4 Managing the Oracle Directory Integration Platform
This chapter discusses the Oracle Directory Integration Platform and explains how to configure and manage it. It contains these topics:
■ Operational Information About the Oracle Directory Integration Platform
■ Viewing Oracle Directory Integration Platform Status and Registration Information
■ Managing Oracle Directory Integration Platform Using Fusion Middleware Control
■ Starting and Stopping Oracle Directory Integration Platform Using WLST
■ Managing Oracle Directory Integration Platform Using manageDIPServerConfig
■ Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication
■ Managing the SSL Certificates of Oracle Internet Directory and Connected Directories
■ Oracle Directory Integration Platform in a High Availability Scenario
■ Managing Oracle Directory Integration Platform in a Replicated Environment
4.1 Operational Information About the Oracle Directory Integration Platform
This section introduces structural and operational information about the Oracle Directory Integration Platform and contains these topics:
■ Directory Integration Profiles
■ Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
See Also: "Oracle Directory Integration Platform" on page 1-4 for a summary of the functions performed by the Oracle Directory Integration Platform
Note: For security reasons, Oracle recommends that you run the Oracle Directory Integration Platform on the same host as the Oracle Internet Directory. If you run Oracle Directory Integration Platform and Oracle Internet Directory on different hosts, Oracle recommends running them using SSL, as described in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
4.1.1 Directory Integration Profiles
In Oracle Directory Integration Platform, you can create two types of profiles: a directory synchronization profile and a directory provisioning profile. A directory synchronization profile describes how synchronization is carried out between Oracle Internet Directory and an external system. You can create two types of directory synchronization profiles: an import profile and an export profile. An import profile imports changes from a connected directory to Oracle Internet Directory while an export profile exports changes from Oracle Internet Directory to a connected directory.
A directory provisioning profile describes the nature of provisioning-related notifications that Oracle Directory Integration Platform sends to the directory-enabled applications. Sometimes a provisioning profile is also configured to notify Oracle Internet Directory about the changes happening in the application's data source.
Each type of profile is a special kind of directory integration profile, which is an entry in Oracle Internet Directory that describes how Oracle Directory Integration Platform communicates with external systems and what is communicated.
4.1.2 Oracle Directory Integration Platform Event Propagation in a Multimaster Oracle Internet Directory Replication Environment
In a multimaster Oracle Internet Directory replication environment, changes to directory integration profiles on one Oracle Internet Directory node are not automatically replicated on other Oracle Internet Directory nodes. For this reason, you must observe the considerations that are outlined in this section when you implement Oracle Directory Integration Platform in a multimaster Oracle Internet Directory replication environment.
4.1.2.1 Directory Synchronization in an Oracle Internet Directory Multimaster Replication Environment
Because directory synchronization profiles on a primary Oracle Internet Directory node are not automatically replicated to secondary Oracle Internet Directory nodes, you should manually copy the profiles on the primary node to any secondary nodes on a periodic basis. This allows a directory synchronization profile to execute on a secondary node in the event of a problem on the primary node. However, the value assigned to the orcllastappliedchangenumber attribute in a directory synchronization profile is local to the Oracle Internet Directory node where the profile is located. This means that if you copy a directory synchronization profile from one Oracle Internet Directory node to another, the correct state of synchronization or event propagation will not be preserved.
When copying import profiles from one node to another, the lastchangenumber attribute is irrelevant because the value is obtained from the connected directory.
However, after copying an export profile to a target node, you must update the lastchangenumber attribute with the value from the target node, as follows:
1. Disable the synchronization profile.
2. Get the value of the lastchangenumber attribute on the target node using the ldapsearch command.
3. Use ldapsearch to get the LDIF dump of the profile entry.
4. Use ldapadd to add the profile to the other Oracle Internet Directory instance.
5. Use the updatechgnum operation of the manageSyncProfiles command to update the lastchangenumber attribute in the export profile you copied to the target node with the value you obtained in Step 2.
6. Enable the synchronization profile.
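The six steps above, as an added example script that is not Oracle's code. It assumes the profile entry DN form orclodipagentname=NAME,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory, that the Oracle Internet Directory root DSE publishes lastchangenumber, that manageSyncProfiles accepts deactivate, activate and updatechgnum with -pf and -value, and that ldapsearch -L prints LDIF; verify each against your release. Hosts, ports, the WebLogic user and the profile name are placeholders. The two helper functions (pulling the change number out of ldapsearch output and stripping operational attributes from the LDIF dump before ldapadd) run stand-alone; the driver only runs when given its seven arguments.

```shell
#!/bin/sh
# Added example, not Oracle's code: copy an export synchronization profile
# from a primary OID node to a secondary node and reset its change number to
# the TARGET node's change log position (steps 1-6 of the procedure).
# Assumptions (verify against your release): profile DN form, root DSE
# lastchangenumber, manageSyncProfiles operations/flags, ldapsearch -L.

# Print the value of the first "lastchangenumber: N" line read on stdin
# (attribute names are case-insensitive in LDAP output).
extract_change_number() {
    awk 'tolower($1) == "lastchangenumber:" { print $2; exit }'
}

# Drop operational attributes that OID sets itself and rejects on ldapadd,
# so the LDIF dump of the profile entry can be replayed on the other node.
scrub_profile_ldif() {
    awk 'BEGIN {
             skip["createtimestamp:"] = 1; skip["modifytimestamp:"] = 1
             skip["creatorsname:"]    = 1; skip["modifiersname:"]   = 1
             skip["orclguid:"]        = 1
         }
         !(tolower($1) in skip)'
}

# copy_export_profile NAME SRC_HOST SRC_PORT DST_HOST DST_PORT WLS_HOST WLS_PORT
# WLS_HOST:WLS_PORT is the DIP managed server registered against the target
# node. Every bind prompts for its password (-q); nothing goes on the command line.
copy_export_profile() {
    profile=$1 src_host=$2 src_port=$3 dst_host=$4 dst_port=$5 wls_host=$6 wls_port=$7
    bind="cn=orcladmin"                       # placeholder bind DN
    msp="$ORACLE_HOME/bin/manageSyncProfiles"
    dn="orclodipagentname=$profile,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory"
    # 0600 from creation: the dump may hold connected-directory credentials.
    ldif=$(umask 077 && mktemp "${TMPDIR:-/tmp}/$profile.XXXXXX") || return 1

    # 1. Disable the profile.
    "$msp" deactivate -h "$wls_host" -p "$wls_port" -D weblogic -pf "$profile" || return 1

    # 2. Change log position of the TARGET node; the copied export profile
    #    must resume from here, not from the source node's number.
    target_chgnum=$(ldapsearch -h "$dst_host" -p "$dst_port" -D "$bind" -q \
        -b "" -s base "objectclass=*" lastchangenumber | extract_change_number)
    [ -n "$target_chgnum" ] || { echo "no lastchangenumber from $dst_host" >&2; return 1; }

    # 3. LDIF dump of the profile entry on the source node.
    ldapsearch -h "$src_host" -p "$src_port" -D "$bind" -q -L \
        -b "$dn" -s base "objectclass=*" | scrub_profile_ldif > "$ldif" || return 1

    # 4. Add it to the target node, then remove the dump whatever happened.
    ldapadd -h "$dst_host" -p "$dst_port" -D "$bind" -q -f "$ldif"
    status=$?
    rm -f "$ldif"
    [ "$status" -eq 0 ] || return "$status"

    # 5. Set orcllastappliedchangenumber on the copy to the target's value.
    "$msp" updatechgnum -h "$wls_host" -p "$wls_port" -D weblogic \
        -pf "$profile" -value "$target_chgnum" || return 1

    # 6. Re-enable the profile.
    "$msp" activate -h "$wls_host" -p "$wls_port" -D weblogic -pf "$profile"
}

if [ "$#" -eq 7 ]; then
    copy_export_profile "$@"
fi
```

Run it as copy_export_profile.sh PROFILE SRC_HOST SRC_PORT DST_HOST DST_PORT WLS_HOST WLS_PORT with ORACLE_HOME set; each ldapsearch, ldapadd and manageSyncProfiles call prompts for its password, in line with the password guidance given for the DIP commands later in this chapter.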
4.1.2.2 Directory Provisioning in an Oracle Internet Directory Multimaster Replication Environment
In a default multimaster Oracle Internet Directory replication environment, the Oracle Directory Integration Platform is installed in the same location as the primary Oracle Internet Directory. If the primary node fails, event propagation stops for all profiles located on the node. Although the events are queued and not lost while the primary node is stopped, the events will not be propagated to any applications that expect them. To ensure that events continue to be propagated even when the primary node is down, you must copy the version 1.0 and version 2.0 directory provisioning profiles to other secondary nodes in a multimaster Oracle Internet Directory environment.
Version 3.0 directory provisioning profiles are automatically replicated.
To copy the directory provisioning profiles from a primary node to any secondary nodes, use the update operation of the manageSyncProfiles command.
Note: Directory provisioning profiles should be copied from the primary node to any secondary nodes only immediately after an application is installed and before any user changes are made in Oracle Internet Directory.
See Also: The Oracle Directory Integration Platform chapter of Oracle Identity Management User Reference for more information on the manageSyncProfiles command.
4.2 Viewing Oracle Directory Integration Platform Status and Registration Information
This topic explains how to view Oracle Directory Integration Platform status and registration information and contains the following sections:
■ Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
■ Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
4.2.1 Viewing the Status of Oracle Directory Integration Platform Using the dipStatus Utility
The dipStatus utility, located in the ORACLE_HOME/bin directory, allows you to check the status of Oracle Directory Integration Platform and whether or not it is registered.
4.2.1.1 Syntax for dipStatus
dipStatus
dipStatus -h HOST -p PORT -D wlsuser [-ssl -keystorePath PATH_TO_KEYSTORE -keystoreType TYPE] [-help]
4.2.1.2 Arguments for dipStatus
-h | -host
Oracle WebLogic Server where Oracle Directory Integration Platform is deployed.
-p | -port
Listening port of the Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed.
-D | -wlsuser
Oracle WebLogic Server login ID.
-ssl
Executes the command in SSL mode.
Notes:
■ You will be prompted for the Oracle WebLogic Server login password. You cannot provide the password as a command-line argument.
■ Best security practice is to provide a password only in response to a prompt from the command. If you must execute dipStatus from a script, you can redirect input from a file containing the Oracle WebLogic Server password. Use file permissions to protect the file and delete it when it is no longer necessary.
■ You must set the WLS_HOME and ORACLE_HOME environment variables before executing any of the Oracle Directory Integration Platform commands.
■ The Oracle WebLogic Managed Server where Oracle Directory Integration Platform is deployed must be configured for SSL to execute this command in SSL mode. Refer to the Configuring SSL chapter in Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
-keystorePath
The full path to the keystore.
-keystoreType
The type of the keystore identified by -keystorePath. For example: -keystoreType jks or -keystoreType PKCS12
-help
Provides usage help for the command.
4.2.1.3 Examples for dipStatus
dipStatus -h myhost.mycompany.com -p 7005 -D login_ID
dipStatus -help
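The notes above allow a scripted dipStatus run only by redirecting stdin from a password file that is permission-protected and deleted afterwards. The following added example (not Oracle's code) is one way to do that without the password ever appearing on a command line, in shell history or in a world-readable file: the password arrives on the function's own stdin, for instance piped from a secret store's command-line client (which store is an assumption and is not named), is written to a temporary file created with mode 0600, is fed to the command, and is removed even if the command is interrupted. The dipStatus invocation in the comment uses the placeholder host, port and login ID from the examples above.

```shell
#!/bin/sh
# Added example, not Oracle's code: run a DIP command that only accepts its
# WebLogic password from a prompt, from a script, by redirecting stdin from a
# protected temporary file as the notes for dipStatus describe.

# run_with_password_file COMMAND [ARGS...]
# The password is read from this function's stdin (e.g. piped from your
# secret store's CLI, assumed here) and never placed on the command line.
run_with_password_file() {
    # umask 077 applies only inside the subshell, so the file is 0600 from birth.
    pwfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/dippw.XXXXXX") || return 1
    # Remove the file even if the command is interrupted or killed.
    trap 'rm -f "$pwfile"' EXIT INT TERM
    cat > "$pwfile"
    # Run the command with the password file as its stdin; keep its exit status.
    if "$@" < "$pwfile"; then status=0; else status=$?; fi
    rm -f "$pwfile"
    trap - EXIT INT TERM
    return "$status"
}

# Intended use (secret-store-cli and the WebLogic login ID are placeholders):
#   secret-store-cli get dip/weblogic-password |
#       run_with_password_file "$ORACLE_HOME/bin/dipStatus" \
#           -h myhost.mycompany.com -p 7005 -D login_ID
```

The same wrapper serves any of the Oracle Directory Integration Platform commands in this chapter that refuse a password argument, since they all read the password from standard input when it is redirected.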
4.2.2 Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility
To view registration information for the Oracle Directory Integration Platform component using the ldapsearch utility, perform a base search on its entry. For example:
ldapsearch -p 3060 -h my_host -D binddn -q \
  -b "cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext" \
  -s base "objectclass=*"
This example search returns the following. Note that the output includes the hashed credentials of the registration entry, so treat it as sensitive:
Dn: cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext
userpassword: {SHA}+vk5wSvnVoXCBCRyBWJnH0S33zc=
orclaci: access to entry by self (add,delete,browse,proxy); access to attr=(*) by self (search,read,write,compare)
orclversion: 3.0
cn: odisrv
objectclass: orclodiserver; top;
authpassword;oid: {SASL/MD5}2NOnGTWkSP9c1w7R/o9Djw==
{SASL/MD5-DN}ezUTC3k7rSL41ZxdxhlXxw==;{SASL/MD5-U}kEQcl+/AZEXVukeA5YPnog==
4.3 Managing Oracle Directory Integration Platform Using Fusion Middleware Control
This section describes how to use Oracle Enterprise Manager Fusion Middleware Control to manage Oracle Directory Integration Platform. It contains these topics:
■ Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
■ Starting Oracle Directory Integration Platform with Fusion Middleware Control
■ Stopping Oracle Directory Integration Platform with Fusion Middleware Control
■ Managing the Oracle Directory Integration Platform Server Configuration
■ Managing Oracle Directory Integration Platform Logging Using Fusion Middleware Control
■ Auditing Oracle Directory Integration Platform Using Fusion Middleware Control
4.3.1 Viewing Oracle Directory Integration Platform Runtime Information Using Fusion Middleware Control
To view runtime information for the Oracle Directory Integration Platform component using Oracle Enterprise Manager Fusion Middleware Control:
1. Open a Web browser and enter the Oracle Enterprise Manager Fusion Middleware Control URL for your environment. The format of the Oracle Enterprise Manager Fusion Middleware Control URL is: https://host:port/em.
2. Log in to Oracle Enterprise Manager Fusion Middleware Control.
3. In the navigation panel on the left, click or expand the Identity and Access entry