Preparing the Directory for Enterprise User Security (Phase One)

This configuration phase must be performed before you can configure any other part of Enterprise User Security.

Enterprise User Security for 12c Release 1 (12.1) requires Release 9.0.4 (or later) version of Oracle Internet Directory, which installs with the required version of the Oracle schema. This schema is backward compatible. After you have installed Oracle Internet Directory, perform the following directory usage configuration tasks:

Task 1: (Optional) Create an identity management realm in the directory

If necessary, use Oracle Internet Directory Self-Service Console (Delegated Administration Service) to create an identity management realm in the directory. You can use Oracle Internet Directory Configuration Assistant to upgrade an Oracle9i Oracle Context to a 9.0.4 or higher version Identity Management Realm.

You must have version 9.0.4 (or later) identity management realm to use Oracle Database 10g or Oracle Database 11g. Version 9.0.4 realms are backward compatible to Oracle9i, so you can register Oracle9i and Oracle Database 12c Release 1 (12.1) in the same realm and place them in the same domain, if desired.

See Also:

Oracle Identity Management Guide to Delegated Administration for more information on creating identity management realms in Oracle Internet Directory

Task 2: (Optional) Set identity management realm properties

Table 4-1 shows the defaults for a version 9.0.4 identity management realm.

Table 4-1 Identity Realm Defaults

User Search Base Group Search Base Login Name Attribute (nickname)

cn=Users,realm_DN

cn=Groups,realm_DN

uid, the user id

If you want different settings, then use Oracle Internet Directory Self-Service Console to set the user search base, group search base, and login name attribute (nickname). You can also set up the necessary context administrators in the identity management realm you plan to use in the directory.

To perform this task, see "Setting Properties of an Identity Management Realm".

Note:

Each identity management realm includes an orcladmin user who is the root user of that realm only. These realm-specific orcladmin users are represented by the directory entries cn=orcladmin,cn=Users,<realm_DN>. Note that when you are logged in to Enterprise User Security administration tools as a realm-specific orcladmin user, then you can only manage directory objects for that realm. To manage objects in another realm, you must log in to administration tools as the orcladmin user for that realm.

Task 3: Identify administrative users in the directory

Identify administrative users in the directory who are authorized to perform the following tasks:

  • Register databases

  • Administer database security

  • Create and manage enterprise domains

If administrative users do not already exist who can perform these tasks, then see Administering Enterprise User Security to create them.

Note:

Although one administrator can perform all Enterprise User Security administrative tasks, you can create many different kinds of administrators so security tasks can be assigned to different people. Separating security tasks in this way results in a more secure enterprise environment, but this requires coordination among the different administrators.

Task 4: (Optional) Set the default database-to-directory authentication type for the identity management realm

By default, the database-to-directory authentication type for the identity management realm is set to passwords. If you want a different default setting, then use the Oracle Enterprise Manager interface to change it. For example, if you are using a public key infrastructure (PKI), then you would need to set the authentication type to SSL. See "Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm".

Note:

Task 5: (Optional) Configure your Oracle home for directory usage

This step is optional because users of Domain Name System (DNS) discovery (automatic domain name lookup to locate the directory on a network) do not need to perform this step. (See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about DNS server discovery.)

If you are not using DNS discovery, then you must use Oracle Net Configuration Assistant (NetCA) to create an ldap.ora file for your Oracle home. This configuration file specifies the directory host and port information, and the location of the identity management realm so the database can connect to the directory. (See "Starting Oracle Net Configuration Assistant")

To create an ldap.ora file for your Oracle home:

  1. In the Oracle Net Configuration Assistant welcome page, choose Directory Service Usage Configuration, and click Next.

  2. On the Directory Usage Configuration page, select an option appropriate for your environment. Then follow the prompts in the wizard and refer to the online Help to create an ldap.ora file for your Oracle home.

    Note:

    • SSL authentication between your database and directory requires that the SSL port entered in the ldap.ora file support two-way authentication, in which both client and server send certificates to each other. Thus, you must acquire a PKI digital certificate and wallet for Oracle Internet Directory, and bring up Oracle Internet Directory in the SSL mutual authentication mode. The second port in the ldap.ora file should have the SSL mutual authentication port. (See Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.)

    • If you are using password authentication for your database-to-directory connection, then the SSL port entered in the ldap.ora file must support SSL with no authentication. No wallet or certificate is required for Oracle Internet Directory. The second port in the ldap.ora file should have the SSL no authentication port.

See Also:

"Configuring Your Database to Use the Directory" for an example of using NetCA to configure directory usage

Task 6: Register the database in the directory

After you have configured your Oracle home for directory usage, use Database Configuration Assistant to register the database in the directory. Registration creates an entry in the directory so the database can bind (log in) to it.

