8-70 Oracle Fusion Middleware High Availability Guide ■ Notification through Oracle Directory Integration Platform Provisioning Service, which sends notifications to target applications periodically to reflect changes made to a users status or information. Figure 8–6 shows the Oracle Directory Integration Platform architecture. Figure 8–6 Oracle Directory Integration Platform Architecture Figure 8–6 shows the various components of Oracle Directory Integration Platform. Oracle Internet Directory is synchronized with connected directories using Oracle Directory Integration Platforms Synchronization Enterprise JavaBeans EJB and the Quartz Scheduler. Similarly, changes in Oracle Internet Directory are sent to various applications using Oracle Directory Integration Platforms Provisioning Enterprise JavaBeans EJB and the Quartz Scheduler.

8.5.1.1 Oracle Directory Integration Platform Component Characteristics

Oracle Directory Integration Platform is a J2EE application that enables you to integrate your applications and directories, including third-party LDAP directories, with Oracle Internet Directory. Note: Throughout the rest of this chapter, these terms will be used: ■ Synchronization Service for Oracle Directory Integration Platform Synchronization Service ■ Provisioning Service for Oracle Directory Integration Platform Provisioning Service Administration Interface Application Server Oracle Directory Integration Platform Quartz Scheduler Oracle Directory Integration Platform MBeans Synchronization and Provisioning Enterprise JavaBeans EJB Connected Repositories Oracle Internet Directory Database Command-line Tools Oracle Enterprise Manager Fusion Middleware Control Provisioning Management and Configuration oidprovtool Applications Server Management and Profile Configuration WebLogic Scripting Tool WLST Interpreter Configuring High Availability for Identity Management Components 8-71 Oracle Directory Integration Server provides synchronization services through the Synchronization Service and integration services through the Provisioning Service, as described below: ■ The Synchronization Service provides: – Scheduling: Processing a synchronization profile based on a predefined schedule – Mapping: Executing rules for converting data between connected directories and Oracle Internet Directory – Data propagation: Exchanging data with connected directories by using a connector – Error handling ■ The Provisioning Service provides: – Data propagation: Exchanging data with connected directories by using a connector – Event notification: Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory – Error handling Oracle Directory Integration Platform is deployed on Oracle WebLogic Server. By default, Oracle Directory Integration Platform is installed as part of the Oracle Identity Management software stack; however, depending on your architectural requirements, it can also be installed as a standalone application.

8.5.1.1.1 Runtime Processes The Oracle Directory Integration Server provides:

■ The Synchronization Service using the Synchronization Enterprise JavaBeans EJB and the Quartz Scheduler. The Synchronization EJB is stateless in nature. The Quartz scheduler invokes the Synchronization EJBs that synchronize the appropriate change to all the connected directories. The Synchronization Service supplies these changes using the interface and format required by the connected directory. Synchronization through the Oracle Directory Integration Platform connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need. ■ The Provisioning Service uses the Provisioning Enterprise JavaBeans EJB and the Quartz Scheduler. The Provisioning EJB is stateless in nature. The Quartz scheduler invokes the Provisioning EJBs that in turn notify each of the provisioned application of the changes. ■ UpdateJob EJB periodically polls the Oracle Internet Directory changelog for changes in the Synchronization or Provisioning Profiles. When a profile change is detected, the Quartz scheduler jobs are updated accordingly.

8.5.1.1.2 Process Lifecycle Oracle Directory Integration Platform is deployed to an

Oracle WebLogic Server as an externally managed application. By default, the Oracle Directory Integration Platform application leverages the underlying WebLogic Server infrastructure for startup, shutdown, monitoring and other lifecycle events. WebLogic Node Manager can be configured to monitor the server process and restart it in case of failure. Oracle Directory Integration Platform is initialized when the Managed Server it is deployed on starts up. After the Oracle Directory Integration Platform application 8-72 Oracle Fusion Middleware High Availability Guide starts up, the initialization code creates an initial set of jobs for the existing directory integration profiles and then invokes the UpdateJobBean EJB. UpdateJobBean updates the jobs submitted to the Quartz Scheduler. Depending upon the job, the Quartz scheduler invokes either the Provisioning EJB or the Synchronization EJB. If the Provisioning EJB is invoked, it, in turn, notifies each of the provisioned application of the changes to the Oracle Internet Directory. If the Synchronization EJB is invoked, it, in turn, synchronizes the appropriate change to all the connected directories. Starting and Stopping The Oracle Directory Integration Platform lifecycle events can be managed using one or more of the command line tools and consoles listed below: ■ Oracle WebLogic Scripting Tool WLST ■ Oracle Enterprise Manager Fusion Middleware Control ■ Oracle WebLogic Server Administration Console ■ Oracle WebLogic Node Manager

