Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
Managing the Oracle Directory Integration Platform

To Configure Oracle Internet Directory for SSL Server-Auth Authentication
To Configure Oracle Directory Integration Platform for SSL Authentication

      manageDIPServerConfig set -attr keystorelocation -val /home/Middleware/dip.jks -h host -p 7005 -wlsuser weblogic

   The system will prompt for the WebLogic password.

4. Run the following commands to create a CSF credential and update the Java Keystore password:

   a. Open the WLST prompt by running the following command:

      ORACLE_HOME/common/bin/wlst.sh

   b. Connect to the WebLogic Admin Server:

      connect('Weblogic_User', 'Weblogic_password', 't3://Weblogic_Host:Weblogic_AdminServer_Port')

   c. Create the credential and update the Java Keystore password:

      createCred(map="dip", key="jksKey", user="jksuser", password="JKS_password_created_previously_in_step_2")

5. Log in to the Fusion Middleware user interface and update the Oracle Directory Integration Platform SSL configuration. Choose DIP Server Properties, then set SSL Mode to 2 and the port value to the Oracle Internet Directory SSL port.

6. Restart the Oracle WebLogic managed server. Oracle Directory Integration Platform will now connect to Oracle Internet Directory in SSL Server authentication mode.

4.6.3 To Configure Oracle Directory Integration Platform for SSL Authentication With Third-Party Directories

This section describes how to configure Oracle Directory Integration Platform for SSL authentication with third-party directories, including Oracle Directory Server Enterprise Edition (previously Sun Java System Directory Server).

1. Export the trusted certificate from the third-party directory and save it to a file.

2. Import the trusted certificate from the third-party directory into the Java Keystore (JKS):

      keytool -importcert -trustcacerts -alias Some_alias_name -file Path_to_certificate_file -keystore path_to_keystore

   For example:

      keytool -importcert -trustcacerts -alias sunone -file /home/Middleware/sunone.cert -keystore /home/Middleware/dip.jks

   Notes:
   ■ If you use the -keystore option and the keystore does not exist, keytool creates the keystore.

3. During profile creation, select the SSL option and provide the third-party directory SSL port.

4.7 Managing the SSL Certificates of Oracle Internet Directory and Connected Directories

The Oracle Directory Integration Platform can use SSL to connect to Oracle Internet Directory and connected directories. When using SSL with no authentication to connect to Oracle Internet Directory, no certificate is required. However, when connecting to Oracle Internet Directory using SSL with server authentication, you need a trust-point certificate to connect to the LDAP server. The Oracle Directory Integration Platform expects the certificate to be in a Java Keystore (JKS). You can use the manageDIPServerConfig command with the keystorelocation argument to manage the keystore location, and you can use the WLST Credential Store commands with map=dip and key=jksKey to manage the keystore password.

See Also:
■ Managing Oracle Directory Integration Platform Using manageDIPServerConfig for more information about the manageDIPServerConfig command.
■ Oracle Fusion Middleware Administrator's Guide for more information about managing keystores using WLST.

4.7.1 Detecting and Removing an Expired Certificate

You can use the keytool utility in the JAVA_HOME/bin directory to detect and remove expired certificates for Oracle Directory Integration Platform.

To list the valid dates for a trusted certificate in the keystore, execute the keytool utility as follows:

      JAVA_HOME/bin/keytool -list -v -keystore PATH_TO_KEYSTORE

To delete a trusted certificate from the keystore, execute the keytool utility as follows:

      JAVA_HOME/bin/keytool -delete -alias mycert -keystore PATH_TO_KEYSTORE

Note: You will be prompted for the password to the keystore while executing these commands.

For general information about certificate expiration, see Chapter 7, "Managing Keystores, Wallets, and Certificates," of the Oracle Fusion Middleware Administrator's Guide.

4.8 Oracle Directory Integration Platform in a High Availability Scenario

In a high availability architecture, Oracle Directory Integration Platform is deployed on an Oracle WebLogic Cluster that has at least two servers as part of the cluster. Oracle WebLogic Server starts, stops, and monitors Oracle Directory Integration Platform in the cluster. By default, Oracle Directory Integration Platform leverages the high availability features of the underlying Oracle WebLogic Clusters. In case of hardware or other failures, session state is available to other cluster nodes that can resume the work of the failed node.

In a high availability environment, Node Manager is configured to monitor the Oracle WebLogic Servers. In case of failure, Node Manager restarts the Oracle WebLogic Server. If Node Manager cannot restart the server, then the front-ending load balancing router detects failure of a WebLogic instance in the cluster and routes traffic to surviving instances.

When Oracle Internet Directory is deployed in an active-active high availability configuration, all the Oracle Internet Directory instances belonging to the cluster share the same database. Any changes made to Oracle Directory Integration Platform on one Oracle Internet Directory node are automatically propagated to all the Oracle Internet Directory instances in the cluster.

See: Oracle Fusion Middleware High Availability Guide for complete information on Oracle Directory Integration Platform in a high availability scenario.

4.9 Managing Oracle Directory Integration Platform in a Replicated Environment

For provisioning and synchronization, the replicated directory is different from the master directory. Any profiles created in the original directory need to be re-created in the new directory, and all configurations must be performed as in the original directory.
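Section 4.7.1 above shows the keytool listing used to read certificate validity dates by eye. The following Python script is an added example, not part of this guide or of the Oracle Directory Integration Platform product: it runs that same `keytool -list -v -keystore PATH` command, parses the "Valid from: ... until: ..." lines, and reports which aliases are already expired or will expire within a warning window, so the check can run from a scheduler instead of being done by hand. It assumes keytool is on PATH (the JAVA_HOME/bin directory from 4.7.1), that the JDK's keytool accepts the -storepass:env option for reading the store password from an environment variable, and that the variable is named DIP_JKS_PASSWORD (a name chosen for this example). The embedded keytool output is constructed, with made-up aliases and dates, so the script can be run offline.

```python
"""Automated expiry check for the trusted certificates in the DIP Java Keystore.

Added example, not part of the Oracle guide: it runs the same
`keytool -list -v -keystore PATH` command that Section 4.7.1 describes, parses
the "Valid from: ... until: ..." lines, and reports which aliases are expired
or close to expiry. keytool is assumed to be on PATH (JAVA_HOME/bin).
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Validity line printed by keytool (English locale), e.g.
#   Valid from: Tue Jan 05 10:00:00 UTC 2021 until: Wed Jan 05 10:00:00 UTC 2022
# The zone name is skipped: keytool prints the JVM's local zone, and an offset
# of a few hours is irrelevant when expiry is measured in days.
UNTIL_RE = re.compile(r"until:\s*(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

# Constructed sample of `keytool -list -v` output; aliases and dates are made up.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: sunone
Creation date: Jan 5, 2021
Entry type: trustedCertEntry

Owner: CN=sunone.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 1a2b3c
Valid from: Tue Jan 05 10:00:00 UTC 2021 until: Wed Jan 05 10:00:00 UTC 2022


*******************************************
*******************************************


Alias name: oidtrust
Creation date: Mar 19, 2021
Entry type: trustedCertEntry

Owner: CN=oid.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 4d5e6f
Valid from: Fri Mar 19 08:30:00 UTC 2021 until: Sat Mar 19 08:30:00 UTC 2022


*******************************************
*******************************************


Alias name: rootca
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 01
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Mon Jan 01 00:00:00 UTC 2035
"""

# Fixed "current time" so the sample gives a reproducible result.
REFERENCE_NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)


def parse_keytool_listing(text):
    """Map each alias to the 'until' date of its first certificate (the leaf
    for PrivateKeyEntry chains, the only one for a trustedCertEntry)."""
    not_after = {}
    alias = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif alias is not None and alias not in not_after:
            m = UNTIL_RE.search(line)
            if m:
                stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
                not_after[alias] = stamp.replace(tzinfo=timezone.utc)
    return not_after


def classify(not_after, now, warn_days=30):
    """Split aliases into (expired, expiring within warn_days), earliest first."""
    expired = sorted((a for a, t in not_after.items() if t <= now), key=not_after.get)
    horizon = now + timedelta(days=warn_days)
    soon = sorted((a for a, t in not_after.items() if now < t <= horizon), key=not_after.get)
    return expired, soon


def check_keystore(keystore_path, password_env="DIP_JKS_PASSWORD", warn_days=30):
    """Run keytool against a real keystore. The store password is read from the
    environment variable named by password_env (keytool's -storepass:env), so it
    is neither typed at a prompt nor visible in the process list."""
    listing = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore_path, "-storepass:env", password_env],
        check=True, capture_output=True, text=True,
    ).stdout
    return classify(parse_keytool_listing(listing), datetime.now(timezone.utc), warn_days)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real keystore path given on the command line
        expired, soon = check_keystore(sys.argv[1])
    else:                                      # otherwise demonstrate on the constructed sample
        expired, soon = classify(parse_keytool_listing(SAMPLE_LISTING), REFERENCE_NOW)
    print("expired:", expired)                 # sample: ['sunone']
    print("expiring within 30 days:", soon)    # sample: ['oidtrust']
    sys.exit(1 if expired else 0)              # non-zero exit lets a cron job or monitor raise an alert
```

Run it without arguments to see the result on the sample, or as `DIP_JKS_PASSWORD=... python check_dip_jks.py /home/Middleware/dip.jks` against the keystore configured with manageDIPServerConfig. A non-zero exit code when any alias has expired makes the script usable from a scheduler; an alias it flags is then replaced by importing the renewed certificate (Section 4.6.3, step 2) and removing the old entry with the keytool -delete command from Section 4.7.1.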