Oracle Internet Directory (OID)
Oracle Application Server Tips by Burleson Consulting
Oracle Internet Directory is an integral part of Oracle Application
Server 10g's security as the repository for user names and passwords.
However, OID is a complete directory service based on the Lightweight
Directory Access Protocol (LDAP). OID combines the capabilities of a
directory service with the power and security of the Infrastructure
repository Oracle9i database. LDAP was first used as a method of
looking up email information on the Internet; however, its use has
quickly expanded into an efficient method of storing and retrieving
all types of lookup data, even PKI keys. LDAP itself is only a
protocol for requesting information from a directory, but in the case
of OID the product includes the directory as well. This simple
capability has become the basis for looking up resources on the
Internet, such as web services and devices. In Oracle Application
Server 10g the Oracle Internet Directory can also contain application
configuration information, and its maintenance can be delegated to
different levels of administrators.
The 10g Infrastructure instance contains an instance of an OID
application, which listens for directory requests. The OID application
handles the security requirements while the Oracle repository database
handles the information storage. OID uses SSL (discussed above) to
ensure that data is not modified or intercepted during transmission.
An example of an Oracle product that can use OID is Oracle Net. Most
DBAs only use tnsnames.ora files to maintain their database connection
data. If your organization grows to a point where multiple application
servers are accessing multiple back-end databases, the tnsnames.ora
file can become problematic to maintain. In this case you can
implement an LDAP directory to centralize the location data. Oracle
Net Services can access OID to resolve database services. The client
connection strings contain connect identifiers, which are resolved by
OID. If a database is moved, only OID must be updated; the clients
keep their connect identifiers.
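The lookup just described, modelled in memory so it runs offline, is shown below as an added example; it is not code from the book or from Oracle. The configuration keys are the real ldap.ora and sqlnet.ora parameters (DIRECTORY_SERVERS, DEFAULT_ADMIN_CONTEXT, DIRECTORY_SERVER_TYPE, NAMES.DIRECTORY_PATH) and the entry layout cn=<alias>,cn=OracleContext,<admin context> with the attribute orclNetDescString is how OID stores net service names, but every host name, DN and connect descriptor in the block is constructed. It walks the NAMES.DIRECTORY_PATH order (LDAP first, then the local tnsnames.ora), and then moves a database by changing only the directory entry.

```python
"""Walk-through of how an Oracle Net client resolves a connect identifier
through OID, modelled in memory so it runs offline.

Added example for this chapter, not code from the book or from Oracle.
The configuration keys are the real ldap.ora/sqlnet.ora parameters and
the entry layout is how OID stores net service names; every host name,
DN and descriptor below is constructed.
"""
import re

# ldap.ora-style client settings (constructed values).
LDAP_ORA = {
    "DIRECTORY_SERVERS": ["oid.example.com:389"],
    "DEFAULT_ADMIN_CONTEXT": "dc=example,dc=com",
    "DIRECTORY_SERVER_TYPE": "OID",
}
# sqlnet.ora NAMES.DIRECTORY_PATH: consult the directory first, then tnsnames.ora.
NAMES_DIRECTORY_PATH = ("LDAP", "TNSNAMES")

# Stand-in for the cn=OracleContext subtree in OID (DNs lower-cased as keys).
OID_ENTRIES = {
    "cn=sales,cn=oraclecontext,dc=example,dc=com": {
        "objectclass": ["top", "orclNetService"],
        "orclnetdescstring": [
            "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.com)(PORT=1521))"
            "(CONNECT_DATA=(SERVICE_NAME=sales.example.com)))"
        ],
    },
}

# Constructed tnsnames.ora content used only by the fallback path.
TNSNAMES_ORA = """
# local file kept for aliases not yet published in OID
HR = (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db2.example.com)(PORT=1521))
      (CONNECT_DATA=(SERVICE_NAME=hr.example.com)))
"""


def service_dn(alias, admin_context=LDAP_ORA["DEFAULT_ADMIN_CONTEXT"]):
    """DN the client searches for a connect identifier (DNs compare case-insensitively)."""
    return f"cn={alias},cn=OracleContext,{admin_context}".lower()


def resolve_ldap(alias, entries=OID_ENTRIES):
    """Look the alias up in the directory; None if absent or not a net service entry."""
    entry = entries.get(service_dn(alias))
    if entry is None or "orclNetService" not in entry["objectclass"]:
        return None
    return entry["orclnetdescstring"][0]


def parse_tnsnames(text):
    """Minimal tnsnames.ora reader: ALIAS = (balanced parentheses), '#' comments dropped."""
    compact = re.sub(r"\s+", "", re.sub(r"#.*", "", text))
    result, i = {}, 0
    while i < len(compact):
        eq = compact.index("=", i)
        alias = compact[i:eq].upper()
        depth, j = 0, eq + 1
        while True:                       # consume one balanced descriptor
            depth += {"(": 1, ")": -1}.get(compact[j], 0)
            j += 1
            if depth == 0:
                break
        result[alias] = compact[eq + 1:j]
        i = j
    return result


def resolve(alias, path=NAMES_DIRECTORY_PATH):
    """Try each naming method in NAMES.DIRECTORY_PATH order; first hit wins."""
    for method in path:
        if method == "LDAP":
            found = resolve_ldap(alias)
        elif method == "TNSNAMES":
            found = parse_tnsnames(TNSNAMES_ORA).get(alias.upper())
        else:
            found = None
        if found:
            return method, found
    return None, None


def move_database(alias, new_host, entries=OID_ENTRIES):
    """Relocate a database: only the OID entry changes, every client keeps its alias."""
    entry = entries[service_dn(alias)]
    entry["orclnetdescstring"][0] = re.sub(
        r"\(HOST=[^)]*\)", f"(HOST={new_host})", entry["orclnetdescstring"][0])
    return entry["orclnetdescstring"][0]


if __name__ == "__main__":
    print(resolve("sales"))      # resolved through LDAP
    print(resolve("hr"))         # not in OID, falls back to tnsnames.ora
    move_database("sales", "db9.example.com")
    print(resolve("sales"))      # clients see the new host without any file change
```

The order in NAMES_DIRECTORY_PATH is the point to watch: with LDAP first, a stale tnsnames.ora entry is ignored whenever OID knows the alias, which is what makes the single update in OID sufficient after a database move.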
OID is maintained using a Java-based GUI called oidadmin, located in
the Infrastructure's $ORACLE_HOME/bin directory. In Windows, go to the
Start menu and navigate to the Oracle Directory Manager program. When
the Oracle Directory Manager starts it will ask you to connect to a
server. Use the OID information entered when installing the midtier
instance. You will next see the log-on screen (Figure 12-1).
Figure 12-1: Oracle Directory Manager Logon Screen.
The user name is orcladmin and the password is the ias_admin password
you selected during the infrastructure installation. Once you have
connected, the Oracle Directory Manager opens as seen in Figure 12-2.
Figure 12-2: Oracle Directory Manager
The Oracle Directory Manager, like OID, is built on a tree structure.
I created a Portal user called Sam Spade and used Oracle Directory
Manager to locate the entry. I executed a search in the Entry
Management branch for entries beginning with "sam" and got the results
shown in Figure 12-3.
Figure 12-3: Oracle Directory Manager: Entry Data.
Looking around the Oracle Directory
Manager you will find data pertaining to users, application
configuration, database connectors and security profiles. For
detailed explanations of the capabilities of the Oracle Directory
Manager, refer to the Oracle OID documentation.
Delegated Administration Services
Delegated Administration Services (known as DAS) provides application
server components with secure access to OID. DAS is actually a set of
utilities which act as intermediaries to the information in OID. Each
application server component requests directory information from DAS,
which then retrieves the information from OID. An example of a DAS
service is the password verifier. An application passes the
authentication information to the password verifier, which validates
it. In this way, the application does not have to be granted
privileges on OID, since it never accesses OID directly.
DAS establishes a tree structure to manage the administration of OID.
There is a Global Administrator at the top of the tree. Below the
Global Administrator are sets of Realms that each have a Realm
Administrator. Below the Realm Administrator are the users that belong
to that Realm. Users that have common privileges and roles can be
placed in a Group.
One advantage of using DAS is increased security for access to OID. In
Oracle Application Server 10g, the user accesses a servlet or
application to get a result. If the servlet or application needs
information from OID, it sends the request to DAS, which in turn
retrieves the required information from OID and returns it. This adds
an additional layer to the process, but it ensures that a malicious
user never accesses OID directly.
One of the useful tools provided by
DAS is the Self Service Console.
Oracle Internet Directory Self-Service Console
Although the Oracle Directory Manager is a powerful tool, as the
application server administrator you will probably find it easier to
use the web-based tool oiddas, the OID Self Service Console. The OID
Self Service Console (SSC) is part of the Delegated Administration
Services. This tool is much easier to use when managing a user. To
access SSC, open your browser, point to the infrastructure OHS port,
and add the oiddas directory to the URL.
http://appsvr.proxitec.com:7777/oiddas
This will bring up the Oracle Internet Directory Self Service Console
web site, Figure 12-4, which was installed along with the
infrastructure. This screen allows you to view your own profile, or
create another user (if you have that privilege). This is a powerful
tool because it allows you to enter the basic user information (names,
passwords, roles) and allows the user to fill in other data (address,
etc.). Depending on their assigned privileges, both users and
administrators can use the SSC to update and maintain user
information.
Figure 12-4: Oracle Internet Directory Self Service Console
The Self Service Console integrates with Single Sign-On to
authenticate a user. To log on, select a link or the Login link. The
administrator user name is "orcladmin" and the password is the
ias_admin password from the infrastructure install. After login, you
return to the Self Service Console. From the Home page you can select
My Profile to review your own account information as seen in Figure
12-5.
Figure 12-5: Oracle Internet Directory Self Service Console: My Profile page
Selecting the "Edit My Profile" button (or the My Profile tab) will
take you to a page that allows you to edit your account information or
upload a photo. Across the top of the page are links that allow you to
change your password, etc.
Users
If you select the Directory tab the console displays the Directory
page, where you can search for other users in the directory. The
example in Figure 12-6 shows a listing of all users whose user name
begins with "sam". As the orcladmin user, I can create a new user or
edit a current user. To edit a current user, locate the user with the
Search feature, select the user's radio button and then select the
Edit button. To simply see the user's information, select the user
name link directly. If I wanted to list all users I would select the
Go button with a blank Search field and all users are listed.
Figure 12-6: OID SSC: Directory Users page
Groups
As the name implies, Groups are groups of users. A group can be
private (only visible to the members) or public (visible to all
users). A group is owned by its creator and by whoever is added to its
owner list; another group can also own a group. Group membership
includes users and other groups. If a group is created as a privileged
group then you can assign privileges to the group. I created an
Employee Group called EMP in Figure 12-7. I added Samantha Heart (the
Human Resource Clerk) as the owner and I added all the example users
as members.
Figure 12-7: OID SSC Create Group EMP
After returning to the Group page, I can list all current groups by
selecting Go with an empty Search field. As seen in Figure 12-8, the
Company Employee group is listed. To view the group information I can
select the Company Employee link. Because I did not make the EMP
group a privileged group, I cannot assign privileges to it. However, I
can make the group a privileged group by selecting the group radio
button and selecting Edit. Here I can select the checkbox to make EMP
a privileged group. Now I can assign privileges to this group by
selecting the group's radio button and then selecting the Assign
Privileges button. Figure 12-8 demonstrates granting the members of
the EMP group the privileges that allow them to create, edit and
delete users.
Figure 12-8: OID SSC Assign Group Privileges.
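The delegation tree from the Delegated Administration Services section (global administrator, realms with a realm administrator, users and groups) and the privileged-group rule just demonstrated with EMP can be captured in a small access-decision model. The block below is an added example, not Oracle's code and not the book's: orcladmin and the DEFAULT COMPANY realm come from the chapter, while every other user, realm, group and privilege name (realmadmin, PARTNER, STAFF, create_user and so on) is constructed. It goes slightly beyond the text in one respect: membership is resolved through nested groups, since the chapter says group membership can include other groups.

```python
"""In-memory model of the DAS delegation tree described in this chapter:
a global administrator, realms that each have a realm administrator,
users and groups inside a realm, and privileges that can be assigned
only to groups flagged as privileged (nested groups inherit them).

Added example, not Oracle's code and not the book's. orcladmin and the
DEFAULT COMPANY realm come from the chapter; every other user, realm,
group and privilege name is constructed.
"""
from dataclasses import dataclass, field

GLOBAL_ADMIN = "orcladmin"
USER_MGMT = {"create_user", "edit_user", "delete_user"}   # constructed privilege names


@dataclass
class Group:
    name: str
    realm: str
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)   # user names, or "group:<name>" for nested groups
    privileged: bool = False
    privileges: set = field(default_factory=set)


@dataclass
class Directory:
    realm_admins: dict = field(default_factory=dict)   # realm -> realm administrator
    users: dict = field(default_factory=dict)          # user -> realm
    groups: dict = field(default_factory=dict)         # group name -> Group

    def create_realm(self, actor, realm, admin):
        """Only the global administrator may create realms; returns False otherwise."""
        if actor != GLOBAL_ADMIN:
            return False
        self.realm_admins[realm] = admin
        self.users.setdefault(admin, realm)
        return True

    def add_user(self, name, realm):
        self.users[name] = realm

    def assign_privileges(self, group_name, privs):
        """Privileges stick only to a privileged group; a plain group is refused."""
        group = self.groups[group_name]
        if not group.privileged:
            return False
        group.privileges |= set(privs)
        return True

    def groups_of(self, user):
        """Transitive membership: a group that contains group:<name> contains its members."""
        found = set()
        todo = [g.name for g in self.groups.values() if user in g.members]
        while todo:
            name = todo.pop()
            if name in found:
                continue
            found.add(name)
            todo.extend(g.name for g in self.groups.values() if f"group:{name}" in g.members)
        return found

    def can(self, actor, priv, target_user):
        """Decide whether actor may exercise priv on target_user's entry."""
        realm = self.users.get(target_user)
        if realm is None:
            return False
        if actor == GLOBAL_ADMIN:                        # top of the tree: everything, everywhere
            return True
        if self.realm_admins.get(realm) == actor:        # realm administrator: own realm only
            return True
        return any(priv in self.groups[g].privileges and self.groups[g].realm == realm
                   for g in self.groups_of(actor))       # delegated via a privileged group


def build_example():
    """The chapter's scenario: the EMP group owned by the HR clerk, plus a second realm."""
    d = Directory()
    d.create_realm(GLOBAL_ADMIN, "DEFAULT COMPANY", admin="realmadmin")   # admin name constructed
    d.create_realm(GLOBAL_ADMIN, "PARTNER", admin="partneradmin")
    for user in ("sam.spade", "samantha.heart", "hr.intern"):
        d.add_user(user, "DEFAULT COMPANY")
    d.add_user("bob.partner", "PARTNER")
    d.groups["EMP"] = Group("EMP", "DEFAULT COMPANY", owners={"samantha.heart"},
                            members={"sam.spade", "samantha.heart"})
    d.groups["STAFF"] = Group("STAFF", "DEFAULT COMPANY", members={"group:EMP", "hr.intern"})
    return d


def make_privileged(d, group_name, privs):
    """The Edit -> privileged checkbox -> Assign Privileges sequence from the SSC."""
    d.groups[group_name].privileged = True
    return d.assign_privileges(group_name, privs)


if __name__ == "__main__":
    d = build_example()
    print(d.assign_privileges("EMP", USER_MGMT))                 # False: EMP is not privileged yet
    print(make_privileged(d, "EMP", USER_MGMT))                  # True
    print(d.can("samantha.heart", "edit_user", "sam.spade"))     # True, same realm
    print(d.can("samantha.heart", "edit_user", "bob.partner"))   # False, other realm
```

Two properties of the model are worth checking in a real deployment as well: a privilege granted to a group never reaches outside that group's realm, and a group that is not flagged privileged carries no privileges even if someone tries to assign them, which is exactly the refusal seen when EMP was first created.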
Services
A service is one or more applications that provide some capability. It
can perform its task for all users, or only for specific users or
groups. The Self Service Console is an example of a service.
Accounts
The Accounts page will allow you to
unlock, enable or disable an account. Select the function you want
to perform and then search for the user account. Select the account
and perform the function.
Identity Realms
As previously discussed, DAS divides users/groups into realms. Each
realm has a realm administrator. When installed, there is only one
realm, called "DEFAULT COMPANY". If you logged in as the global
administrator (installed as orcladmin) then you can create additional
realms. Select the Realm Management link at the top of the page. Empty
the text box (if necessary) and click Go to see a listing of all
current realms. Select the Create button to move to the Create
Identity Management Realm page as shown in Figure 12-9. Enter a name,
contact information and a description of the new realm. If you want to
display a logo for the realm or a product logo, select the check box
and Browse to the file. Select Submit and SSC will create the new
realm.
Figure 12-9: OID SSC: Creating an Identity Management Realm
As you can see, the Self Service
Console provides a convenient way to manage users and allows each
user to update their own information.
At this point you have a basic understanding of the Oracle Internet
Directory and the Delegated Administration Services. For additional
information on OID and DAS, including bulk loading user information
into OID, refer to the Oracle Internet Directory Administration Guide
10g.
One of the components of the Oracle
Application Server 10g that uses DAS and OID extensively is Single
Sign-On.
This is an excerpt from "Oracle
10g Application Server Administration Handbook" by Don Burleson
and John Garmany.