
19-2 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

■ How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?

19.1.1 What is the Oracle Password Filter for Microsoft Active Directory?

Oracle Directory Integration Platform enables synchronization between Oracle Internet Directory and Microsoft Active Directory. The Oracle Directory Integration Platform can retrieve all Microsoft Active Directory attributes with the exception of user passwords. Oracle Application Server Single Sign-On uses an external authentication plug-in to verify user credentials in Microsoft Active Directory and automatically store the updated password in Oracle Internet Directory. Applications such as Oracle Database Enterprise User Security that do not use Oracle Application Server Single Sign-On can use the Oracle Password Filter for Microsoft Active Directory to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory. When users change their passwords from their desktops, the updated password is automatically synchronized with Oracle Internet Directory.

More specifically, the Oracle Password Filter for Microsoft Active Directory monitors Microsoft Active Directory for password changes, which it then stores in Oracle Internet Directory. This allows Oracle Internet Directory users to be authenticated with their Microsoft Active Directory credentials and authorized to access resources by using information stored in Oracle Internet Directory. Storing Microsoft Active Directory user credentials in Oracle Internet Directory also provides a high availability solution in the event that the Microsoft Active Directory server is down. The Oracle Password Filter is installed on each Microsoft Active Directory server and automatically forwards password changes to Oracle Internet Directory.

The Oracle Password Filter for Microsoft Active Directory does not require the Oracle Directory Integration Platform to synchronize passwords from Microsoft Active Directory to Oracle Internet Directory. The only requirement is that users synchronized from Microsoft Active Directory to Oracle Internet Directory must include the ObjectGUID attribute value to identify the user in both directories. The Oracle Password Filter for Microsoft Active Directory does not enforce password policies, or differences in password policies, between Microsoft Active Directory and Oracle Internet Directory. Instead, the system administrator must ensure that the password policies are consistent in both directories.

Password change requests occur when an account is created, an administrator resets a user's password, or when a user changes his or her own password. In order for the Oracle Password Filter for Microsoft Active Directory to capture Microsoft Active Directory passwords, one of these events must occur. Passwords that were set prior to installing the Oracle Password Filter for Microsoft Active Directory cannot be captured unless a system administrator forces a global password change request to all users.

Note: Enterprise User Security can only verify user credentials that are stored in Oracle Internet Directory. For this reason, to verify user credentials in Microsoft Active Directory with Enterprise User Security, you must use the Oracle Password Filter to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory.

Note: The Oracle Password Filter for Microsoft Active Directory only captures password changes for 32-bit or higher Windows systems that have been integrated with Microsoft Active Directory.

Deploying the Oracle Password Filter for Microsoft Active Directory 19-3

19.1.2 How Does the Oracle Password Filter for Microsoft Active Directory Work?

This section describes how the Oracle Password Filter for Microsoft Active Directory works. It contains these topics:

■ How Clear Text Password Changes are Captured
■ Password Changes are Stored when Oracle Internet Directory is Unavailable
■ Password Synchronization is Delayed Until Microsoft Active Directory Users are Synchronized with Oracle Identity Management
■ Password Bootstrapping

19.1.2.1 How Clear Text Password Changes are Captured

When a password change request is made, the Local Security Authority (LSA) of the Windows operating system calls the Oracle Password Filter for Microsoft Active Directory package that is registered on the system. When the LSA calls the Oracle Password Filter for Microsoft Active Directory package, it passes to it the user name and the changed password. The Oracle Password Filter for Microsoft Active Directory then performs the synchronization.

19.1.2.2 Password Changes are Stored when Oracle Internet Directory is Unavailable

When Oracle Internet Directory is unavailable, the password change events are archived securely and the encrypted passwords are stored in Microsoft Active Directory. The Oracle Password Filter for Microsoft Active Directory attempts to synchronize these entries until it reaches the specified maximum number of retries.

19.1.2.3 Password Synchronization is Delayed Until Microsoft Active Directory Users are Synchronized with Oracle Identity Management

The Oracle Password Filter for Microsoft Active Directory is notified immediately when a new user is created in Microsoft Active Directory. However, Oracle Directory Integration Platform will not synchronize entries until the next scheduled synchronization interval. For this reason, passwords for new user entries are stored in encrypted format in Microsoft Active Directory until the next synchronization. The Oracle Password Filter for Microsoft Active Directory then attempts to synchronize these entries until it reaches the specified maximum number of retries.

19.1.2.4 Password Bootstrapping

Because the original clear text form of a password is not retrievable by the Oracle Password Filter for Microsoft Active Directory, you cannot perform initial bootstrapping to synchronize passwords from Microsoft Active Directory to Oracle Internet Directory. However, you can instruct users to change their passwords or force a password change for all users in Microsoft Active Directory by changing the password expiration policy.

19.1.3 How Do I Deploy the Oracle Password Filter for Microsoft Active Directory?

The general procedures for installing and configuring the Oracle Password Filter for Microsoft Active Directory are as follows:

1. Enable synchronization between Oracle Internet Directory and Microsoft Active Directory by following the instructions described in Chapter 18, "Integrating with Microsoft Active Directory".

2. Configure and test Oracle Internet Directory in SSL server authentication mode by following the instructions in "Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication" on page 19-4.

3. Import the Oracle Internet Directory trusted server certificate into the Microsoft Active Directory domain controller by following the instructions in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller" on page 19-5.

4. Verify that Oracle Internet Directory and Microsoft Active Directory can communicate with SSL server authentication by following the instructions in "Testing SSL Communication Between Oracle Internet Directory and Microsoft Active Directory" on page 19-6.

5. Install the Oracle Password Filter for Microsoft Active Directory by following the instructions in "Installing the Oracle Password Filter for Microsoft Active Directory" on page 19-8.

6. Configure the Oracle Password Filter for Microsoft Active Directory by following the instructions in "Reconfiguring the Oracle Password Filter for Microsoft Active Directory" on page 19-15.

19.2 Configuring and Testing Oracle Internet Directory with SSL Server-Side Authentication

The Oracle Password Filter communicates password changes from Microsoft Active Directory to Oracle Internet Directory using the Secure Socket Layer (SSL) protocol, which provides data encryption and message integrity for a TCP/IP connection. More specifically, to synchronize password changes between Oracle Internet Directory and Microsoft Active Directory, you must use SSL server authentication mode, which allows a client to confirm a server's identity. When combined with digital certificates, SSL also provides both server authentication and client authentication.

Server authentication with SSL requires that you install a digital certificate on the server side of the communications link. When an SSL transaction is initiated by a client, the server sends its digital certificate to the client. The client examines the certificate to validate that the server has properly identified itself, including verifying that the certificate was issued by a trusted Certificate Authority (CA).

The subject attribute of the Oracle Internet Directory server certificate must match the Oracle Internet Directory server hostname. For example, if the Oracle Internet Directory server hostname is oid.oracle.com, then the subject attribute of the Oracle Internet Directory server certificate must also be oid.oracle.com. If the subject attribute of the Oracle Internet Directory server certificate does not match the Oracle Internet Directory server hostname, the Microsoft Active Directory password filter API will not accept the Oracle Internet Directory server certificate as valid, even though the ldapbind -U 2 command succeeds.

Oracle Internet Directory configured for server authentication is also referred to as SSL type 2. In the case of Oracle Internet Directory and Microsoft Active Directory integration, Oracle Internet Directory is the server and Microsoft Active Directory is the client.

The Oracle Password Filter for Microsoft Active Directory uses SSL to protect the password during transmission between the Microsoft Active Directory domain controller and the Oracle Internet Directory server. To configure and test Oracle Internet Directory with SSL server-side authentication, refer to Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

19.3 Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller

Server-authenticated SSL communication between a Microsoft Active Directory domain controller and Oracle Internet Directory will fail if the domain controller does not recognize the Oracle Internet Directory SSL certificate as valid. In order for a domain controller to accept an Oracle Internet Directory SSL certificate, you must use the Microsoft Management Console to import the certificate authority’s trusted certificate into the domain controller. To use the Microsoft Management Console to import the certificate authority’s trusted certificate into the domain controller:

1. Select Run from the Windows Start menu. The Run dialog box displays. In the Run dialog box, type mmc, and then click OK. The Microsoft Management Console window displays.

2. Select Add/Remove Snap-in from the File menu. The Add/Remove Snap-in dialog box displays.

3. In the Add/Remove Snap-in dialog box, click Add. The Add Standalone Snap-in dialog box displays.

4. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add. The Certificates snap-in dialog box displays, prompting you to select an option for which the snap-in will manage certificates.

5. In the Certificates snap-in dialog box, select Computer Account, and then click Next. The Select Computer dialog box displays.

6. In the Select Computer dialog box, select Local Computer, and then click Finish.

7. Click Close in the Add Standalone Snap-in dialog box, and then click OK in the Add/Remove Snap-in dialog box. The new console displays Certificates (Local Computer) in the console tree.

8. In the console tree, expand Certificates (Local Computer), and then click Trusted Root Certification Authorities.

9. Point to All Tasks on the Action menu, and then select Import. The Welcome page of the Certificate Import Wizard displays. Click Next to display the File to Import page.

10. On the File to Import page, enter the path and file name of the certificate authority's trusted root certificate, or click Browse to search for a file, and then click Next. The Certificate Store page displays.

11. On the Certificate Store page, select Place all certificates in the following store. If Trusted Root Certification Authorities is not already selected as the certificate store, click Browse and select it. Click Next. The Completing the Certificate Import page displays.

12. On the Completing the Certificate Import page, click Finish. A dialog box displays indicating that the import was successful. Click OK.

13. Click Save from the File menu. The Save As dialog box displays. Enter a name for the new console, and then click Save.

14. Close Microsoft Management Console.

Note: The certificate you use with the Oracle Password Filter for Microsoft Active Directory can be generated by any X.509-compliant certificate authority capable of accepting PKCS #10 standard certificate requests and producing certificates compliant with the X.509, Version 3, ISO standard and with RFC 2459.

19.4 Testing SSL Communication Between Oracle Internet Directory and Microsoft Active Directory

The Oracle Password Filter for Microsoft Active Directory installs a command named ldapbindssl on the domain controller that you can use to test SSL communication between Oracle Internet Directory and Microsoft Active Directory. The syntax for ldapbindssl is as follows:

ldapbindssl -h oid_hostname -p ssl_port -D binddn -w password

To test SSL connectivity from Microsoft Active Directory to Oracle Internet Directory:

1. Open a command prompt window on the domain controller and navigate to the folder where you installed the Oracle Password Filter for Microsoft Active Directory.

2. Enter the ldapbindssl command to test SSL communication with Oracle Internet Directory. For example, the following command attempts to bind to an Oracle Internet Directory host named oraas.mycompany.com on SSL port 3133:

ldapbindssl -h oraas.mycompany.com -p 3133 -D binddn -w password

If the ldapbindssl command is successful, the following response is returned:

bind successful

If the ldapbindssl command is not successful, the following response is returned:

Cannot connect to the LDAP server

If you cannot connect from Microsoft Active Directory to Oracle Internet Directory in SSL mode, verify that you successfully imported a trusted certificate into your Microsoft Active Directory domain controller, as described in "Importing a Trusted Certificate into a Microsoft Active Directory Domain Controller" on page 19-5.

Note: For help on importing a trusted certificate with Microsoft Management Console, refer to your Windows product documentation or visit Microsoft Help and Support at http://support.microsoft.com.

Note: The ldapbindssl binary is included in the Oracle Password Filter for Microsoft Active Directory installation. You cannot execute the ldapbindssl command without first installing the Oracle Password Filter for Microsoft Active Directory.
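The two checks that Section 19.2 and this section describe, a server certificate that chains to the imported trusted CA and whose subject matches the Oracle Internet Directory hostname, followed by an LDAP simple bind over the SSL port, can be exercised from any host with the following added example. It is not Oracle's ldapbindssl and is not part of this guide: it is a stand-alone Python script that performs a verified TLS handshake, refuses a certificate whose subject does not match the hostname (the condition under which ldapbind -U 2 succeeds but the password filter API rejects the certificate), and then sends an LDAP v3 simple BindRequest encoded per RFC 4511. The CA file path oid_ca.pem, the bind DN, the password and the host names are placeholders or constructed values, and the sample BindResponse bytes in the comments are constructed.

```python
"""ldapbindssl-style check (added example): verified TLS, subject/hostname match, LDAP v3 simple bind."""
import socket
import ssl

# ---- BER helpers: LDAP messages (RFC 4511) are BER-encoded ----

def _ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(n):
    """Minimal two's-complement INTEGER content octets."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

# ---- LDAP bind request / response ----

def build_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = (_tlv(0x02, _ber_int(3))            # version INTEGER 3
                    + _tlv(0x04, bind_dn.encode())      # name LDAPDN
                    + _tlv(0x80, password.encode()))    # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x60, bind_request))  # BindRequest = [APPLICATION 0]

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse LDAPMessage.
    Constructed success reply: 300c02010161070a010004000400; invalidCredentials(49): 300c02010161070a013104000400."""
    tag, message, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, response, _ = _read_tlv(message, pos)
    if tag != 0x61:                                # BindResponse = [APPLICATION 1]
        raise ValueError("not a BindResponse")
    tag, code, pos = _read_tlv(response, 0)
    if tag != 0x0A:                                # resultCode ENUMERATED
        raise ValueError("missing resultCode")
    _, _, pos = _read_tlv(response, pos)           # matchedDN (not needed here)
    _, diag, _ = _read_tlv(response, pos)          # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", errors="replace"))

# ---- the subject check the password filter API insists on ----

def certificate_matches_host(cert, hostname):
    """True if a SAN dNSName, or the subject CN when the certificate has no SAN, equals hostname
    (exact, case-insensitive; no wildcards). `cert` is the dict form returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return any(name.lower() == hostname.lower() for name in names)

# ---- the check itself ----

def ldapbind_ssl(host, port, bind_dn, password, ca_file, timeout=10.0):
    """Return (ok, message); messages mirror ldapbindssl's 'bind successful' / 'Cannot connect to the LDAP server'."""
    try:
        ctx = ssl.create_default_context(cafile=ca_file)   # trust only the CA that issued the OID server certificate
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True                          # the handshake itself fails on a subject/hostname mismatch
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                if not certificate_matches_host(tls.getpeercert(), host):   # explicit, so the reason is reported
                    return False, "Cannot connect to the LDAP server (certificate subject does not match %s)" % host
                tls.sendall(build_bind_request(1, bind_dn, password))
                data = tls.recv(4096)                      # a BindResponse is far smaller than this
        _, code, diag = parse_bind_response(data)
    except (OSError, ValueError) as exc:                   # refused, TLS/verification failure, or garbled reply
        return False, "Cannot connect to the LDAP server (%s)" % exc
    if code == 0:
        return True, "bind successful"
    return False, "bind failed: LDAP result code %d %s" % (code, diag)

if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(add_help=False, description="ldapbindssl-style SSL bind test (added example)")
    ap.add_argument("-h", dest="host", required=True)          # same switches as ldapbindssl
    ap.add_argument("-p", dest="port", type=int, required=True)
    ap.add_argument("-D", dest="bind_dn", required=True)
    ap.add_argument("-w", dest="password", required=True)
    ap.add_argument("--cacert", default="oid_ca.pem",          # placeholder path to the trusted CA certificate
                    help="PEM file of the CA that issued the Oracle Internet Directory server certificate")
    args = ap.parse_args()
    print(ldapbind_ssl(args.host, args.port, args.bind_dn, args.password, args.cacert)[1])
```

Run it from the domain controller as `python ldapbind_check.py -h oid.oracle.com -p 3133 -D binddn -w password --cacert oid_ca.pem`; a refused connection, an untrusted issuer and a subject that does not match the hostname all surface as the "Cannot connect" message with the underlying reason, which is the distinction a plain ldapbind -U 2 success hides.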