Oracle® Fusion Middleware Release Notes 11g Release 1 (11.1.1) for Linux x86 Part Number E10133-04
This chapter describes issues associated with Oracle Directory Integration Platform. It includes the following topics:
This section describes general issues and workarounds. It includes the following topics:
Non-LDAP Profiles Must Be Created and Managed Using manageSyncProfiles
syncProfileBootstrap Not Supported for SSL Mode 2 Server-Only Authentication
DIP Tester Utility Not Currently Supported for 11g Release 1 (11.1.1)
Validate All Map Rules Feature Not Supported in SSL Mode 2 - Server Only Authentication
Erroneous Exception or Error Messages When Deleting and Deregistering Profiles After Upgrade
When configuring Oracle Directory Integration Platform against an existing Oracle Internet Directory—using either the installer's Install and Configure installation option or the Oracle Identity Management 11g Release 1 (11.1.1) Configuration Wizard—you must specify the hostname for Oracle Internet Directory using only its fully qualified domain name (such as myhost.example.com). Do not use localhost as the Oracle Internet Directory hostname even if Oracle Directory Integration Platform and Oracle Internet Directory are collocated on the same host.
If you use localhost as the Oracle Internet Directory hostname, you will not be able to start the Oracle WebLogic Managed Server hosting Oracle Directory Integration Platform.
All non-LDAP synchronization profiles, such as for databases, must be created and managed using the manageSyncProfiles command-line utility. Do not attempt to create or manage non-LDAP synchronization profiles using Fusion Middleware Control.
The syncProfileBootstrap utility, which performs the initial migration of data between a connected target directory and Oracle Internet Directory based on a synchronization profile or LDIF file, is not supported for SSL mode 2 (Server-Only Authentication).
The syncProfileBootstrap utility is supported only for SSL mode 0 (No SSL) and SSL mode 1 (No Authentication).
At the time of publication of these Release Notes, the DIP Tester utility is not supported for Oracle Directory Integration Platform 11g Release 1 (11.1.1).
Monitor My Oracle Support (formerly MetaLink) for updates regarding DIP Tester support for Oracle Directory Integration Platform 11g Release 1 (11.1.1). You can access My Oracle Support at http://metalink.oracle.com.
While the DIP Tester utility is not currently supported for Oracle Directory Integration Platform 11g Release 1 (11.1.1), you can use the manageSyncProfiles command and its testProfile operation to test a disabled synchronization profile to ensure it will successfully perform synchronization. Refer to the "Managing Synchronization Profiles Using manageSyncProfiles" section in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management for more information about the testProfile operation.
The Validate All Map Rules feature, available on a synchronization profile's Mapping tab in Fusion Middleware Control, is not supported for profiles configured to use SSL Mode 2 - Server Only Authentication. Do not use the Validate All Map Rules feature if the profile is configured for SSL Mode 2 - Server Only Authentication.
Note:
The Validate All Map Rules feature is supported for profiles configured for SSL Mode 0 - No SSL.
After upgrading Oracle Directory Integration Platform to 11g Release 1 (11.1.1), you may see exception messages after deregistering a profile using the manageSyncProfiles command-line utility or after deleting a profile using Fusion Middleware Control. These messages are erroneous and can be ignored, as the profile is deleted despite the exception or error message that appears.
This section describes configuration issues and their workarounds. It includes the following topics:
Controlling the Frequency of DBConnection Failure Exceptions in Log Files
Foreign Security Principal File for Microsoft Active Directory Not Included
If Oracle Directory Integration Platform cannot communicate with the database for Oracle Internet Directory, DBConnection failure exceptions are written to the Oracle Directory Integration Platform log file. You can control the frequency of these exceptions by using the manageDIPServerConfig command-line utility to adjust the quartzdbretryinterval parameter. This parameter determines how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the database. For example:
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
-attr quartzdbretryinterval -val 30
Oracle Directory Integration Platform components must be configured with the correct Oracle Internet Directory host, port, and SSL mode connection information to be visible in the Fusion Middleware Control interface. You can view these configuration settings using the manageDIPServerConfig command-line utility and its list operation. If you find any errors, you can update the settings using manageDIPServerConfig and its set operation.
The foreign security principal file for Microsoft Active Directory, activeimp.cfg.fsp, that was included in Oracle Directory Integration Platform Release 10g, is not included in 11g Release 1 (11.1.1). This file is required if you are synchronizing entries from multiple domain controllers and also global groups involving foreign security principals as members. The activeimp.cfg.fsp should be in the $ORACLE_HOME/ldap/odi/conf/ directory.
To work around this issue, create the activeimp.cfg.fsp file by opening a text file and entering the following information:
Note:
In the following example, DOMAIN_B and DOMAIN_C represent the trusted domains for DOMAIN_A. PROFILE_NAME_FOR_DOMAIN_B and PROFILE_NAME_FOR_DOMAIN_C represent the profiles used to synchronize domains B and C respectively.
[INTERFACEDETAILS]
Reader: oracle.ldap.odip.gsi.ActiveReader
[TRUSTEDPROFILES]
prof1: PROFILE_NAME_FOR_DOMAIN_B
prof2: PROFILE_NAME_FOR_DOMAIN_C
[FSPMAXSIZE]
val: 1000
This section describes documentation errata. It includes the following topics:
Correction for Adding Mapping Plug-Ins When Extending Mappings Using Custom Plug-ins
Missing Documentation for Detecting and Removing an Expired Certificate
Missing Information for quartzdbretryinterval Parameter in manageDIPServerConfig Documentation
Correction for Oracle Directory Integration Platform Installation Options
Clarification for Directory Synchronization Service Terminology
Correction for Location of Sample Bootstrapping Parameter Files
Correction for Example of One-to-One Distinguished Name Mapping
Corrections for Supported Attribute Mapping Rules and Examples Documentation
Correction for Tasks After Configuring with a Third-Party Directory Documentation
Correction for Installing the Oracle Password Filter for Microsoft Active Directory
The location for the Oracle Directory Integration Platform log file that is documented in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management is incorrect.
The correct location of the Oracle Directory Integration Platform log file is:
MW_HOME/user_projects/domains/DOMAIN_NAME/servers/NAME_OF_MANAGED_SERVER/logs/NAME_OF_MANAGED_SERVER-diagnostic.log
The Oracle Fusion Middleware Integration Guide for Oracle Identity Management contains some incorrect references for the path to the user_projects directory. The user_projects directory is located under the MW_HOME directory, where MW_HOME represents the root directory where Oracle Fusion Middleware is installed.
In Chapter 4, "Managing the Oracle Directory Integration Platform," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the procedure for "Configuring Oracle Directory Integration Platform for SSL Mode 2 Server-Only Authentication" requires a clarification.
Step 8 should be as follows:
Use the keytool to put the certificate in the java keystore. You can find keytool in the $JAVA_HOME/bin directory. For example:
keytool -importcert -trustcacerts -alias ALIAS -file PATH_TO_CERTIFICATE \
-keystore LOCATION_OF_JKS_FILE
In Chapter 17, "Configuring Synchronization with a Third-Party Directory," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the procedure for "Configuring the Third-Party Directory Connector for Synchronization in SSL Mode" is incorrect.
The correct procedure is as follows:
Generate a certificate for the connected directory. Only the trust point certificate from the server is required. Put the certificate in the connected directory's certificate store.
Export the trusted Certificate Authority (CA) certificates to Base 64 encoded format.
Import the trusted CA certificates to the Java KeyStore (JKS) using the keytool command. If Oracle Directory Integration Platform is already using an existing JKS, identify the location of it using the -keystore PATH_TO_JKS option. If Oracle Directory Integration Platform does not already have a JKS to use, keytool will create one at the location identified by the -keystore PATH_TO_JKS option.
For example:
keytool -importcert -trustcacerts -alias mycert -file PATH_TO_CERTIFICATE \
-keystore PATH_TO_JKS
If this is the first time you are using the JKS identified by the -keystore PATH_TO_JKS option, you must provide its password and also perform the following steps a and b:
Update the Directory Integration Platform configuration with the location and password used in step 3 by using the manageDIPServerConfig command. For example:
manageDIPServerConfig set -h HOST -p PORT -D WLS_USER \
-attribute keystorelocation -value PATH_TO_CERTIFICATE
Update the credential in the Credential Store Framework (CSF) using the following WLST command and replacing the PASSWORD variable with the password used when the keystore was created:
createCred(map="dip", key="jksKey", user="jksUser", password="PASSWORD", desc="jks password")
Modify the third-party directory connection information, including the host name, profile, and connectedDirectoryURL attribute, using the modify operation of the manageSyncProfiles command.
manageSyncProfiles update -profile profile_name -file myMapFile
When you configure the connectedDirectoryURL attribute, use the following format:
host:port:sslmode
Supported values for sslmode are as follows:
Table 26-1 Supported Values for sslmode in connectedDirectoryURL Attribute
Supported sslmode Value | Description
---|---
0 | No SSL mode. Supported for all directory types.
1 | No Authentication mode. No certificate. Supported only for Oracle Internet Directory.
2 | Server-Only Authentication mode. Requires certificate. Supported for all directory types.
If you used a new JKS in step 3, you must restart the Oracle Directory Integration Platform in SSL mode. If you used an existing JKS in step 3, go to step 6 now.
Add a test user and verify that it synchronizes successfully. If the test user does not synchronize successfully, then troubleshoot your SSL configuration.
Note:
The Oracle Directory Integration Platform does not support SSL in client/server authentication mode.
In Chapter 6, "Configuring Directory Synchronization," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the procedure for adding mapping plug-ins when extending mappings using custom plug-ins is incorrect.
The following is the correct procedure:
Copy the mapping plug-in JAR file to the following location on the Oracle Directory Integration Platform component.
On UNIX systems:
MW_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/stage/DIP/11.1.1.1.0/DIP/APP-INF/lib/
On Windows systems:
MW_HOME\user_projects\domains\DOMAIN_NAME\servers\MANAGED_SERVER_NAME\tmp\_WL_user\DIP_11.1.1.1.0\RANDOM_CHARACTERS\APP-INF\lib\
Note:
On Windows systems, the Java ClassLoader locks jar files it has loaded classes from, which prevents you from overwriting jar files in exploded applications. Copying the mapping plug-in JAR file to the directory described above on Windows systems allows you to overwrite jar files in exploded applications.
Restart the WebLogic Managed Server hosting Oracle Directory Integration Platform.
The Oracle Fusion Middleware Integration Guide for Oracle Identity Management does not include information about detecting and removing an expired certificate. Use the keytool utility in the $JAVA_HOME/bin directory to manage Oracle Directory Integration Platform certificates.
To list the valid dates for a trusted certificate in the keystore, execute the keytool utility as follows:
$JAVA_HOME/bin/keytool -list -v -keystore PATH_TO_KEYSTORE
To delete a trusted certificate from the keystore, execute the keytool utility as follows:
$JAVA_HOME/bin/keytool -delete -alias mycert -keystore PATH_TO_KEYSTORE
Note:
You will be prompted for the password to the keystore while executing these commands.
For general information about certificate expiration, see Chapter 7, "Managing Keystores, Wallets, and Certificates," of the Oracle Fusion Middleware Administrator's Guide.
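The expiry check described above can be automated. The following Python script is added here as an illustration and is not part of the release notes or of the DIP product: it parses the "Valid from: ... until: ..." lines that keytool -list -v prints, flags trusted entries that have expired or are about to, and prints the removal command from these notes for the expired ones. The keytool output sample is constructed, and the alias names and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output: two trusted entries, one expired.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS

Alias name: adcert
Entry type: trustedCertEntry
Owner: CN=ad.example.com, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jan 05 10:00:00 GMT 2009 until: Tue Jan 05 10:00:00 GMT 2010

*******************************************

Alias name: tivolicert
Entry type: trustedCertEntry
Owner: CN=tds.example.com, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Valid from: Mon Jun 01 09:30:00 GMT 2009 until: Fri Jun 01 09:30:00 GMT 2012
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")

def parse_keytool_date(text):
    """keytool prints "Mon Jan 05 10:00:00 GMT 2009"; strptime's %Z accepts only a few
    zone names, so the zone token is dropped and the rest parsed as a naive timestamp."""
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_keytool_listing(output):
    """Return [(alias, not_before, not_after), ...] from `keytool -list -v` output."""
    entries, alias = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = VALID_RE.match(line)
        if m and alias:
            entries.append((alias, parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2))))
    return entries

def classify_certificates(output, now, warn_days=30):
    """Map alias -> 'expired' | 'expiring' | 'ok' relative to `now` (datetime or ISO date string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    status = {}
    for alias, _, not_after in parse_keytool_listing(output):
        if not_after < now:
            status[alias] = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status[alias] = "expiring"
        else:
            status[alias] = "ok"
    return status

def keytool_delete_command(alias, keystore):
    """The removal command from these release notes, with the alias filled in."""
    return f"$JAVA_HOME/bin/keytool -delete -alias {alias} -keystore {keystore}"

if __name__ == "__main__":
    # Fixed reference date so the constructed sample gives a stable result.
    for alias, state in classify_certificates(SAMPLE_KEYTOOL_OUTPUT, "2010-03-01").items():
        print(alias, state)
        if state == "expired":
            print("  remove with:", keytool_delete_command(alias, "PATH_TO_KEYSTORE"))
```

Against a real keystore, pipe the output of $JAVA_HOME/bin/keytool -list -v -keystore PATH_TO_KEYSTORE into classify_certificates and review any entry reported as expired before deleting it.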
In Chapter 3, "Administering Oracle Directory Integration Platform," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Using Fusion Middleware Control" procedure contains an error.
Step 2 currently states: "In the left panel topology tree, expand the farm, then Fusion Middleware, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Directory Integration Platform components are listed in both places." However, there is no Fusion Middleware entry in the left panel topology tree, though there is a Fusion Middleware entry on the farm home page.
The correct step 2 is: "In the left panel topology tree, expand the farm, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Directory Integration Platform components are listed in both places."
In Chapter 4, "Managing the Oracle Directory Integration Platform," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Viewing Oracle Directory Integration Platform Registration Information Using the ldapsearch Utility" section contains an error.
The example command to view registration information for the Oracle Directory Integration Platform component using the ldapsearch utility is missing the required objectclass option.
The correct command to view registration information for the Oracle Directory Integration Platform component using the ldapsearch utility is the following:
ldapsearch -p 3060 -h my_host -D binddn -q -b "cn=odisrv,cn=Registered Instances,cn=Directory Integration Platform,cn=Products,cn=OracleContext" -s base "objectclass=*"
In Chapter 4, "Managing the Oracle Directory Integration Platform," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Managing Oracle Directory Integration Platform Using manageDIPServerConfig" section does not include information about the quartzdbretryinterval parameter.
You can use the manageDIPServerConfig command-line utility to manage the quartzdbretryinterval parameter, which controls how often Oracle Directory Integration Platform's Quartz scheduler attempts to reconnect to the Oracle Internet Directory database. For example:
manageDIPServerConfig set -h myhost.mycompany.com -p 7005 -D login_ID \
-attr quartzdbretryinterval -val 30
In Chapter 1, "Introduction to Oracle Identity Management Integration," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Oracle Identity Management Installation Options" section contains the following statement:
"By default, Oracle Directory Integration Platform is installed as part of Oracle Directory Services."
Oracle Directory Integration Platform is not installed by default as part of Oracle Directory Services as the document states. Oracle Directory Integration Platform can be installed simultaneously with other Oracle Identity Management components or by itself. To install Oracle Directory Integration Platform by itself, an Oracle Internet Directory component must already be installed.
Refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for complete information about installing Oracle Directory Integration Platform.
The Oracle Fusion Middleware Integration Guide for Oracle Identity Management uses the terms "Oracle Directory Synchronization Service" and "Oracle Directory Integration Platform Synchronization Service" in several places. These terms are a general reference to the DIPSync Enterprise JavaBean (EJB).
In Chapter 9, "Synchronizing with Relational Database Tables," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, Table 9-1, "Directory Integration Profile for TESTDBIMPORT" lists attributes and values for the example TESTDBIMPORT integration profile. Table 26-2 contains clarifications for two attributes and values:
Table 26-2 Clarifications for Directory Integration Profile for TESTDBIMPORT
Attribute | Value
---|---
Advanced Configuration Information ( | Maintains configuration details which are not individually maintained in LDAP attributes.
Mapping File ( | Attribute for storing mapping rules.
In Chapter 6, "Configuring Directory Synchronization," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Configuring Mapping Rules" section contains the following two errors:
The following information included in the section is incorrect:
"Mapping rules are organized in a fixed, tabular format, and you must follow that format carefully. Each set of mapping rules appears between a line containing only the word DomainRules and a line containing only three number signs (###)."
The correct information is:
Mapping rules are organized in a fixed, tabular format, and you must follow that format carefully. Each set of mapping rules appears between a line containing only the word DomainRules or AttributeRules and a line containing only three number signs (###).
In the "Attribute-Level Mapping" sub-section, the document states: "In a newly created synchronization profile, mapping rules are empty."
This is incorrect, as newly created synchronization profiles contain attribute mapping rules by default.
The Oracle Fusion Middleware Integration Guide for Oracle Identity Management states that sample bootstrapping parameter files are located in the $ORACLE_HOME/ldap/odi/samples/ directory. This is incorrect.
The sample bootstrapping parameter files are located in the $ORACLE_HOME/ldap/odi/conf/ directory.
In Chapter 17, "Configuring Synchronization with a Third-Party Directory," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory" section requires clarification.
The section states the following: "To synchronize passwords from Oracle Internet Directory to a third-party directory, you must enable the password policy and reversible password encryption in the Oracle Internet Directory server."
To clarify, you must enable reversible password encryption in the Oracle Internet Directory server only if the hashing algorithm between Oracle Internet Directory and the third-party directory is incompatible or unsupported.
For example, IBM Tivoli Directory Server and Sun Java System Directory Server support similar hashing algorithms as Oracle Internet Directory. Therefore, to synchronize passwords from Oracle Internet Directory to IBM Tivoli Directory Server or Sun Java System Directory Server, you must enable only the password policy in the Oracle Internet Directory server.
However, to synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or Novell eDirectory, which both do not support similar hashing algorithms as Oracle Internet Directory, you must enable the password policy and reversible password encryption in the Oracle Internet Directory server.
Refer to the "Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory" section in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management for more information.
Example 6–2, "Example of One-to-One Distinguished Name Mapping," in Chapter 6, "Configuring Directory Synchronization," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, contains an error.
The example includes the following text:
If you plan to synchronize the entry cn=groups,dc=us,dc=mycompany,dc=com under cn=users,dc=us,dc=mycompany,dc=com then the domain mapping rule is as follows:
cn=groups,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com
This example domain mapping rule is incorrect. The following is the correct domain mapping rule to synchronize the entry cn=groups,dc=us,dc=mycompany,dc=com under cn=users,dc=us,dc=mycompany,dc=com:
cn=groups,dc=us,dc=mycompany,dc=com:cn=groups,cn=users,dc=us,dc=mycompany,dc=com
In Chapter 6, "Configuring Directory Synchronization," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the following corrections are needed for the "Supported Attribute Mapping Rules and Examples" section:
truncl(str, char): Truncates the string up to and including the first occurrence of the specified char. For example:
mail : : : : uid : : inetorgperson : truncl(mail,'@')
truncr(str, char): Truncates everything in the string that appears on the right side of the specified char. For example:
mail : : : : uid : : inetorgperson : truncr(mail,'@')
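The following Python script is an added illustration, not code from the guide or the DIP product, serving both the one-to-one domain mapping erratum above and the truncl/truncr definitions in this section: it parses a constructed mapping file in the DomainRules/AttributeRules format (each rule set ends with a ### line), applies the corrected domain rule beside the erroneous one so the difference is visible, and implements truncl and truncr as defined here. The mapping-file sample, the entry values and the helper names are assumptions.

```python
import re

# Constructed mapping file: each rule set sits between a line holding only
# DomainRules or AttributeRules and a line holding only ###.
SAMPLE_MAP_FILE = """\
DomainRules
cn=groups,dc=us,dc=mycompany,dc=com:cn=groups,cn=users,dc=us,dc=mycompany,dc=com
###
AttributeRules
mail : : : : uid : : inetorgperson : truncr(mail,'@')
mail : : : : mail : : inetorgperson : mail
###
"""

# The rule the guide prints in error: it maps the groups container onto cn=users itself.
WRONG_DOMAIN_RULE = "cn=groups,dc=us,dc=mycompany,dc=com:cn=users,dc=us,dc=mycompany,dc=com"

def truncl(value, char):
    """Truncate up to and including the first occurrence of char."""
    idx = value.find(char)
    return value[idx + 1:] if idx >= 0 else value

def truncr(value, char):
    """Truncate everything to the right of the first occurrence of char."""
    idx = value.find(char)
    return value[:idx] if idx >= 0 else value

def parse_map_file(text):
    """Return {'DomainRules': [...], 'AttributeRules': [...]} from mapping-file text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in ("DomainRules", "AttributeRules"):
            current = sections.setdefault(line, [])
        elif line == "###":
            current = None
        elif line and current is not None:
            current.append(line)
    return sections

def apply_domain_rule(dn, rule):
    """Rewrite dn when it is, or lies under, the source domain of a src:dst rule."""
    src, dst = rule.split(":", 1)
    if dn.lower() == src.lower():
        return dst
    suffix = "," + src
    if dn.lower().endswith(suffix.lower()):
        return dn[:-len(suffix)] + "," + dst
    return dn

FUNC_RE = re.compile(r"^(truncl|truncr)\((\w+),'(.)'\)$")

def apply_attribute_rules(entry, rules):
    """Build destination attributes from 8-field attribute rule lines (fields 1, 5 and 8 used)."""
    out = {}
    for rule in rules:
        fields = [f.strip() for f in rule.split(":")]
        if len(fields) < 8 or fields[0] not in entry:
            continue
        dst_attr, expr = fields[4], fields[7]
        m = FUNC_RE.match(expr)
        if m:
            func = truncl if m.group(1) == "truncl" else truncr
            out[dst_attr] = func(entry[m.group(2)], m.group(3))
        else:
            out[dst_attr] = entry.get(expr, "")
    return out

if __name__ == "__main__":
    rules = parse_map_file(SAMPLE_MAP_FILE)
    dn = "cn=admins,cn=groups,dc=us,dc=mycompany,dc=com"
    print("wrong rule  :", apply_domain_rule(dn, WRONG_DOMAIN_RULE))
    print("correct rule:", apply_domain_rule(dn, rules["DomainRules"][0]))
    print(apply_attribute_rules({"mail": "jdoe@example.com"}, rules["AttributeRules"]))
```

With the erroneous rule a group entry lands directly under cn=users and the cn=groups container is lost; the corrected rule keeps it under cn=groups,cn=users.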
In Chapter 23, "Managing Integration with a Third-Party Directory," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Tasks After Configuring with a Third-Party Directory" section contains an error.
Step 3, which states "Start the Oracle Directory Integration Platform using the configuration set that corresponds to that of the profile," is inaccurate and unnecessary.
You should ignore this step.
In the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, examples for the ldapbindssl command use the -q option, which allows you to be prompted for password input, instead of passing it on the command line. The -q option is not supported for the ldapbindssl command. You must use the -w option and identify the password on the command line when executing the ldapbindssl command.
In Chapter 19, "Deploying the Oracle Password Filter for Microsoft Active Directory," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the procedure for "Installing the Oracle Password Filter for Microsoft Active Directory" contains an error.
Step 16 states the following:
"If this is the first time you have installed the Oracle Password Filter, select Yes to upload schema extensions to Oracle Internet Directory when prompted. Otherwise, select No. The Reboot Domain Controller page displays."
This is incorrect. You should always select No. You do not want to upload schema extensions to Oracle Internet Directory because it comes preloaded with the schema extension attributes required for the Microsoft Active Directory Password filter.
In Chapter 17, "Configuring Synchronization with a Third-Party Directory," of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management, the "Understanding the expressSyncSetup Command" states the following:
"Master domain mapping rules are located in $ORACLE_HOME/ldap/odi/samples."
This is incorrect. Master domain mapping rules are located in the $ORACLE_HOME/ldap/odi/conf/ directory.