Note:

To perform this task, you must be the directory superuser or a member of either the OracleDBCreators group or the OracleContextAdmins group.

When registering a database in the directory, Database Configuration Assistant performs the following configuration tasks:

  • Creates a new database service entry and subtree, and assigns a DN to it in the Oracle Context for the identity management realm you are using.

  • Adds the database to the default enterprise domain.

  • Establishes the authentication type of the database to the directory by setting the LDAP_DIRECTORY_ACCESS parameter to one of the three allowable settings: NONE, PASSWORD, or SSL. Database Configuration Assistant reads the default database to directory authentication attribute setting for the identity management realm to determine the authentication type setting for the database.

    The LDAP_DIRECTORY_ACCESS parameter, residing in the database initialization parameter file, determines whether and how the database attempts authentication to the directory. An administrator can change this authentication type setting by using the ALTER SYSTEM command.

  • Creates a database wallet, containing the database DN in the following form:

    cn=short_database_name,cn=OracleContext,realm_DN

    where short_database_name is the first part of the fully qualified domain name for a database.

    For example, if you have a database named db1.us.example.com, then the short database name is db1.

  • Randomly generates a database password for directory access, storing it in the database wallet and in the directory.

  • After creating the wallet, Database Configuration Assistant stores it at $ORACLE_BASE/admin/Oracle_SID/wallet (in UNIX environments), if the ORACLE_BASE environment variable is present. If the ORACLE_BASE environment variable is not present, then the $ORACLE_HOME/admin/Oracle_SID/wallet directory is used.

    In Windows environments, replace the slashes (/) with backslashes (\).

    If a database wallet already exists, then Database Configuration Assistant uses it and updates the password in the wallet.

  • Enables autologin for the database wallet.

Note:

The database's password-based credentials for authentication to Oracle Internet Directory are placed in the wallet when an Oracle database is registered in Oracle Internet Directory.

To register a database with the directory:

See "Starting Database Configuration Assistant" to start this tool.

  1. After starting Database Configuration Assistant, select Configure Database Options in a Database and click Next.

  2. Select a database and click Next.

  3. To register the database, click Yes, Register the Database.

  4. Enter a Custom Database Name for the database.

    The ability to specify a custom database name is new in Oracle Database 12c Release 1 (12.1). By default, the database CN (first part of the DN or the distinguished name) in the directory is the DB_UNIQUE_NAME. You can change this to a custom value.

  5. Enter the directory credentials for a user in the OracleDBCreators group.

  6. Enter a password for the database wallet.

    Note:

    Remember the database wallet password you entered in Step 5. It cannot be retrieved after you finish database registration. If you do not know the password, a multistep process is required to generate a new wallet and reregister the database. See "About the Database Wallet and Password" for further information.

  7. Click Finish if you are only registering the database. Click Next if you want to configure additional database features.

    See Also:

    "Registering Your Database with the Directory" for an example of using DBCA to register the database

To change the database's directory password:

After starting Database Configuration Assistant, select Configure Database Options in a Database, and click Next.

  1. Select a database and click Next.

  2. Select Regenerate database password.

  3. Enter the directory credentials for a user in the OracleDBCreators group and a password for the database wallet. Click OK.

  4. Click Finish if you are only regenerating the password. Click Next if you want to configure additional database features.

To unregister a database from the directory:

See "Starting Database Configuration Assistant" to start this tool.

  1. After starting Database Configuration Assistant, select Configure Database Options in a Database and click Next.

  2. Select a database and click Next.

  3. To unregister the database, select the Unregister option.

  4. Enter the directory credentials for a user with the appropriate permissions.

  5. Enter a password for the database wallet.

When you unregister a database from the directory, Database Configuration Assistant performs the following configuration tasks:

  • Removes the database entry and subtree from the directory.

  • Sets the LDAP_DIRECTORY_ACCESS parameter to NONE.

  • Removes the database from its enterprise domain (if the user has sufficient permissions).

    Note:

    Depending on user permissions, Database Configuration Assistant may be unable to remove a database from its domain in the directory. If it cannot, then use Oracle Enterprise Manager to remove it from the enterprise domain.

  • Does not remove the database wallet.

    See Also:

    "About Oracle Wallet Manager" and "Deleting an Oracle Wallet" for more information about deleting the wallet

Note:

To succeed at unregistering an Oracle Database from Oracle Internet Directory by using Database Configuration Assistant, you must be one of the following:

  • A member of the Oracle Context Admin group

  • A member of both the Database Admin group (for the database you are unregistering) and the Database Security Admin group

  • A member of both the Database Admin group (for the database you are unregistering) and the Domain Admin group (for the enterprise domain that contains the database).