8.5.1.1.3 Request Flow Oracle Directory Integration Platform does not service any

external requests. Its main functionality is to support synchronization or provisioning based on the profiles created. This section describes the information flow during synchronization and provisioning. Oracle Directory Integration Platform Synchronization Service Flow Oracle Directory Integration Platform relies on the directory synchronization profiles to synchronize changes between Oracle Internet Directory and the connected directories. Depending on where the changes are made, synchronization can occur: ■ From a connected directory to Oracle Internet Directory ■ From Oracle Internet Directory to a connected directory ■ In both directions Synchronizing from Oracle Internet Directory to a Connected Directory Oracle Internet Directory maintains a change log in which it stores incremental changes made to directory objects. It stores these changes sequentially based on the change log number. Synchronization from Oracle Internet Directory to a connected directory makes use of this change log. Consequently, when running the Oracle Directory Integration Platform, you must start Oracle Internet Directory with the default setting in which change logging is enabled. Each time the Oracle Directory Integration Platform Synchronization Service processes a synchronization profile, it: 1. Retrieves the latest change log number up to which all changes have been applied. 2. Checks each change log entry more recent than that number. 3. Selects changes to be synchronized with the connected directory by using the filtering rules in the profile. Configuring High Availability for Identity Management Components 8-73 4. Applies the mapping rules to the entry and makes the corresponding changes in the connected directory. The appropriate entries or attributes are then updated in that connected directory. If the connected directory does not use DB, LDAP, tagged, or LDIF formats directly, then the agent identified in its profile is invoked. The number of the last change successfully used is then stored in the profile. Periodically, Oracle Internet Directory purges the change log after all profiles have used what they need, and identifies where subsequent synchronization should begin. Synchronizing from a Connected Directory to Oracle Internet Directory When a connected directory uses DB, LDAP, tagged, or LDIF formats directly, changes to its entries or attributes can be automatically synchronized by the Oracle Directory Integration Platform Synchronization Service. Otherwise, the connector has an agent in its synchronization profile, which writes the changes to a file in the LDIF or tagged format. The Oracle Directory Integration Platform Synchronization Service then uses this file of connected directory data to update Oracle Internet Directory. Provisioning Flow Provisioning refers to the process of providing users, groups, and other objects with access to applications and other resources that are available within an environment. A provisioning-integrated application refers to an application that has registered for provisioning events and registered a provisioning-integration profile in Oracle Internet Directory. An application can be provisioned with Oracle Directory Integration Platform Provisioning in one of the methods below: ■ Synchronous provisioning ■ Asynchronous provisioning ■ Provisioning data flow Each of these provisioning methods is described in its own section below. Synchronous Provisioning Applications that maintain user information in Oracle Internet Directory and use the Data Access Java plug-in to create, modify, and delete user entries whenever the change occurs in Oracle Internet Directory are said to be provisioned synchronously, since the Data Access Java plug-in can be invoked directly from Oracle Identity Management, including the Provisioning Console and command-line LDAP tools. Synchronous provisioning with the Oracle Directory Integration Platform Provisioning Service can be invoked from Oracle Identity Management Tools such as the Provisioning Console in the Oracle Fusion Middleware Control and bulkprov, synchronization with third-party directories, or command-line LDAP tools. Synchronous provisioning with the Oracle Directory Integration Platform Provisioning Service from Oracle Identity Management Tools such as through the Provisioning Console screen in the Oracle Fusion Middleware Control, bulk provisioning with the provProfileBulkProv command, and from third-party directories follows this process: 1. A new user entry is created in Oracle Internet Directory. 2. The Oracle Identity Management component that created the new user entry invokes the Data Access Java plug-in. 3. The Data Access Java plug-in provisions the new user account in the application. 8-74 Oracle Fusion Middleware High Availability Guide Synchronous provisioning from command line LDAP tools follows this process: 1. A command-line LDAP tool creates a new user entry in Oracle Internet Directory. 2. At the next scheduled synchronization interval, the Oracle Directory Integration Platform identifies new user entries in Oracle Internet Directory that require provisioning. 3. The Oracle Directory Integration Platform invokes the Data Access Java plug-in. 4. The Data Access Java plug-in provisions the new user accounts in the application. Asynchronous Provisioning In asynchronous provisioning, the provisioning is handled by a PLSQL plug-in and not by any component of Oracle Identity Management The Oracle Directory Integration Platform propagates PLSQL events to a provisioning-integrated application, which then executes a PLSQL plug-in to process the events. Execution of a PLSQL plug-in occurs within the application repository and not within the address space of any Oracle Identity Management component. Because provisioning is handled by a PLSQL plug-in and not by any component of Oracle Identity Management, provisioning-integrated applications that implement a PLSQL plug-in are provisioned asynchronously. Asynchronous provisioning with the Oracle Directory Integration Platform Provisioning Service can be invoked from Oracle Identity Management Tools such as Provisioning Console and bulkprov, synchronization with third-party directories, or command-line LDAP tools. Asynchronous provisioning from Oracle Identity Management Tools such as the Provisioning Console, bulk provisioning with the provProfileBulkProv command, and third-party directories follows this process: 1. A new user entry and an associated entry containing application-specific user preferences are created in Oracle Internet Directory. 2. At the next scheduled synchronization interval, the Oracle Directory Integration Platform identifies new user entries in Oracle Internet Directory that require provisioning. 3. Provisioning events are sent from the Oracle Directory Integration Platform to the PLSQL plug-in. Asynchronous provisioning using command line LDAP tools follows this process: 1. A new user entry is created in Oracle Internet Directory using a command-line LDAP tool. 2. At the next scheduled synchronization interval, the Oracle Directory Integration Platform identifies new user entries in Oracle Internet Directory that require provisioning, and creates an associated entry containing application-specific user preferences. 3. Provisioning events are sent from the Oracle Directory Integration Platform to the PLSQL plug-in. Provisioning Data Flow Regardless of whether it is provisioned synchronously or asynchronously, an application can invoke the Pre-Data Entry and Post-Data Entry plug-ins to enhance provisioning intelligence and implement business policies. Both plug-ins are invoked by Oracle Identity Management components such as the Oracle Internet Directory Provisioning Console and bulk provisioning with the provProfileBulkProv command. Configuring High Availability for Identity Management Components 8-75 The Pre-Data Entry plug-in populates fields according to provisioning policies. The primary purpose of this plug-in is to determine whether a user should be provisioned in an application. For example, if an organization has a a policy where only managers are provisioned for a financial application, the Pre-Data Entry plug-in can be used to identify which user entries to provision. Common user attributes are already populated when this plug-in is invoked, so it should have adequate information to make provisioning decisions. The Post-Data Entry plug-in primarily validates data entered by users for common attributes and application-specific attributes. The validation for the plug-in must be successful for provisioning to continue. The provisioning data flow follow this process: 1. Base user information is created. 2. The Pre-Data Entry plug-in is invoked, which populates fields according to policies. 3. The Post-Data Entry plug-in is invoked, which validates data entered by the user. 4. Depending on the provisioning approach, either asynchronous or synchronous provisioning procedures are invoked. If provisioning is performed with the Provisioning Console, then after the Pre-Data Entry Plug-in is invoked, but before the Post-Data Entry plug-in is invoked, an administrator can modify the application attributes.

