Understanding the expressSyncSetup Command

17-10 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

Mapping rules govern the way data is transformed when a source directory and a destination directory are synchronized. Customize the default mapping rules found in the sample profiles when you need to do the following:

■ Change distinguished name mappings. The distinguished name mappings establish how the third-party directory DIT maps to the Oracle Internet Directory DIT.
■ Change the attributes that need to be synchronized.
■ Change the transformation mapping rules that are applied during synchronization.

You can perform any mapping as long as the resulting data in the destination directory conforms to the schema of that directory. Once you have established a working synchronization between Oracle Internet Directory and a third-party directory, you can customize the attribute mapping rules for your synchronization profiles to meet the needs of your deployment.

To customize the attribute mapping rules for your synchronization profiles:

1. Make a duplicate of the sample mapping rules file. The sample mapping rules files are stored in the ORACLE_HOME/ldap/odi/conf directory with the extension map.master for the various profiles.

2. Edit the duplicated mapping rules file to make the modifications described above. You can find instructions for editing mapping rules in "Configuring Mapping Rules" on page 6-3.

3. After the changes are made, use the update operation of the manageSyncProfiles command to update the profile. For example, the following command updates a profile named myImportProfile with a properties file named myPropertiesFile:

   manageSyncProfiles update -profile myImportProfile -file myPropertiesFile

4. Wait until the scheduling interval has elapsed, and then check the synchronized users and groups to ensure that the attribute mapping rules meet your requirements.

Note: When a synchronization is underway, it relies on the mapping rules configured prior to any changes in the directory. To ensure consistent mapping, you may need to remove an already synchronized entry or perform a full synchronization.

See Also:
■ The section "Configuring Mapping Rules" on page 6-3 for a full discussion of mapping rules
■ The section "Supported Attribute Mapping Rules and Examples" on page 6-10 for examples of how attribute values are transformed when synchronized from one directory to another
■ The file ORACLE_HOME/ldap/odi/conf/activeimp.map.master for an example of import mapping rules

See Also: The manageSyncProfiles section in the Oracle Directory Integration Platform tools chapter of the Oracle Identity Management User Reference

Configuring Synchronization with a Third-Party Directory 17-11

17.3.4 Configuring the Third-Party Directory Connector for Synchronization in SSL Mode

By default, SSL is not enabled for the import and export synchronization profiles created with the expressSyncSetup command. Whether or not you synchronize in SSL mode depends on your deployment requirements. For example, synchronizing public data does not require SSL, but synchronizing sensitive information such as passwords does. To synchronize password changes between Oracle Internet Directory and a third-party directory, you must use SSL server authentication mode. Securing the channel requires:

■ Enabling SSL between Oracle Internet Directory and the Oracle Directory Integration Platform
■ Enabling SSL between the Oracle Directory Integration Platform and the third-party directory

Although you can enable SSL either between Oracle Internet Directory and the Oracle Directory Integration Platform or between that server and the third-party directory, Oracle recommends that you completely secure the channel before you synchronize sensitive information. In certain cases, such as password synchronization, synchronization can occur only over SSL.

Configuring SSL requires the following:

■ Running the Oracle directory server in SSL mode as described in the chapter on Secure Sockets Layer (SSL) in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
■ Running the Oracle Directory Integration Platform in SSL mode as described in Chapter 2, "Security Features in Oracle Directory Integration Platform". The SSL mode for Directory Integration Platform must be the same mode used when the Oracle Internet Directory server started. SSL mode 1 is no authentication and SSL mode 2 is server authentication.
■ Running the third-party directory server in SSL mode. Communication with a third-party directory over SSL requires SSL server authentication. This requires that both Oracle Internet Directory and the Oracle Directory Integration Platform be run in SSL server authentication mode.

Note: Be sure that you can successfully synchronize users in non-SSL mode before attempting to configure your synchronization profiles for SSL.

Tip: You may find it helpful to add test users and groups to Oracle Internet Directory or the third-party directory when customizing attribute mapping rules.

Perform the following steps to configure communication with a connected directory in SSL mode:

1. Generate a certificate for the connected directory. Only the trust point certificate from the server is required. Put the certificate in the connected directory's certificate store.

2. Export the trusted Certificate Authority (CA) certificates to Base 64 encoded format.

3. Import the trusted CA certificates into the Java KeyStore (JKS) using the keytool command. If Oracle Directory Integration Platform is already using an existing JKS, identify its location using the -keystore PATH_TO_JKS option. If Oracle Directory Integration Platform does not already have a JKS to use, keytool creates one at the location identified by the -keystore PATH_TO_JKS option. For example:

   keytool -importcert -trustcacerts -alias mycert -file PATH_TO_CERTIFICATE \
     -keystore PATH_TO_JKS

   If this is the first time you are using the JKS identified by the -keystore PATH_TO_JKS option, you must provide its password and also perform the following steps a and b:

   a. Update the Directory Integration Platform configuration with the keystore location and password used in step 3 by using the manageDIPServerConfig command. For example:

      manageDIPServerConfig set -h HOST -p PORT -D WLS_USER \
        -attribute keystorelocation -value PATH_TO_JKS

   b. Update the credential in the Credential Store Framework (CSF) using the following WLST command, replacing the PASSWORD variable with the password used when the keystore was created:

      createCred(map="dip", key="jksKey", user="jksUser", password="PASSWORD", desc="jks password")

4. Modify the third-party directory connection information, including the host name, profile, and connectedDirectoryURL attribute, using the update operation of the manageSyncProfiles command:

   manageSyncProfiles update -profile profile_name -file myMapFile

   When you configure the connectedDirectoryURL attribute, use the following format:

   host:port:sslmode

   The supported values for sslmode are listed in Table 17–1.

5. If you used a new JKS in step 3, you must restart the Oracle Directory Integration Platform in SSL mode. If you used an existing JKS in step 3, go to step 6 now.

6. Add a test user and verify that it synchronizes successfully. If the test user does not synchronize successfully, then troubleshoot your SSL configuration.

Table 17–1 Supported Values for sslmode in connectedDirectoryURL Attribute

Supported sslmode Value   Description
                          No SSL mode. Supported for all directory types.
1                         No Authentication mode. No certificate. Supported only for Oracle Internet Directory.
2                         Server-Only Authentication mode. Requires certificate. Supported for all directory types.

Note: The Oracle Directory Integration Platform does not support SSL in client/server authentication mode.
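The preconditions in this section (DIP and Oracle Internet Directory must run in the same SSL mode, sslmode 1 is valid only for Oracle Internet Directory, sslmode 2 needs the trusted CA certificate from step 3 in the DIP keystore, and password synchronization must use server authentication on every hop) are easy to violate one profile at a time. The following Python audit is an added example, not code from the Oracle guide or the product: it parses connectedDirectoryURL values in the host:port:sslmode form, checks each profile against Table 17–1 and the password-synchronization rule, and runs over constructed profile records. The numeric value for the "No SSL mode" row (assumed here to be 0, since it is not legible in this extract), the profile names, host names and the directory-type labels are assumptions; in a real deployment those values come from the manageSyncProfiles output.

```python
"""Audit Oracle Directory Integration Platform sync profiles against the SSL
preconditions of section 17.3.4.  Added example, not Oracle's own code.

Assumptions (labelled): the numeric sslmode for the "No SSL mode" row is taken
to be 0 (the value is not legible in this extract); profiles are modelled as
constructed records rather than read from manageSyncProfiles output.
"""
from dataclasses import dataclass, field
from typing import List

SSL_NONE = 0         # assumed value for the "No SSL mode" row of Table 17-1
SSL_NO_AUTH = 1      # No Authentication mode, no certificate, Oracle Internet Directory only
SSL_SERVER_AUTH = 2  # Server-Only Authentication mode, requires a trusted certificate


@dataclass
class ConnectedDirectoryURL:
    host: str
    port: int
    sslmode: int


def parse_connected_directory_url(value: str) -> ConnectedDirectoryURL:
    """Parse the host:port:sslmode form used by the connectedDirectoryURL attribute."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected host:port:sslmode, got {value!r}")
    host, port_s, mode_s = parts
    if not host:
        raise ValueError("host must not be empty")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"port must be 1-65535, got {port_s!r}")
    if not mode_s.isdigit() or int(mode_s) not in (SSL_NONE, SSL_NO_AUTH, SSL_SERVER_AUTH):
        raise ValueError(f"sslmode must be 0, 1 or 2, got {mode_s!r}")
    return ConnectedDirectoryURL(host, int(port_s), int(mode_s))


@dataclass
class Profile:
    name: str
    connected_directory_url: str
    directory_type: str           # "OID" for Oracle Internet Directory, any other label for third-party
    synchronizes_passwords: bool  # True when the profile maps password attributes


@dataclass
class DipDeployment:
    oid_ssl_mode: int           # mode the Oracle Internet Directory server was started in
    dip_ssl_mode: int           # mode DIP runs in; must equal oid_ssl_mode
    keystore_configured: bool   # keystorelocation set and trusted CA imported (step 3)
    profiles: List[Profile] = field(default_factory=list)


def audit(dep: DipDeployment) -> List[str]:
    """Return one finding per violated precondition; an empty list means the deployment is consistent."""
    findings = []
    if dep.dip_ssl_mode != dep.oid_ssl_mode:
        findings.append(f"DIP SSL mode {dep.dip_ssl_mode} differs from OID server mode {dep.oid_ssl_mode}")
    for p in dep.profiles:
        try:
            url = parse_connected_directory_url(p.connected_directory_url)
        except ValueError as exc:
            findings.append(f"{p.name}: malformed connectedDirectoryURL ({exc})")
            continue
        if url.sslmode == SSL_NO_AUTH and p.directory_type != "OID":
            findings.append(f"{p.name}: sslmode 1 is supported only for Oracle Internet Directory")
        if url.sslmode == SSL_SERVER_AUTH and not dep.keystore_configured:
            findings.append(f"{p.name}: sslmode 2 requires the trusted CA certificate in the DIP keystore")
        if p.synchronizes_passwords:
            if url.sslmode != SSL_SERVER_AUTH:
                findings.append(f"{p.name}: password synchronization requires sslmode 2 to the connected directory")
            if dep.oid_ssl_mode != SSL_SERVER_AUTH or dep.dip_ssl_mode != SSL_SERVER_AUTH:
                findings.append(f"{p.name}: password synchronization requires OID and DIP in server authentication mode")
    return findings


# Constructed deployment: OID and DIP both run in mode 2, but the CA certificate
# from step 3 has not yet been imported into the DIP keystore, and one profile
# has a mistyped connectedDirectoryURL.
SAMPLE_DEPLOYMENT = DipDeployment(
    oid_ssl_mode=SSL_SERVER_AUTH,
    dip_ssl_mode=SSL_SERVER_AUTH,
    keystore_configured=False,
    profiles=[
        Profile("adPasswordImport", "ad.example.com:636:2", "ActiveDirectory", True),
        Profile("adPublicImport", "ad.example.com:389:0", "ActiveDirectory", False),
        Profile("oidExport", "oid.example.com:3131:1", "OID", False),
        Profile("typoProfile", "ad.example.com:389", "ActiveDirectory", False),
    ],
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOYMENT):
        print("FINDING:", finding)
```

Running the block against the constructed deployment reports two findings: the password-import profile is set to sslmode 2 before the keystore is ready, and the mistyped URL is rejected by the parser. The public-data profile in no-SSL mode and the OID export in mode 1 pass, which matches the section's guidance that SSL is required for sensitive data rather than for every profile.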