
Enterprise User Security (EUS) with OVD and AD (High Level Steps)

Enterprise User Security

Enterprise User Security (EUS) leverages directory services and gives you the ability to centrally manage database users and role memberships in an LDAP directory. EUS reduces administration cost, increases security, and improves compliance through centralized database user account management, centralized provisioning and de-provisioning of database users, centralized password management and self-service password reset, and centralized management of authorizations using global database roles.

EUS Setup

1. Log in to ODSM and click the Adapters tab. Click the “Configure adapters for Enterprise User Security (EUS)” icon. Provide the connection details of AD and the mapping base; the adapter is created.
2. Open a command prompt, navigate to $Middleware_Home/Oracle_IDM1/ovd/eus and run the following command to extend the AD schema:
   java extendAD -h <AD_Host_Name> -p 389 -D <AD_Administrator_DN> -w <AD_Administrator_Password> -AD <root_context> -commonattr
   The -commonattr option adds the orclCommonAttribute attribute, which holds the hashed password used to authenticate the AD user to the database.
3. Log in to the AD machine and copy oidpwdcn.dll from $ORACLE_HOME/ovd/eus/win/oidpwdcn.dll (for 64-bit, $ORACLE_HOME/ovd/eus/win64/oidpwdcn.dll) to C:\Windows\System32 on all AD machines.
4. Run regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Double-click Notification Packages in the right pane, add oidpwdcn to the list, click OK, close regedit and restart the servers. This registers the DLL as an LSA password notification package, so the hashed password is captured whenever an AD user's password is set or changed.
5. Log in to the DB machine (the one to be configured for EUS) and run netca. From the options select “Directory usage configuration” and on the next window provide the OVD hostname and port. This creates an ldap.ora file in $ORACLE_HOME/network/admin with the OVD connection details.
6. Run DBCA and select “Configure database options”. Select “Register the database” and provide the OVD admin credentials. Leave “Dedicated server mode” selected and click Finish.
7. Shut down the database and, before starting it again, make sure ORACLE_BASE is set. The cwallet.sso file should be present in {ORACLE_BASE}/admin/{Oracle_SID}/wallet.
8. Create a role and a user identified globally, and grant CONNECT to both:
   CREATE ROLE AD_SESSION IDENTIFIED GLOBALLY;
   CREATE USER global_schema IDENTIFIED GLOBALLY;
   GRANT CONNECT TO AD_SESSION;
   GRANT CONNECT TO global_schema;
9. Start the EM console by running ‘emctl start dbconsole’. Log in as a DBA and click Server. Click Enterprise User Security and log in with the OVD admin credentials.
10. Click Manage Enterprise Domains > Configure > User-Schema Mappings > Create.
11. Select Subtree and search for the root context from OVD under which all the users are present.
12. Enter global_schema (created above) as the schema and click Continue.

The setup is complete. Now create a user in AD (or reset an existing user's password, since orclCommonAttribute is only populated when a password is set after the DLL is installed) and try to log in to the database with that user's credentials.
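As an added check that is not part of the original post: after steps 5 to 7, this script parses the ldap.ora that netca wrote and confirms the wallet is where step 7 expects it. The sample ldap.ora content, host name and paths are constructed placeholders, and the DIRECTORY_SERVER_TYPE = OID check assumes OVD was registered as an OID-type directory in netca.

```python
import os

# Constructed sample of the ldap.ora that netca writes (placeholder host and context).
SAMPLE_LDAP_ORA = """# ldap.ora Network Configuration File
DIRECTORY_SERVERS= (ovd.example.internal:3060:3131)
DEFAULT_ADMIN_CONTEXT = "dc=example,dc=com"
DIRECTORY_SERVER_TYPE = OID
"""


def parse_ldap_ora(text):
    """Return ldap.ora parameters as a dict, with surrounding parens/quotes stripped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip().strip('()"').strip()
    return params


def directory_servers(params):
    """Split DIRECTORY_SERVERS into (host, port, ssl_port) tuples."""
    servers = []
    for entry in params.get("DIRECTORY_SERVERS", "").split(","):
        parts = entry.strip().split(":")
        if len(parts) >= 2:
            ssl_port = int(parts[2]) if len(parts) > 2 else None
            servers.append((parts[0], int(parts[1]), ssl_port))
    return servers


def check_eus_prereqs(ldap_ora_text, oracle_base, oracle_sid, exists=os.path.exists):
    """Return a list of problems; an empty list means steps 5 to 7 look complete."""
    problems = []
    params = parse_ldap_ora(ldap_ora_text)
    if not directory_servers(params):
        problems.append("ldap.ora has no DIRECTORY_SERVERS entry; rerun netca (step 5)")
    if params.get("DIRECTORY_SERVER_TYPE") != "OID":  # assumption: OVD registered as OID type
        problems.append("DIRECTORY_SERVER_TYPE is not OID")
    if not params.get("DEFAULT_ADMIN_CONTEXT"):
        problems.append("DEFAULT_ADMIN_CONTEXT is missing")
    if not oracle_base:
        problems.append("ORACLE_BASE is not set (step 7)")
    else:  # step 7: the wallet must sit under ORACLE_BASE/admin/<SID>/wallet
        wallet = os.path.join(oracle_base, "admin", oracle_sid, "wallet", "cwallet.sso")
        if not exists(wallet):
            problems.append("wallet not found: " + wallet)
    return problems


if __name__ == "__main__":
    path = os.path.join(os.environ.get("ORACLE_HOME", ""), "network", "admin", "ldap.ora")
    text = open(path).read() if os.path.isfile(path) else SAMPLE_LDAP_ORA
    for p in check_eus_prereqs(text, os.environ.get("ORACLE_BASE", ""), os.environ.get("ORACLE_SID", "ORCL")):
        print("PROBLEM:", p)
```

Run it on the DB host with ORACLE_HOME, ORACLE_BASE and ORACLE_SID exported; without them it checks the constructed sample.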

Comments

1. “1. Login to ODSM and click on the Adapters tab. Click the Configure adapters for Enterprise User Security (EUS) icon. Provide the connection details of OVD and the mapping base and adapter is created.”

   Maybe here we need to provide AD details?

   Reply: Sorry Philipp. It was my mistake; the connection details have to be those of AD at that step. I have corrected the mistake. Thanks for pointing it out.

2. “5. Login to DB machine (which has to be configured for EUS) and run netca. From the options select “Directory usage configuration”. On the next window provide OVD hostname and port.”

   This step doesn't work unless you have extended the AD schema.

3. For an unknown reason netca can't connect to OVD, and OVD reports “bad certificate” in its log. I wonder where I can find more detailed information about that topic?