8.5.1.1.4 Configuration Artifacts Oracle Directory Integration Platform-related

configuration details are maintained in the dip-config.xml file. This configuration file is packaged as part of the Oracle Directory Integration Platform application. The default location for the dip-config.xml file is: MW_HOMEuser_projectsdomainsdomainNameconfig fmwconfigserversserverNameapplicationsDIP_11.1.1.2.0configuration Where domainName is the name of your domain serverName is the name of your managed server. The parameters are managed using Config MBeans. Table 8–6 shows the configuration parameters required in dip-config.xml to start the Oracle Directory Integration Platform: Table 8–6 Configuration Parameters Required to Start Directory Integration Platform Parameter Description OID Host Host name of the Oracle Internet Directory to which Oracle Directory Integration Platform needs to connect. OID Port The Oracle Internet Directory port SSL Mode The SSL mode used to connect to Oracle Internet Directory. Valid values are: ■ 0: non-SSL ■ 1: SSL with no authentication handshake only. This is the default mode ■ 2: SSL with server-only authentication enabled. Authentication is based on the Trust Point Certificate. JKS Location File system location to store the Java Keystore JKS 8-76 Oracle Fusion Middleware High Availability Guide Once the Oracle Directory Integration Platform server is up and running, it reads further details from Oracle Internet Directory for handling its synchronization and provisioning functions. For information on creating synchronization profiles and provisioning profiles, see: ■ Creating Synchronization Profiles in the Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform. ■ Managing Provisioning Profiles Using oidprovtool in the Oracle Fusion Middleware Administrators Guide for Oracle Directory Integration Platform.

8.5.1.1.5 External Dependencies Oracle Directory Integration Platform uses an Oracle

Internet Directory to store its metadata. The Quartz Scheduler uses the ODSSM schema to store its scheduling information in the database. The same database is used by Oracle Internet Directory and Oracle Directory Integration Platform. The ODSSM schema required for Oracle Directory Integration Platform is created as part of Oracle Internet Directory schema creation. Oracle Directory Integration Platform is also dependent on the Oracle Credential Store Framework CSF, a secure framework provided by Oracle and the Java Keystore JKS to store wallets and credentials used to connect to Oracle Internet Directory and third party LDAP stores over SSL. Oracle Directory Integration Platform is also dependent on the Oracle Fusion Middleware Common Audit Framework, which is installed by default.

8.5.1.1.6 Oracle Directory Integration Platform Log File Oracle Directory Integration

Platform is a J2EE application deployed on top of Oracle WebLogic Server. All log messages are logged in the server log file of the Oracle WebLogic Server that the application is deployed on. The default location of the server log is: WEBLOGIC_SERVER_HOME user_projectsdomainsdomainNameserversserverNamelogs serverName -diagnostic.log

8.5.2 Oracle Directory Integration Platform High Availability Concepts