Migrating from ODSEE, ISW To OUD, DIP. WLS, OID, Configure WLS, OID, OUD required for DIP Instances – Part 4


Below I continue with how to migrate from ODSEE, ISW to OUD, DIP. You can access the other parts here: Part 1, Part 2, and Part 3.

Since the migration is quite complex, I am splitting the configuration into separate parts.

This is part 4, Install, Configure WLS, OID, OUD to work with DIP.

Configure WLS And DIP instance

Note: Before continuing with the below, please make sure to check out Part 2 and Part 3, which cover how to install and configure the WLS, OID and OUD instances.

Let's start by configuring WebLogic; you do so by running the below.

Completed the setup.

Next, we are going to set a password for the domain to start without user intervention.

Now, we need to start the domain(s).

tail -f the nohup.out for progress, until you see a line with the word RUNNING.

Configuring / creating DIP domain(s)

Note: To be able to run the configuration without an Oracle DB, you have to include OUDSM as part of the configuration.

Below we are creating an OUDSM domain by using the WLST command line interface.

Next, stop the WebLogic instance which is running (leave the NodeManager running).

DIP and OUD certificate key configuration

In order for DIP to use SSL for communication, the DIP instance needs to import the certificate keys of OUD and of Active Directory (AD) or any other connected directory.
For DIP I will be using a keystore stored in /oud/certs/dip1-dip2oud.jks.

Note: I will be using the same OUD key for the DIP instance, as the CN is already included (i.e. the steps below are not needed in our configuration). They are included just for reference, in case you would like to create a new DIP certificate key (CA and key).

Creating a DIP CA and key

Now, let's continue with the OUD keys for DIP.
You will need to export the OUD admin key for DIP to connect over SSL; to do so, just run the below.
To get the OUD regular and admin certificates, run the below.

You can also get the admin certificate by running the below (copy everything from BEGIN CERTIFICATE to END CERTIFICATE).

Now let's start the WebLogic domain instance; you do so by running the below.

Next, let's start the DIP WebLogic instance; you do so by running the below.
But first, create a boot.properties file (so no password is prompted at startup).
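The boot.properties file holds the admin credentials in clear text until the server's first successful boot, when WebLogic rewrites the values in encrypted form. The script below is an added example (not code from the original post): it creates the file under the managed server's security directory with owner-only permissions and offers a check that reports whether the file is still in plain text or has been encrypted. The domain home, the server name (wls_ods1 from this post) and the credentials are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a WebLogic boot.properties
# for a managed server so it starts without prompting, keeping the file owner-only.
# All paths, the server name and the credentials are assumptions supplied by the caller.

# create_boot_properties DOMAIN_HOME SERVER_NAME USERNAME PASSWORD
# Prints the path of the created file.
create_boot_properties() {
    domain_home=$1; server=$2; user=$3; pass=$4
    sec_dir="$domain_home/servers/$server/security"
    mkdir -p "$sec_dir"
    # Restrictive umask *before* the file is created: the password is in clear text
    # until WebLogic encrypts the file on the server's first successful boot.
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$sec_dir/boot.properties" )
    chmod 600 "$sec_dir/boot.properties"
    echo "$sec_dir/boot.properties"
}

# boot_properties_state FILE
# Prints one of: missing, world-readable, plaintext, encrypted.
# WebLogic prefixes encrypted values with {AES} (older releases: {3DES}).
boot_properties_state() {
    file=$1
    [ -f "$file" ] || { echo "missing"; return 1; }
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = "600" ] || { echo "world-readable"; return 1; }
    if grep -Eq '^password=\{(AES|3DES)\}' "$file"; then
        echo "encrypted"
    else
        echo "plaintext"
    fi
}

# Typical use (placeholders, not real credentials):
#   f=$(create_boot_properties /oud/Oracle/Middleware/user_projects/domains/dip_domain wls_ods1 weblogic 'changeme')
#   boot_properties_state "$f"
```

Run the state check again after the first start of wls_ods1: it should report encrypted, and the file should still be mode 600.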

Access console
http://dip1.domain.com:7001/console/
Access DIP
http://dip1.domain.com:7001/em/
Access OUDSM
http://dip1.domain.com:7001/oudsm

Next, we modify the DIP configuration with the JKS (keystore) location; this JKS keystore is used for all SSL communication between DIP and OUD/AD/etc.

Next, we need to create a new WebLogic credential store entry for the pass key.

DIP binding configuration

We are now ready to configure DIP with the OUD instance; you do so by running the below.

Note: To view the DIP initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

Add the DIP ACIs to your OUD instance.

We are now ready to switch DIP to SSL communication (SSL mode 2); follow the steps below to do so.

Next, modify the OUD SSL port.

Finally, verify that DIP still works with SSL enabled.
Note: You can also test this from the DIP Web UI.

If all works, restart the DIP wls_ods1 instance; this is required for DIP to start using SSL.

Adding / configuring SSL for DIP <-> AD communication

To get the AD certificates, run the below.

Now, import/add the certificate to the DIP trust store.
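Both the OUD step above (exporting the OUD admin certificate so DIP can connect over SSL) and this AD step follow the same pattern: obtain the server's certificate, check that it is the one you expect, and add it to the JKS trust store that DIP uses. The script below is an added example (not code from the original post) that does this with openssl and keytool. The keystore path /oud/certs/dip1-dip2oud.jks is the one named in this post; host names, ports, aliases and the store password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Fetches a directory server's TLS
# certificate, keeps only the leaf PEM block, imports it into the DIP trust
# store and verifies the import. Hosts, ports, aliases and passwords are assumptions.

# extract_pem: print only the first BEGIN..END CERTIFICATE block from stdin.
# openssl s_client prints handshake chatter around the certificate, and with
# -showcerts it prints the whole chain; the first block is the server's leaf cert.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# fetch_cert HOST PORT OUTFILE: connect with openssl and save the leaf cert as PEM,
# then print subject, issuer, expiry and SHA-256 fingerprint so the operator can
# confirm it is the expected server (compare against the value the directory admin gives you).
fetch_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | extract_pem > "$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
    openssl x509 -in "$out" -noout -subject -issuer -enddate -fingerprint -sha256
}

# import_trusted_cert PEMFILE ALIAS KEYSTORE STOREPASS: add the cert to the JKS used
# by DIP. -noprompt skips the interactive "Trust this certificate?" question, so only
# use it after fetch_cert's fingerprint has been checked. Then list the alias to verify.
import_trusted_cert() {
    pem=$1; alias=$2; ks=$3; storepass=$4
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$pem" \
        -keystore "$ks" -storepass "$storepass"
    keytool -list -keystore "$ks" -storepass "$storepass" -alias "$alias"
}

# Typical run (assumed hosts; 636 is LDAPS on the AD side, the OUD admin
# connector port is whatever your OUD instance was set up with):
#   fetch_cert oud1.domain.com 4444 /tmp/oud-admin.pem
#   import_trusted_cert /tmp/oud-admin.pem oud-admin /oud/certs/dip1-dip2oud.jks "$STOREPASS"
#   fetch_cert dc1.domain.com 636 /tmp/ad-dc1.pem
#   import_trusted_cert /tmp/ad-dc1.pem ad-dc1 /oud/certs/dip1-dip2oud.jks "$STOREPASS"
```

If AD presents a certificate issued by an internal CA, importing the CA certificate (with its own alias) instead of each domain controller's leaf certificate avoids re-importing whenever a DC certificate is renewed.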

Note: AD 2008 R2 and below do not support TLS 1.2 out of the box; to set the minimum TLS version DIP accepts to 1.0, follow the steps below.
https://docs.oracle.com/middleware/12213/dip/administer/GUID-5792E326-0A9E-4B16-83A7-CA8A7E1E1CC9.htm#OIMIG-GUID-89E0E64B-A175-4B22-BB86-AC7BC13059F2

Configuring WebLogic to allow TLS 1.0

Note: Specify the lowest version you need, i.e. TLSv1; this also allows TLSv1.1 and TLSv1.2.
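Since lowering the minimum protocol version applies to every outbound SSL connection the WebLogic server makes, it is worth confirming what the domain controller actually negotiates before dropping to TLSv1. The script below is an added example (not from the original post) and goes a little beyond it: it probes an LDAPS endpoint for TLS 1.2, 1.1 and 1.0 with openssl, picks the highest version that works, and prints the matching value for the WebLogic system property weblogic.security.SSL.minimumProtocolVersion (a documented WebLogic property). Host names and ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Probes which TLS versions a directory
# endpoint negotiates and derives the least-lowered minimumProtocolVersion for WebLogic.
# Hosts and ports are assumptions.

# probe_tls HOST PORT: one line per version, e.g. "TLSv1.2=ok" or "TLSv1.2=fail".
# openssl s_client's -tls1_2 / -tls1_1 / -tls1 options force a single protocol version.
probe_tls() {
    host=$1; port=$2
    for opt in tls1_2 tls1_1 tls1; do
        case $opt in
            tls1_2) name=TLSv1.2 ;;
            tls1_1) name=TLSv1.1 ;;
            tls1)   name=TLSv1 ;;
        esac
        if openssl s_client -connect "$host:$port" "-$opt" </dev/null >/dev/null 2>&1; then
            echo "$name=ok"
        else
            echo "$name=fail"
        fi
    done
}

# choose_min_protocol: read probe lines on stdin and print the highest version
# the endpoint accepted (empty if none). That is the value to use for
# minimumProtocolVersion: lowered to TLSv1 only when the DC really needs it.
choose_min_protocol() {
    best=""
    while IFS='=' read -r name result; do
        [ "$result" = "ok" ] || continue
        case $name in
            TLSv1.2) best=TLSv1.2 ;;
            TLSv1.1) [ "$best" = "TLSv1.2" ] || best=TLSv1.1 ;;
            TLSv1)   [ -n "$best" ] || best=TLSv1 ;;
        esac
    done
    echo "$best"
}

# java_options_fragment VERSION: the JVM argument to add to the DIP managed
# server's JAVA_OPTIONS (e.g. in setDomainEnv.sh or the server start arguments).
java_options_fragment() {
    echo "-Dweblogic.security.SSL.minimumProtocolVersion=$1"
}

# Example (assumed AD host):
#   v=$(probe_tls dc1.domain.com 636 | choose_min_protocol)
#   [ -n "$v" ] && java_options_fragment "$v"
```

If the probe reports TLSv1.2=ok, there is no need to lower the WebLogic minimum at all; re-run the probe after the domain controllers are upgraded so the setting can be raised again.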

OUD changes required for DIP

Allow already-hashed (pre-encoded) passwords in OUD.

Enable the change log for cn=oraclecontext, if not already done.

Configuring Password Sync

If you are synchronizing passwords in either direction (from AD => OUD or from OUD => AD), run the steps below.
From AD => OUD
Synchronize the password from a connected directory to Oracle Unified Directory by running setupPlugin, like the below.

Note: To view the Password Filter initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

From OUD => AD
Enable / configure OUD password translation by running setupPasswordTranslation, like the below.

Note: To view the Password Filter initialization logs, tail the /oud/Oracle/Middleware/Oracle_Home/ldap/log/dipConfig.log log file.

Troubleshooting and logging

To increase DIP logging, you can do so in the Web UI or in logging.xml.
The log location is.

Helpful links
Pythian has also released a very helpful SlideShare, which can be found here.

Oracle support master notes for DIP – Doc ID 1563196.1

In this article we have completed configuring the WLS and DIP instances. In Part 5 I am going to show you how to configure the ISW => DIP migration and the OUD <=> AD mappings.
To continue reading Part 5, click here.

Like what you're reading? Please provide feedback; any feedback is appreciated.
