Oracle Internet Directory
Oracle Application Server Tips by Burleson
Oracle Internet Directory is an integral
part of Oracle Application Server 10g’s security as the repository
for user names and passwords. However OID is a complete directory
service based on the Lightweight Directory Access Protocol (LDAP).
OID combines the capabilities of a directory service with the power
and security of the Infrastructure repository Oracle9i database.
LDAP was first used as a method of looking up email information on
the Internet, however its use has quickly expanded as an efficient
method of storing and retrieving all types of lookup data, even PKI
keys. It is actually a protocol used to ask for information from a
directory but in the case of OID, it includes the actual directory
also. This simple capability has become the basis for looking up
resources on the Internet, such as web services and devices. In the
Oracle Application Server 10g the Oracle Internet Directory can
contain application configuration information that can be delegated
different levels of administrators for maintenance.
The 10g Infrastructure instance
contains an instance of an OID application, which listens for
directory requests. The OID application handles the security
requirements while the Oracle repository database handles the
information storage. OID uses SSL (discussed above) to insure that
data is not modified or intercepted during transmission. An example
of an Oracle product that can use OID is Oracle Net. Most DBAs only
use tnsnames.ora files to maintain their database connection data.
If your organization grows to a point where multiple application
servers are accessing multiple back-end databases, the tnsnames.ora
file can become problematic to maintain. In this case you can
implement an LDAP directory to centralize the location data. Oracle
Net Services can access OID to resolve database services. The
client connection strings will contain connection identifiers, which
are resolved by OID. If a database is moved, only OID must be
OID is maintained using a Java based
GUI called oidadmin, located in the Infrastructure’s $ORACLE_HOME/bin
directory. In Windows go to the Start menu and navigate to the
Oracle Directory Manager program. When the Oracle Directory Manager
starts it will ask you to connect to a server. Use the OID
information entered when installing the midtier instance. You will
next see the log-on screen (Figure 12-1)
Figure 1: Oracle Directory Manager Logon
The user name is orcladmin and the
password is the ias_admin password you selected during the
infrastructure installation. One you have connected, the Oracle
Directory Manager opens as seen is Figure 12-2.
Figure 2:Oracle Directory Manager
The Oracle Directory Manager, like OID, is built on a tree structure. I created a Portal user called
Sam Spade and used Oracle Directory Manager to locate the entry. I
executed a search in the Entry Management branch for entry’s
beginning with “sam” and got the results shown in Figure 12-3.
Figure 3:Oracle Directory Manager: Entry
Looking around the Oracle Directory
Manager you will find data pertaining to users, application
configuration, database connectors and security profiles. For
detailed explanations of the capabilities of the Oracle Directory
Manager, refer to the Oracle OID documentation.
Delegated Administration Services
Delegated Administration Services
(known as DAS) provides application server components with secure
access to OID. DAS is actually a set of utilities which act as
intermediaries to the information in OID. Each application server
component will actually request directory information from DAS,
which will then retrieve the information from OID. An example of a
DAS service is the password verifier. An application will pass the
authentication information to the password verifier, which will
validate the information. In this way, the application does not
have to be granted privileges to OID since if does not directly
DAS establishes a tree structure to
manager administration if OID. There is a Global Administrator at
the top of the tree. Below the Global Administrator are sets of
Realms that each have a Realm Administrator. Below the Realm
Administrator are the users that belong to that Realm. Users that
have common privileges and roles can be placed in a Group.
One advantage of using DAS is
increased security for access to OID. In Oracle Application Server
10g, the user accesses a servlet or application to get a result. If
the servlet or application needs information from OID, it will send
the request to DAS, which will in turn retrieve the required
information from OID and return it. This process adds an additional
layer to the process however it insures that a malicious user never
access OID directly.
One of the useful tools provided by
DAS is the Self Service Console.
