Integration With Oracle Identity Management 10-7
configuration, refer to the OPSS Authorization and the Policy Store chapter in the Oracle Fusion Middleware Security Guide.
10.1.3.1 Prerequisites to Using an LDAP-Based Policy Store
To ensure proper access to an LDAP server directory (Oracle Internet Directory) used as a policy store, you must create a root node for the policy data in the server directory.
An Oracle Internet Directory administrator must follow these steps to create the appropriate node in an Oracle Internet Directory Server:
1. Create an LDIF file (assumed to be jpstestnode.ldif in this example) specifying the following DN and CN entries:
dn: cn=jpsroot_wc
cn: jpsroot_wc
objectclass: top
objectclass: OrclContainer
The distinguished name of the root node (illustrated by the string jpsroot_wc above) must be distinct from any other distinguished name. One root node can be shared by multiple WebLogic domains. It is not required that this node be created at the top level, as long as read and write access to the subtree is granted to the Oracle Internet Directory administrator.
2. Import this data into the Oracle Internet Directory server using the command ldapadd, as illustrated in the following example (the command is shown on two lines for readability, but you should enter it on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapadd -h ldap_host -p ldap_port -D "cn=orcladmin" -w password
-c -v -f jpstestnode.ldif
The password given with -w is visible to other users of OIDHOST1 in the process list while ldapadd runs and is recorded in the shell history; on a shared host, run the command from an administrative session and clear the history afterwards.
3. Verify that the node has been successfully inserted using the command ldapsearch, as illustrated in the following example (the command is shown on two lines for readability, but you should enter it on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapsearch -h ldap_host -p ldap_port -D "cn=orcladmin" -w password
-b "cn=jpsroot_wc" "objectclass=orclContainer"
The search must return the cn=jpsroot_wc entry with the objectclass orclContainer. If the entry is not returned, the node was not created; check the ldapadd output for an error on that entry.
4. When using Oracle Internet Directory as the LDAP-based policy store, run the utility oidstats.sql on the INFRADBHOSTs to generate database statistics for optimal database performance:
ORACLE_HOME/bin/sqlplus
Enter ODS as the user name. You will be prompted for the credentials of the ODS user.
Inside sqlplus, enter the command to gather the statistics:
SQL> @ORACLE_HOME/ldap/admin/oidstats.sql
The oidstats.sql utility must be run just once after the initial provisioning. For details about this utility, consult the Oracle Fusion Middleware User Reference for Oracle Identity Management.
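The node-creation steps above can be rehearsed and checked without a live directory. The following Python is an added example, not part of the Oracle guide or of the OID command-line tools: jpsroot_ldif builds the jpstestnode.ldif content for a given root CN (with RFC 4514 escaping of the DN, and the optional parent DN the guide permits), and node_present evaluates an ldapsearch result the way step 3 does, accepting both the plain name=value output and the LDIF form printed with -L. The function names and the sample directory output are assumptions constructed for the example.

```python
"""Pre-flight checks for the OPSS policy-store root node in Oracle Internet Directory.

Added example; it is not part of the Oracle guide or of the OID tools. It produces
the LDIF that step 1 asks for and evaluates an ldapsearch result the way step 3
does, without a live directory. The sample directory output below is constructed.
"""
import re

# Characters that must be escaped inside an attribute value used in a DN
# (RFC 4514 section 2.4); a leading '#' and leading/trailing spaces as well.
_DN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, len(value) - 1):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def jpsroot_ldif(root_cn: str, parent_dn: str = '') -> str:
    """Return the LDIF for the policy-store root node (jpstestnode.ldif in the guide).

    parent_dn is optional because the guide allows the node below the top level.
    An empty or control-character CN is rejected here rather than by ldapadd.
    """
    if not root_cn or re.search(r'[\x00-\x1f]', root_cn):
        raise ValueError('root CN must be non-empty printable text')
    rdn = 'cn=' + escape_rdn_value(root_cn)
    dn = rdn + ',' + parent_dn if parent_dn else rdn
    return '\n'.join(['dn: ' + dn, 'cn: ' + root_cn,
                      'objectclass: top', 'objectclass: OrclContainer', ''])


def parse_search_output(text: str) -> list:
    """Parse ldapsearch output into a list of {attribute: [values]} dicts.

    Accepts both the LDIF form (attr: value, printed with -L) and the plain
    name=value form, where the first line of each entry is its DN. Folded
    lines and base64 (::) values are not handled; the root node needs neither.
    """
    entries, current = [], None
    for raw in text.splitlines() + ['']:
        line = raw.rstrip()
        if not line:                      # a blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith('#'):
            continue
        ldif = ':' in line and ('=' not in line or line.index(':') < line.index('='))
        attr, _, val = line.partition(':' if ldif else '=')
        if current is None:
            current = {}
            if not ldif:                  # name=value form: first line is the DN
                current['dn'] = [line]
                continue
        current.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries


def node_present(search_output: str, root_cn: str) -> bool:
    """The step-3 check: some returned entry carries cn=root_cn and the
    orclContainer object class (both compared case-insensitively)."""
    for entry in parse_search_output(search_output):
        cns = [v.lower() for v in entry.get('cn', [])]
        classes = [v.lower() for v in entry.get('objectclass', [])]
        if root_cn.lower() in cns and 'orclcontainer' in classes:
            return True
    return False


# Constructed sample of the name=value output for the node; not a real capture.
SAMPLE_SEARCH = """\
cn=jpsroot_wc
cn=jpsroot_wc
objectclass=top
objectclass=OrclContainer
"""

if __name__ == '__main__':
    print(jpsroot_ldif('jpsroot_wc'))
    print('node present:', node_present(SAMPLE_SEARCH, 'jpsroot_wc'))
```

In practice the output of the real ldapsearch command from step 3 is piped into node_present with the same root CN that was used in step 1; a False result is the signal to inspect the ldapadd run before going on to reassociation.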
10.1.3.2 Reassociating the Domain Policy Store
10-8 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter
Reassociating the policy store consists of migrating policy data from a file- or LDAP-based repository to an LDAP-based repository; that is, reassociation changes the repository while preserving the integrity of the data stored. For each policy in the source policy store, reassociation searches the target LDAP directory and, if it finds a match, updates the matching policy as appropriate. If no match is found, it migrates the policy as is.
At any time after a domain policy store has been instantiated, a file- or LDAP-based policy store can be reassociated into an LDAP-based policy store storing the same data. To support this, the domain must be configured, as appropriate, to use an LDAP policy store.
The reassociation of both the credential and the policy stores is accomplished as a unit using Enterprise Manager or the WLST command reassociateSecurityStore. See Section 10.1.4, Reassociation of Credentials and Policies, for detailed steps.
10.1.4 Reassociation of Credentials and Policies
To reassociate the policy and credential store with Oracle Internet Directory, use the WLST reassociateSecurityStore command. Follow these steps:
1. From SOAHOST1, start the wlst shell:
SOAHOST1> cd ORACLE_COMMON_HOME/common/bin
SOAHOST1> ./wlst.sh
2. Connect to the WebLogic Administration Server using the wlst connect command shown below:
Syntax: connect("AdminUser","AdminUserPassword","t3://hostname:port")
For example: connect("weblogic","welcome1","t3://ADMINVHN:7001")
3. Run the reassociateSecurityStore command as shown below:
Syntax:
reassociateSecurityStore(domain="domainName", admin="cn=orcladmin", password="orclPassword", ldapurl="ldap://LDAPHOST:LDAPPORT", servertype="OID", jpsroot="cn=jpsroot_wc")
For example:
wls:/WCEDGDomain/serverConfig> reassociateSecurityStore(domain="soaedg_domain", admin="cn=orcladmin", password="welcome1", ldapurl="ldap://oid.mycompany.com:389", servertype="OID", jpsroot="cn=jpsroot_wc")
The value of jpsroot must be the distinguished name of the node created in Section 10.1.3.1.
The output of the command is similar to the following (the sample below was captured with different jpsroot and domain values; note that WLST echoes its argument map, password included, so protect or scrub any transcript of this session):
{servertype=OID,jpsroot=cn=jpsroot_wc_idm_idmhost1,admin=cn=orcladmin,domain=IDMDomain,ldapurl=ldap://oid.mycompany.com:389,password=welcome1}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help('domainRuntime')
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
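Because the reassociation arguments are typed by hand and the command's progress is only reported as free text, it is worth checking both before and after the call. The following Python is an added example, not part of the Oracle guide or of WLST: argument_problems validates the domain, admin DN, ldapurl and servertype and compares jpsroot against the node DN created in Section 10.1.3.1, wlst_reassociate_call renders the call for a WLST script with the bind password taken from an environment variable rather than written into the command, and reassociation_phases reads a WLST transcript for the four progress lines the guide shows so that a run that stopped after "Schema is seeded" is not mistaken for success. The function names, the OID_ADMIN_PASSWORD variable and the sample transcript are assumptions constructed for the example.

```python
"""Checks around the WLST reassociateSecurityStore() step.

Added example; it is not part of the Oracle guide or of WLST. It validates the
arguments before the call is issued, renders the call with the bind password taken
from the environment instead of the command line, and reads the command output for
the phase markers the guide shows, so an incomplete reassociation is noticed. The
sample transcript below is constructed from the lines the guide prints.
"""
import re
from urllib.parse import urlsplit

SUPPORTED_SERVERTYPES = {'OID'}     # the guide's target is Oracle Internet Directory

# Progress markers in the order WLST prints them, from the guide's sample output.
PHASES = [
    ('setup', 'LDAP server and ServiceConfigurator setup done'),
    ('schema', 'Schema is seeded into LDAP server'),
    ('migrated', 'Data is migrated to LDAP server'),
    ('verified', 'Service in LDAP server after migration has been tested to be available'),
]


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and trim whitespace around its RDNs for comparison.
    Escaped commas are not handled; enough for cn=jpsroot_wc style roots."""
    return ','.join(part.strip() for part in dn.lower().split(','))


def argument_problems(domain, admin, ldapurl, servertype, jpsroot, expected_root):
    """Return a list of problems with the reassociateSecurityStore arguments.

    expected_root is the DN of the node created in the directory beforehand
    (cn=jpsroot_wc in the guide); jpsroot is checked against it instead of trusted.
    """
    problems = []
    if not re.fullmatch(r'[A-Za-z0-9_.-]+', domain or ''):
        problems.append('domain must be a plain WebLogic domain name')
    if not admin.lower().startswith('cn='):
        problems.append('admin must be the bind DN, for example cn=orcladmin')
    try:
        parts = urlsplit(ldapurl)
        url_ok = parts.scheme == 'ldap' and bool(parts.hostname) and parts.port is not None
    except ValueError:                      # non-numeric or out-of-range port
        url_ok = False
    if not url_ok:
        problems.append('ldapurl must have the form ldap://host:port')
    if servertype not in SUPPORTED_SERVERTYPES:
        problems.append('servertype must be OID for an Oracle Internet Directory target')
    if normalize_dn(jpsroot) != normalize_dn(expected_root):
        problems.append('jpsroot %s does not match the node created in the directory (%s)'
                        % (jpsroot, expected_root))
    return problems


def wlst_reassociate_call(domain, admin, ldapurl, servertype, jpsroot,
                          password_var='OID_ADMIN_PASSWORD'):
    """Render the call for a WLST script; WLST is Jython, so os.environ is available
    there. password_var is an assumed environment variable name, not a WLST option."""
    for value in (domain, admin, ldapurl, servertype, jpsroot, password_var):
        if '"' in value or '\n' in value:
            raise ValueError('argument contains a quote or newline: %r' % value)
    return ('reassociateSecurityStore(domain="%s", admin="%s", password=os.environ["%s"], '
            'ldapurl="%s", servertype="%s", jpsroot="%s")'
            % (domain, admin, password_var, ldapurl, servertype, jpsroot))


def reassociation_phases(output: str) -> dict:
    """Map each phase name to whether its marker appears in the WLST output."""
    return {name: marker in output for name, marker in PHASES}


def reassociation_succeeded(output: str) -> bool:
    """True only when every phase, including the post-migration availability test, ran."""
    return all(reassociation_phases(output).values())


def echoed_passwords(output: str) -> list:
    """WLST echoes its argument map, password included, as the guide's output shows.
    Return the values found so a saved transcript can be scrubbed."""
    return re.findall(r'password=([^,}\s]+)', output)


# Constructed sample transcript, assembled from the lines shown in the guide.
SAMPLE_OUTPUT = """\
{servertype=OID,jpsroot=cn=jpsroot_wc,admin=cn=orcladmin,domain=soaedg_domain,ldapurl=ldap://oid.mycompany.com:389,password=welcome1}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
"""
# The same transcript cut off after the schema step, as a failed run would look.
SAMPLE_PARTIAL = SAMPLE_OUTPUT.split('Data is migrated')[0]
```

The rendered call is meant to be written into a script that wlst.sh runs with the password exported in its environment; the transcript of that run still contains the echoed argument map, which is why echoed_passwords exists.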