Category Archives: Oracle Internet Directory

Configure DIP to synchronize with Secure LDAP AD using wallets and keystores.

To configure DIP to be used with a secure LDAP AD (SSL), first a certificate store must be created for DIP. It can be created with a tool like keytool or kse. Create a JKS store and call it dip.jks. Get a trusted certificate from the AD server (this can be achieved with an ldap command, I used ldapadmin, browsed for CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,C=nl and exported the certificate to file by right-clicking the Cacertificate attribute of the certificate entry). Import this certificate as a trusted certificate in the jks keystore.
This keystore will be used with DIP. For manual ldapcompare and bind commands (and later for the plugins), you will also need a wallet with this certificate.

Now, we need to tell DIP to use this jks store. This can be achieved with the command
./manageDIPServerConfig set -h -p 7015 -D weblogic -attribute keystorelocation -val /oracle/middleware_OID/keystore/dip.jks
(change servername, port and location as desired). The port must be the port ODSM is using.

We have to create a credential to store the keystore password in OID using wlst:

Run the following commands to create a CSF credential and update the Java Keystore password:

Open the WLST prompt by running the following command:


Connect to the WebLogic Admin Server:

connect(‘Weblogic_User’, ‘Weblogic_password’, ‘t3://Weblogic_Host:Weblogic_AdminServer_Port’)

Create the credential and update the Java Keystore password:

createCred(map=”dip”, key=”jksKey”, user=”jksuser”, password=”JKS_password_created_previously_in_step_2″)

The only thing to change here is the password, copy the rest “as is” .

Then, we create the profile as ‘usual’ , ticking the ssl enabled flag and specifying the ssl port of the AD. After correcting the domain mapping rules, bootstrap the profile with $ORACLE_HOME/bin/syncProfileBootstrap.

Second part is to get the oidexplg plugins working. They are configured like any other oidexplg plugin. I created a new one from scratch, because my AD plugins were alreay in use for synchronising with another AD. I copied all the paramters one by one from the AD plugin. The flexfields can be entered after saving the configuration. Don’t forget the secure flexfields for the wallet.

Yes: we need a wallet, with the same certificate as in the keystore we created. Wallets can be created from the Em-console Menu oid/wallets.

To find the created wallet, look for a file ewallet.p12. This location must be registered with the plugins, inlcuding the ewallet.p12 filename.
The wallet password is stored in a secured flexfield.

Examine OID Replication Human intervention Queue

Oracle recommends using the scripts, $ORACLE_HOME/ldap/bin/ (or but I wasn’t able to get these to work even after modifying as indicated on metalink. I was able to do the following and then confirmed with Oracle Support that this was correct.

Log in to the Database (Replica DB) as ODS user:

Determine what we are dealing with (I wanted to see what columns were in the table)

1. sqlplus ods/password
2. describe asr_chg_log
3. select chg_no, orclguid, chg_seq, retry_cnt from asr_chg_log; Delete entries whose RETRY_CNT is -1 (which means they are in the HIQ):
4. delete from asr_chg_log where RETRY_CNT = ‘-1′;

Restart OID (on both nodes: master and replica)

1. opmnctl stop

2. opmnctl start Use ODM to make change in master.

Confirm by watching for change in Replica.

Tracing the Kerberos Plugin Authentication module in OAM

When I was installing and configuring OAM with WNA using the Kerberos plugin, I had the need to trace what was happening while the plugin was trying to log me on.
Weblogic has loggers configured, and by setting the log level of oracle.oam.plugin to TRACE:32, the plugin could be traced. Unfortunately, oracle.oam.plugin is a child of the root logger, so all tracing will be mixed with other traces/logs.
A seperate logger for oracle.oam.plugin can be created however. In the enterprise manager console, under Weblogic domain, select the server you want to trace, and select “logs/log configuration”.
Select “view: loggers with persistent log level state”. Below, you’ll find a box “Name” under Specify Loggers.
In this box, type “oracle.oam.plugin”.
Once this logger is defined, a seperate log file can be defined for this logger. Plugin traces are now seperated from other log files and can be tailed with Linux while debugging/tracing.

Change OID port in OID11g from Em console

It is possible to change the OID ports from the Enterprise manager console. Unfortunately, after changing the ports, EM will not be able to change server properties like ports (!).

After changing the ports, an OPMN command must be run to update EM with the right settings:

$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -componentType OID -componentName oid1 -adminHost myoidhostname -adminPort 7001 -adminUsername weblogic -Port 3060 -Sport 3131

(change parameters as suited and restart OPMN)

If you are using DIP (Directory Integration Platform) as well, you will have to change the (SSL) port accordingly in …../config/fmwconfig/servers/wls_ods1/applications/DIP_11.


Debugging Oracle OID/AD java plugin (oidexplg) for OID 10g

It took some time for me to find out how to debug the Oracle Internet Directory plug-in for Active Directory (oidexplg). Finally found this:

To debug operations for oidexplg.jar, use the following ldif file:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugflag
orcldebugflag: 402653185

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orcldebugop

#———–end of debugon.ldif———–
and use ldapmodify –f <this file> to set the debug flags.

Note: your instance name may differ from the one used here (oid1)

orcldebugflag value =
1 Signature (Heavy Trace Debugging in 10.1.X) +
134217728 (PlugIn Internal) + 268435456 (PlugIn External)

orcldebugop value =
1 (ldapbind) + 64 (ldapcompare)

Debug info is in file(s) oidldapd01s*.log

For less intensive logging use 64 in stead of 65 (a lot of binds are logged)

Actually, the same values go for OID 11g!