Oracle Internet Directory Self-Service
Although the Oracle Directory Manager
is a powerful tool, as the application server administrator you will
probably find it easier to use the web based tool oiddas or the OID
Self Service Console. The OID Self Service Console (SSC) is part of
the Delegated Administration Services. This tool is much easier to
use when managing a user. To access SSC, open you browser and point
to the infrastructure OHS port, and add the oiddas directory to the
This will bring up the Oracle Internet
Directory Self Service Console web site, Figure 12-4, which was
installed along with the infrastructure. This screen allows you to
view your own profile, or create another user (if you have that
privilege). This is a powerful tool because it allows you to enter
the basic user information (names, passwords, roles) and allows the
user to fill in other data (address, etc). Depending on their
assigned privileges, both users and administrators can use the SSC
to update and maintain user information.
Figure 4:Oracle Internet Directory Self
The Self Service Console integrates
with Single Sign-On to authenticate a user. To logon, select a link
or the Login link. The administrator user name is “orcladmin” and
the password is the ias_admin password from the infrastructure
install. After login, you return to the Self Service Console. From
the Home page you can select My Profile to review you own account
information as seen in Figure 12-5.
Figure 5:Oracle Internet Directory Self
Service Console: My Profile page
Selecting the “Edit My Profile” button (or
the My Profile tab) will take you to a page that allows you to edit
your account information or upload a photo. Across the top of the
page are links to allow you to change your password, etc.
If you select the Directory tab the
console displays the Directory page where you can search for other
users in the directory. The example Figure 12-6 shows a listing of
all users whose user name begins with “sam”. As the orcladmin user,
I can create a new user or edit a current user. To edit a current
user, locate the user with the Search feature, select the user’s
radio button and then select the Edit button. To simply see the
user’s information, select the user name link directly. If I wanted
to list all users I would select the Go button with a blank Search
field and all users are listed.
Figure 6:OID SSC: Directory Users page
As the name implies, Groups are groups
of users. A group can be private (only visible to the members) or
public (visible to all users). Its creator and whoever is added to
the owner list own a group. Another group can own a group. Group
membership includes users and other groups. If a group is created
as a privileged group then you can assign privileges to the group.
I created an Employee Group called EMP in Figure 12-7. I added
Samantha Heart (the Human Resource Clerk) as the owner and I added
all the example users as members.
Figure 7:OID SSC Create Group EMP
After returning to the Group page, I
can list all current groups by selecting Go with an empty Search
field. As seen in Figure 12 –8, the Company Employee group is
listed. To view the group information I can select the Company
Employee link. Because I did not make the EMP group a privileged
group so I cannot assign privileges to it. However I can make the
group a privileged group by selecting the group radio button and
selecting Edit. Here I can select the checkbox to make EMP a
privileged group. Now I can assign privileges to this group by
selecting the group’s radio button and then selecting the Assign
Privileges button. Figure 12 –8 demonstrates granting the members
of the EMP group the privileges that allows them to create, edit and
Figure 8:OID SSC Assign Group Privileges.
A service is one or more applications
that provide some capability. It can perform the task for all
users, groups of specific users/groups. The Self Service Console is
an example of a service.
The Accounts page will allow you to
unlock, enable or disable an account. Select the function you want
to perform and then search for the user account. Select the account
and perform the function.
As previously discussed, DAS divides
users/groups into realms. Each realm has a realm administrator.
When installed, there is only one realm called “DEFAULT COMPANY“.
If you logged in as the global administrator (installed as orcladmin)
then you can create additional realm. Select the Realm Management
link at the top of the page. Empty the text box (if necessary) and
click Go to see a listing of all current realms. Select the Create
button to move to the Create Identity Management Realm page as shown
in Figure 12-9. Enter a name, contact information and a description
of the new realm. If you want to display a Logo for the Realm or a
product Logo, then select the check box and Browse to the file.
Select Submit and SSC will create the new realm.
Figure 9:OID SSC: Creating an Identity
As you can see, the Self Service
Console provides a convenient way to manage users and allows each
user to update their own information.
At this point you have a basic
understanding of the Oracle Internet Directory and the Delegated
Administration Services. For additional information on OID and DAS,
to include bulk loading user information into OID, refer to the
Oracle Internet Directory Administration Guide 10g.
One of the components of the Oracle
Application Server 10g that uses DAS and OID extensively is Single
This is an excerpt from "Oracle
10g Application Server Administration Handbook" by Don Burleson
and John Garmany.