Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
Configuring Synchronization with a Third-Party Directory

3. Import the trusted CA certificates into the Java KeyStore (JKS) using the keytool command. If Oracle Directory Integration Platform is already using an existing JKS, identify its location with the -keystore PATH_TO_JKS option. If Oracle Directory Integration Platform does not already have a JKS to use, keytool creates one at the location identified by the -keystore PATH_TO_JKS option. For example:

   keytool -importcert -trustcacerts -alias mycert -file PATH_TO_CERTIFICATE \
       -keystore PATH_TO_JKS

   If this is the first time you are using the JKS identified by the -keystore PATH_TO_JKS option, you must provide its password and also perform the following steps a and b:

   a. Update the Directory Integration Platform configuration with the keystore location and password used in step 3 by using the manageDIPServerConfig command. For example:

      manageDIPServerConfig set -h HOST -p PORT -D WLS_USER \
          -attribute keystorelocation -value PATH_TO_JKS

   b. Update the credential in the Credential Store Framework (CSF) using the following WLST command, replacing the PASSWORD variable with the password used when the keystore was created:

      createCred(map="dip", key="jksKey", user="jksUser", password="PASSWORD", desc="jks password")

4. Modify the third-party directory connection information, including the host name, profile, and connectedDirectoryURL attribute, using the modify operation of the manageSyncProfiles command:

   manageSyncProfiles update -profile profile_name -file myMapFile

   When you configure the connectedDirectoryURL attribute, use the following format:

   host:port:sslmode

   Supported values for sslmode are listed in Table 17-1.

   Table 17-1 Supported Values for sslmode in connectedDirectoryURL Attribute

   Supported sslmode Value   Description
   0                         No SSL mode. Supported for all directory types.
   1                         No Authentication mode. No certificate. Supported only for Oracle Internet Directory.
   2                         Server-Only Authentication mode. Requires certificate. Supported for all directory types.

   Note: Oracle Directory Integration Platform does not support SSL in client/server authentication mode.

5. If you used a new JKS in step 3, you must restart Oracle Directory Integration Platform in SSL mode. If you used an existing JKS in step 3, go to step 6 now.

6. Add a test user and verify that it synchronizes successfully. If the test user does not synchronize successfully, troubleshoot your SSL configuration.
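The following shell script is an added example and is not part of the Oracle guide. It validates a connectedDirectoryURL value against the host:port:sslmode format and the sslmode rules of Table 17-1 before the value is written into a profile (sslmode 1 is rejected for anything other than Oracle Internet Directory), and wraps the keytool import from step 3 so that the presence of the imported alias in the JKS is checked afterwards. The directory-type labels (OID, AD, EDIR, TIVOLI, ODSEE), the function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Directory-type labels (OID, AD,
# EDIR, TIVOLI, ODSEE) are assumptions used only by this script.

# check_conn_url URL DIRTYPE
# Returns 0 when URL has the form host:port:sslmode and the sslmode is
# supported for DIRTYPE according to Table 17-1; otherwise prints a reason
# on stderr and returns 1.
check_conn_url() {
    url=$1
    dirtype=$2
    case "$url" in
        *:*:*) ;;
        *) echo "bad format: expected host:port:sslmode, got '$url'" >&2; return 1 ;;
    esac
    host=${url%%:*}
    rest=${url#*:}
    port=${rest%%:*}
    sslmode=${rest#*:}
    [ -n "$host" ] || { echo "empty host in '$url'" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric in '$url'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range in '$url'" >&2; return 1; }
    case "$sslmode" in
        0|2) return 0 ;;   # no SSL / server-only authentication: all directory types
        1)
            # No Authentication mode is supported only for Oracle Internet Directory.
            [ "$dirtype" = OID ] && return 0
            echo "sslmode 1 is supported only for Oracle Internet Directory" >&2
            return 1 ;;
        *) echo "sslmode must be 0, 1 or 2 in '$url'" >&2; return 1 ;;
    esac
}

# import_trusted_ca ALIAS CERT_FILE JKS_PATH JKS_PASSWORD
# Imports CERT_FILE as a trusted CA entry (step 3) and confirms that the alias
# is now listed as a trustedCertEntry in the keystore. Passing the password
# with -storepass exposes it in the process list; omit it and let keytool
# prompt when running interactively.
import_trusted_ca() {
    alias=$1; cert=$2; jks=$3; pw=$4
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate file not readable: $cert" >&2; return 1; }
    # -noprompt accepts the certificate non-interactively; inspect it first with
    # keytool -printcert -file "$cert".
    keytool -importcert -trustcacerts -noprompt -alias "$alias" -file "$cert" \
        -keystore "$jks" -storepass "$pw" || return 1
    keytool -list -keystore "$jks" -storepass "$pw" -alias "$alias" | grep -q trustedCertEntry
}

# Constructed sample value: validate the URL for an Active Directory profile.
check_conn_url "ad.example.com:636:2" AD && echo "connectedDirectoryURL accepted"
# Usage for the import (paths are placeholders):
# import_trusted_ca mycert PATH_TO_CERTIFICATE PATH_TO_JKS "$JKS_PASSWORD"
```

Run check_conn_url on the value before editing the profile file passed to manageSyncProfiles; a rejected value is easier to diagnose here than as a failed synchronization in step 6.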

17.3.5 Enabling Password Synchronization from Oracle Internet Directory to a Third-Party Directory

To synchronize passwords from Oracle Internet Directory to a third-party directory, you must enable the password policy, and you may also have to enable reversible password encryption in the Oracle Internet Directory server. Enable reversible password encryption in the Oracle Internet Directory server only if the hashing algorithm used by the third-party directory is incompatible with, or unsupported by, Oracle Internet Directory. For example, IBM Tivoli Directory Server and Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server) support hashing algorithms similar to those of Oracle Internet Directory. Therefore, to synchronize passwords from Oracle Internet Directory to IBM Tivoli Directory Server or Oracle Directory Server Enterprise Edition, you must enable only the password policy in the Oracle Internet Directory server. However, to synchronize passwords from Oracle Internet Directory to Microsoft Active Directory or Novell eDirectory, neither of which supports hashing algorithms similar to those of Oracle Internet Directory, you must enable both the password policy and reversible password encryption in the Oracle Internet Directory server. To enable the password policy, assign a value of 1 to the orclPwdPolicyEnable attribute in the appropriate container. To enable reversible password encryption in the Oracle Internet Directory server, assign a value of 1 to the orclpwdEncryptionEnable attribute in the appropriate container.
For example, to enable the password policy and reversible password encryption on the default policy for a realm, assign a value of 1 to the orclPwdPolicyEnable and orclpwdEncryptionEnable attributes in the following entry:

cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN

You can do this by using ldapmodify and uploading an LDIF file containing the following entries:

dn: cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,Realm_DN
changetype: modify
replace: orclpwdpolicyenable
orclpwdpolicyenable: 1
-
replace: orclpwdencryptionenable
orclpwdencryptionenable: 1

See Also: "Managing the SSL Certificates of Oracle Internet Directory and Connected Directories" on page 4-14

Note: As of Oracle Internet Directory 10g (10.1.4.0.1), Oracle Internet Directory supports multiple password policies in each realm, commonly known as Fine-Grained Password Policies. Refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for more information about Fine-Grained Password Policies.
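As an added example (not code from the Oracle guide), the shell functions below generate the LDIF shown above for a given realm DN, including the orclpwdencryptionenable change only for target directories for which the text says reversible encryption is required (Microsoft Active Directory and Novell eDirectory), and then apply the file with ldapmodify. The directory-type labels (AD, EDIR, TIVOLI, ODSEE), the function names and the OID_HOST, OID_PORT and OID_BINDDN variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Directory-type labels and the
# OID_HOST/OID_PORT/OID_BINDDN variables are assumptions used only here.

# needs_reversible_encryption DIRTYPE
# 0: the target's hashing is incompatible with OID, so reversible encryption
#    must be enabled (Active Directory, eDirectory)
# 1: compatible hashing, password policy alone is enough (Tivoli, ODSEE)
# 2: unknown directory type
needs_reversible_encryption() {
    case "$1" in
        AD|EDIR) return 0 ;;
        TIVOLI|ODSEE) return 1 ;;
        *) echo "unknown directory type: $1" >&2; return 2 ;;
    esac
}

# pwd_policy_ldif REALM_DN DIRTYPE
# Prints a modify LDIF for the realm's default password policy entry that sets
# orclpwdpolicyenable to 1 and, only when needed for DIRTYPE, also sets
# orclpwdencryptionenable to 1. Reversible encryption is left untouched
# otherwise, since it weakens password storage in OID.
pwd_policy_ldif() {
    realm_dn=$1
    dirtype=$2
    rc=0
    needs_reversible_encryption "$dirtype" || rc=$?
    [ "$rc" -ne 2 ] || return 1
    printf 'dn: cn=default,cn=PwdPolicyEntry,cn=common,cn=products,cn=oraclecontext,%s\n' "$realm_dn"
    printf 'changetype: modify\n'
    printf 'replace: orclpwdpolicyenable\n'
    printf 'orclpwdpolicyenable: 1\n'
    if [ "$rc" -eq 0 ]; then
        # The "-" line separates two changes within one LDIF modify record.
        printf -- '-\n'
        printf 'replace: orclpwdencryptionenable\n'
        printf 'orclpwdencryptionenable: 1\n'
    fi
}

# apply_pwd_policy REALM_DN DIRTYPE
# Writes the LDIF to a temporary file and uploads it with ldapmodify; -q makes
# ldapmodify prompt for the bind password instead of taking it on the command line.
apply_pwd_policy() {
    tmp=$(mktemp) || return 1
    if ! pwd_policy_ldif "$1" "$2" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "$OID_BINDDN" -q -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: show the LDIF that an Active Directory target requires.
pwd_policy_ldif "dc=example,dc=com" AD
# Usage against a live server (variables are placeholders):
# OID_HOST=oid.example.com OID_PORT=3060 OID_BINDDN=cn=orcladmin \
#     apply_pwd_policy "dc=example,dc=com" AD
```

Generating the LDIF from the target type keeps the decision in one place: a Tivoli or ODSEE profile never gets reversible encryption switched on by copy-and-paste of the Active Directory file.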