
Enterprise User Security (EUS) with OVD and AD (High Level Steps)

Enterprise User Security -
Enterprise User Security (EUS) leverages directory services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration cost, increases security, and improves compliance through centralized database user account management, centralized provisioning and de-provisioning of database users, centralized password management with self-service password reset, and centralized management of authorizations using global database roles.

EUS Setup -

1. Login to ODSM and click on the Adapters tab. Click the "Configure adapters for Enterprise User Security (EUS)" icon. Provide the connection details of AD and the mapping base, and the adapter is created.
2. Open a command prompt and run the command below to extend the AD schema.
Navigate to $Middleware_Home/Oracle_IDM1/ovd/eus and run:
java extendAD -h <AD_Host_Name> -p 389 -D <AD_Administrator_DN> -w <AD_Administrator_Password> -AD <root_context> -commonattr
This adds the orclCommonAttribute attribute, which holds the hashed password used to authenticate the AD user to the DB.
3. Login to the AD machine and copy oidpwdcn.dll from
$ORACLE_HOME/ovd/eus/win/oidpwdcn.dll
(for 64-bit, use $ORACLE_HOME/ovd/eus/win64/oidpwdcn.dll)
to C:\Windows\System32 on all AD machines.
4. Run regedit and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Double-click "Notification Packages" in the right pane and add oidpwdcn to the list.
Click OK, close regedit and restart the servers.
5. Login to the DB machine (the one to be configured for EUS) and run netca. From the options select "Directory usage configuration". On the next window provide the OVD hostname and port.
This creates an ldap.ora file in $ORACLE_HOME/network/admin with the OVD connection details.
6. Run DBCA and select "Configure database options". Select the "Register the database" option and provide the OVD admin credentials. Leave it on "Dedicated server mode" and click Finish.
7. Shut down the database and, before starting it again, make sure ORACLE_BASE is set. The cwallet.sso file should be present in the {ORACLE_BASE}/admin/{Oracle_SID}/wallet folder.
8. Create a role and a user identified globally:
CREATE ROLE AD_SESSION IDENTIFIED GLOBALLY;
CREATE USER global_schema IDENTIFIED GLOBALLY;
Grant CONNECT to the role and the user:
GRANT CONNECT TO AD_SESSION;
GRANT CONNECT TO global_schema;
9. Start the EM console by running 'emctl start dbconsole'. Login as a DBA and click on Server. Click on Enterprise User Security and login with the OVD admin credentials.
10. Click on Manage Enterprise Domains > Configure > User-Schema Mappings > Create.
11. Select Subtree and search for the root context from OVD under which all the users are present.
12. Enter the schema as global_schema (created above) and click Continue.
The steps are done. Now create a user in AD and try to login to the DB with the created user's credentials.
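As an added verification, not part of the original post, the SQL*Plus session below checks the step 8 objects and then confirms that a login with AD credentials really arrived through EUS rather than as a local database login. The names AD_SESSION and global_schema are the ones created above; the DBA_USERS and DBA_ROLES AUTHENTICATION_TYPE columns assume Oracle Database 11.2 or later, and the AD user name and service name in step 3 are constructed placeholders.

```sql
-- Added verification example (not from the original post).
-- Part 1: run as a DBA before testing an AD login.

-- 1. A shared schema that is IDENTIFIED GLOBALLY has no password of its own,
--    so nobody can log in to GLOBAL_SCHEMA directly; only enterprise users
--    mapped to it through EUS can. Both objects should report GLOBAL here.
SELECT username, authentication_type
  FROM dba_users
 WHERE username = 'GLOBAL_SCHEMA';
-- expected AUTHENTICATION_TYPE: GLOBAL

SELECT role, authentication_type
  FROM dba_roles
 WHERE role = 'AD_SESSION';
-- expected AUTHENTICATION_TYPE: GLOBAL

-- 2. Least privilege check: privileges for AD users should flow through the
--    global role, so the direct grants on the shared schema should stay
--    limited to what step 8 granted (CONNECT).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('GLOBAL_SCHEMA', 'AD_SESSION')
 ORDER BY grantee, granted_role;

-- Part 2: connect as the AD user created after the steps, e.g.
--   CONNECT jdoe/"<AD password>"@orcl      -- constructed placeholder values
-- and confirm the session is an EUS session mapped onto the shared schema.

-- 3. SESSION_USER is the shared schema, ENTERPRISE_IDENTITY is the user's
--    directory DN, and AUTHENTICATION_METHOD is PASSWORD_GLOBAL for a
--    password-authenticated enterprise user (a local login would show PASSWORD).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS session_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS enterprise_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;

-- 4. Roles active in this session. CONNECT arrives via the shared schema;
--    AD_SESSION appears only once it has been assigned to the user through
--    an enterprise role in the EUS domain.
SELECT role FROM session_roles ORDER BY role;
```

If step 3 shows AUTHENTICATION_METHOD = PASSWORD and a SESSION_USER other than GLOBAL_SCHEMA, the connection bypassed EUS and the user-schema mapping or ldap.ora should be rechecked.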

Comments

  1. "1. Login to ODSM and click on the Adapters tab. Click the Configure adapters for Enterprise User Security (EUS) icon. Provide the connection details of OVD and the mapping base and adapter is created."

    Maybe here we need to provide AD details?

    Replies
    1. Sorry Philipp. It was my mistake; the connection details have to be those of AD at that time. I have corrected the mistake. Thanks for pointing it out.

  2. "5. Login to DB machine (which has to be configured for EUS) and run netca. From the options select “Directory usage configuration”. On the next window provide OVD hostname and port."

    This step doesn't work unless you have extended the AD schema.

  3. For an unknown reason netca can't connect to OVD, and OVD reports a bad certificate in its log. I wonder where I can find more detailed info about that topic?
