directory installation program displays, informing you that the program will install the Oracle Password Filter for Microsoft Active Directory.

To install the Oracle Password Filter for Microsoft Active Directory

  • On the Welcome page, click Next. The Installation Requirements page displays, notifying you that SSL must be enabled between Oracle Internet Directory and Microsoft Active Directory and that installing the Oracle Password Filter for Microsoft Active Directory must restart your computer at the end of the installation process.
  • On the Installation Requirements page, click Next. The Installation Options page displays.
  • On the Installation Options page, select Typical (Recommended)
  • For AD, admin has to provide appropriate values. Below screenshot is only for reference, the values should be Active Directory specific entries.
  • Click Next. The Microsoft Active Directory Domain Controller Information page displays. Provide Active Directory domain username and password. Also define a Log location appropriately.
  • Click Next to continue. The Oracle Internet Directory Configuration Parameters page displays.
  • Click Next to continue. The Oracle Password Filter Configuration Parameters page displays.
  • Click Next to continue. If you chose Advanced on the Installation Options page, the Specify Attributes page displays.
  • Click Next.
  • When prompted whether or not to upload schema extensions to Oracle Internet Directory, always select No. You do not want to upload schema extensions to Oracle Internet Directory because it comes preloaded with the schema extension attributes required for the Microsoft Active Directory Password filter.

The Reboot Domain Controller page displays.

  • After the computer restarts, log in as an administrator.
  • For a 64-bit Active Directory OS, the following extra step needs to be executed
    • Locate the following 2 DLL files in C:\WINDOWS\syswow64 and copy them into C:\WINDOWS\system32
      • Oraidmpwf11.dll
      • Orclmessages.dll
  • Restart Active Directory again
  • Now verify whether the SSL connection between AD and OID is correctly configured:
    • C:\oracle\ADPasswordFilter>ldapbindssl -h gs-db.rolta.com -p 3131 -D cn=orcladmin -w Welcome1

Connecting server in SSL Mode

Checking if SSL is enabled

SSL not enabled.

SSL being enabled…

Binding …

Bind Successful

  • If you see above message then the configuration is successful.
  • You are good to go into next step.
  • Oracle password filter installation is now complete.
Note:

If you have an issue connecting to OID the first time, try adding a hostname-to-IP mapping to the hosts file at c:\windows\system32\drivers\etc\hosts

If you still see the issue connecting to OID over SSL, click Retry and check whether all the entries are correct. For some reason I see that the non-SSL port is wrongly typed as 389 instead of 3060.

Configuring Oracle Directory Integration Platform

SSL Server Authentication Configuration (Mode 2) Steps

  • In Enterprise Manager go to oid1 –> Create Wallet and open ‘selfsigned’. Export the trust store certificate and save it in your file system.
  • Check whether the OID SSL connection works by issuing the command below
  • Cmd>ldapbind -p 3131 -D cn=orcladmin -w Welcome1 -U 2 -W <selfsigned cert path> -P ""
  • The result of the above command should be “bind successful”
  • Go to EM, “Identity and Access” –> dip –> Administration –> Server Properties
  • You will see the OID connect SSL mode “SSL_ENCRYPT (MODE 1)”. This needs to be changed to 2
  • To change to option 2, use below command
  • Cmd> manageDIPServerConfig set -attribute sslmode -h <hostname> -p <ODSM PORT i.e. 7005> -D weblogic -value 2
  • The above command asks for a password; provide the weblogic password.
  • You should see result “The attribute sslmode is successfully changed to 2”
  • Now time to create a DIP keystore for connecting to OID over SSL. Follow below steps.
  • Cmd>keytool -importcert -alias oid-cert -trustcacerts -file TrustedServer -keystore dip_keystore
  • Enter password as say ‘Welcome1’
  • Say yes
  • Keystore dip_keystore successfully created.
  • Now copy the dip_keystore and paste it in <ORACLE_IDM1> location
  • You may check the dip_keystore has the oid trust certificate by issuing below query.
  • Cmd> keytool -list -keystore dip_keystore
  • Above command should list the certificate of OID.
  • Now it’s time to set the password using WLST prompt
  • Navigate to the path <ORACLE_IDM1>/common/bin
  • Cmd> <ORACLE_IDM1>\common\bin>./wlst.sh
  • Wls>connect()
  • Provide weblogic username, password and t3://<hostname>:7001
  • Wls:/IDMDomain/domainRunTime>createCred(map="dip",key="jksKey",user="jksuser",password="Welcome1")
  • Above command should store the password for opening the dip_keystore we created in previous step
  • Now set the keystore location for DIP
  • Cmd>manageDIPServerConfig set -attribute keystorelocation -value <ORACLE_IDM1/dip_keystore> -h <hostname> -p <ODSM PORT> -D weblogic
  • The above command asks for a password; provide the weblogic password
  • You should see result “The attribute keystorelocation is successfully changed to <path>”
  • Now go to weblogic –> Servers –> restart wls_ods1
  • Now go to EM –> Identity and Access –> DIP, you should see quartz scheduler and MBean in Green color up and running
  • Now it’s time to setup “Synchronization Profile” on DIP
  • Go to EM –> Identity and Access –> Administration –> Synchronization Profile
  • Click ‘Create’. Don’t enable the profile at this stage.
  • Go to Mappings Tab
  • Edit Domain Mapping Rules, Source Container: cn=users,dc=test,dc=com, DIP-OID Container: <leave the default value>
  • Click on ‘Validate all mapping rules’
  • Ignore warnings. If errors then they need to be resolved.
  • Now check whether the sync profile is correct by issuing the commands below in the same command window where you executed manageDIPServerConfig
  • Cmd> syncProfileBootstrap -host <hostname> -port 7005 -D weblogic -profile ad2oid3 -lp 5
  • Result should show something like “entries read in bootstrap operation:…”
  • From EM, now enable the policy
  • Make changes in AD now by adding a user or changing the password
  • Go to ODSM and check whether newly added user is listed or not
  • EM should also show the count of users successfully synchronized (see the screenshot below)
  • Now add the OID truststore certificate to the Oracle database wallet for a successful SSL handshake
  • On the database host go to Start –> Programs –> Oracle Home –> Integrated Management Tools –> Wallets
  • Choose Operations –> Import Trusted Certificate and navigate to the folder where TrustedServer is
  • Add ‘TrustedServer’ and save the wallet
  • In EM, set the option ‘skip error to sync next change’ to true.
  • The userPassword and uid attributes synchronized from AD to OID can now be seen in ODSM
  • Now it’s time to test the connection from sqlplus
  • Sqlplus>conn orcladmin/<pwd> – the connection should succeed
  • Sqlplus>conn karun13/<pwd> – the connection should succeed
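A scripted version of the "see if uid and userPassword are populated in OID" check above, added here as an example and not part of the original post: it parses the LDIF that ldapsearch prints and flags entries that were synchronized without a password (the symptom of a user whose AD password has not been reset since the filter was installed). The hostname, SSL port, base container and the sample LDIF are constructed placeholders; the ldapsearch flags mirror the Oracle ldapbind invocation above and are an assumption about your OID client.

```shell
#!/bin/sh
# Added example, not part of the original post. check_sync_ldif reads LDIF
# (as ldapsearch prints it) on stdin and prints one line per entry:
# "<dn> OK" or "<dn> MISSING <attrs>"; exit status is 1 if any entry lacks
# uid or userPassword, the two attributes Enterprise User Security needs.
check_sync_ldif() {
    awk '
    function report() {
        if (dn == "") return
        missing = ""
        if (!has_uid) missing = missing " uid"
        if (!has_pwd) missing = missing " userPassword"
        if (missing == "") print dn " OK"
        else { print dn " MISSING" missing; rc = 1 }
        dn = ""; has_uid = 0; has_pwd = 0
    }
    /^dn: /          { report(); dn = substr($0, 5); next }
    /^uid: /         { has_uid = 1; next }
    /^userPassword:/ { has_pwd = 1; next }   # also matches "userPassword::" (base64)
    /^$/             { report() }
    END              { report(); exit rc }
    '
}

# check_oid_sync HOST SSLPORT BASE PASSWORD: query a live OID with Oracle
# ldapsearch over SSL no-authentication mode (-U 1, assumed to match the
# ldapbind flags used above) and pipe the result through check_sync_ldif.
check_oid_sync() {
    ldapsearch -h "$1" -p "$2" -U 1 -D cn=orcladmin -w "$4" -b "$3" -s sub \
        '(objectclass=inetorgperson)' uid userPassword | check_sync_ldif
}

# Constructed sample LDIF standing in for ldapsearch output: karun13 has both
# attributes; alice was synchronized before her AD password was reset.
SAMPLE_LDIF='dn: cn=karun13,cn=users,dc=test,dc=com
cn: karun13
uid: karun13
userPassword:: e3BsYWNlaG9sZGVyLWhhc2h9

dn: cn=alice,cn=users,dc=test,dc=com
cn: alice
uid: alice
'

# check_sample runs the parser over the constructed LDIF (used when no host is given).
check_sample() { printf '%s' "$SAMPLE_LDIF" | check_sync_ldif; }

if [ "$#" -eq 4 ]; then check_oid_sync "$@"; else check_sample || echo "some entries are incomplete"; fi
```

Run it with four arguments against the real oid3 instance once the profile has been enabled; with no arguments it demonstrates the parser on the constructed sample.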