Sunday, November 30, 2014

OID - Active Directory Child Domain synchronization using Oracle Directory Integration Platform

Oracle Internet Directory (OID) is required as the LDAP directory when implementing SSO with Oracle Access Manager for Oracle products such as EBS. If another LDAP server, such as Microsoft Active Directory, is used across the enterprise, Oracle Directory Integration Platform (DIP) is required to synchronize the two directories.

If not all users from the third-party directory are required in OID, filters (for example on AD groups) can be used in the DIP synchronization profile to bring in only the selected users. If the AD server you connect to is a global catalog server, users from the child domain are expected to sync to OID; if instead the child domain is reachable only through a referral, the LDAP search fails with the error below.

$ORACLE_HOME/bin/ldapsearch -h ADhost -p port -D "admin@mydomain.com" -w welcome1 -b "cn=users,dc=child1,dc=mydomain,dc=com" -s sub "objectclass=*"

ldap_search: LDAP Referral Error
ldap_search: additional info: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points 

ref 1: 'child1.mydomain.com' 

If there is no global catalog server, the solution is to create a new synchronization profile in DIP that points directly to the child domain controller. The profile can target the same container in OID as the existing profile or a new one. Run the ldapsearch query against the child domain controller to verify that the filter (if any) returns all user accounts of interest, with every attribute and value that will be synchronized.

$ORACLE_HOME/bin/ldapsearch -h ChildADhost -p port -D "admin@mydomain.com" -w welcome1 -b "cn=users,dc=child1,dc=mydomain,dc=com" -s sub "objectclass=*"
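As an added check for the verification step above (example code written for this page, not part of the original post or of Oracle DIP), the following Python parses the LDIF that ldapsearch writes, reports a referral returned in place of entries, and lists user entries that lack an attribute the profile will map. The attribute list and the sample output it runs on are constructed assumptions.

```python
"""Pre-sync check on ldapsearch output. Added example, not part of the original post
or of Oracle DIP: it parses the LDIF that the ldapsearch above writes, reports a
referral instead of entries, and lists user entries missing an attribute the sync
profile will map. REQUIRED_ATTRS and the sample LDIF are constructed assumptions."""
import base64

# Attributes a typical AD -> OID import profile maps; adjust to your mapping rules (assumption).
REQUIRED_ATTRS = ("sAMAccountName", "mail", "givenName", "sn")


def parse_ldif(text):
    """Return (entries, referrals); each entry is a dict attr -> [values].
    Unfolds LDIF continuation lines and decodes base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, referrals, current = [], [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("ldap_search:"):
            continue                          # comments and the client's own error lines
        if line.startswith(("ref ", "ref:")):  # e.g. "ref 1: 'child1.mydomain.com'"
            referrals.append(line.split(":", 1)[1].strip().strip("'"))
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries, referrals


def check_sync_candidates(text, required=REQUIRED_ATTRS):
    """Summarize what a sync run would get from this search result: the referrals
    seen, the number of user entries, and {dn: [missing attributes]} per incomplete user."""
    entries, referrals = parse_ldif(text)
    users = [e for e in entries
             if "user" in [v.lower() for v in e.get("objectClass", [])]]
    incomplete = {}
    for entry in users:
        missing = [a for a in required if a not in entry]
        if missing:
            incomplete[entry["dn"][0]] = missing
    return {"referrals": referrals, "users": len(users), "incomplete": incomplete}


# Constructed sample output: two users (Bob has no mail attribute) and a computer account.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=child1,DC=mydomain,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
givenName: Alice
sn: Example
mail: alice@child1.mydomain.com

dn: CN=Bob Example,CN=Users,DC=child1,DC=mydomain,DC=com
objectClass: top
objectClass: user
sAMAccountName: bob
givenName: Bob
sn: Example

dn: CN=svc-backup,CN=Users,DC=child1,DC=mydomain,DC=com
objectClass: top
objectClass: computer
sAMAccountName: svc-backup$
"""

# Constructed copy of the referral failure shown in the post.
REFERRAL_OUTPUT = "ldap_search: LDAP Referral Error\nref 1: 'child1.mydomain.com'\n"

if __name__ == "__main__":
    print(check_sync_candidates(SAMPLE_LDIF))
    print(check_sync_candidates(REFERRAL_OUTPUT))
```

Run it over the saved output of the ldapsearch above before creating the profile: a non-empty referrals list means the query reached a domain controller that does not hold that naming context, which is exactly the situation the post describes, and the incomplete map shows which accounts would arrive in OID with empty mapped attributes.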


To manually create the AD to OID integration profile and set up the synchronization, perform the steps below:


  • Launch the FMW Enterprise Manager console and log in as the weblogic user.
  • Expand your domain and navigate to Identity and Access.
  • Select DIP.
  • From the DIP Server drop-down list select Administration, then Synchronization Profiles.
  • Using the navigation path, create a new DIP synchronization profile with a name of your choosing; this example uses AD2OID as the integration profile name. In this window you will be asked to enter the AD details.
  • For the attribute Use DIP-OID as Source or Destination, select Destination if you are using an import (AD to OID) synchronization, or Source if you are using an export (OID to AD) synchronization. For the source type, select Active Directory (MS) from the drop-down list.
  • After providing the above details on the General tab, click Test Connection. If the values are correct you will see an information dialog saying "Test Passed. Connection Successful". If the AD values on the General tab are wrong, Test Connection shows an error dialog saying Authentication Failure; correct the values and obtain a successful connection before moving further.
  • Click OK to save the profile. Then select the AD2OID profile from the list of available profiles and click Edit.
  • Select the Mapping tab and configure the mapping as follows.
Configure domain rules: click Create; in the Add Mapping Rule window, select the Source Container DN and the OID Container DN from the lookup windows provided and click OK.

Validate (or re-validate) the mapping until there are no errors; warnings are acceptable.

Make sure the user account used for the connection has read access to the subtree root.


Saturday, November 22, 2014

Configure SSL between SOA composite and external services

We had a requirement to configure two-way SSL between a SOA composite and external services; below are the steps used to import the partner's public certificate into the trust keystore used by SOA.

The default trust keystore for SOA is DemoTrust.jks, located in the $MW_HOME/wlserver_10.3/server/lib directory.

To generate a custom keystore, run the command below from $MW_HOME/wlserver_10.3/server/lib; alternatively the default JKS can be used.

keytool -genkey -alias mykey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=soa, C=AE" -keystore customcerts.jks -storepass xxxxx 

Download the security certificate from the below URL, save it as type "X.509 Certificate (PEM)" and name the file "xxxxx.crt".

Import the public certificate into your own trusted keystore using the below command.

-bash-4.1$ keytool -import -alias taleo -keystore customcerts.jks -file ../cert/xxxx.crt
Enter keystore password:  ****
Re-enter new password: *****
Owner: CN=*.taleo.net, OU=Comodo PremiumSSL Wildcard, OU=Web, O=Taleo Inc., STREET=4140 Dublin Boulevard, STREET=Suite 400, L=Dublin, ST=CA, OID.2.5.4.17=94568, C=US
Issuer: CN=COMODO High-Assurance Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Serial number: 99faa8037a4eb2faef84eb5e55d5b8c8
Valid from: Wed May 04 04:00:00 GST 2011 until: Tue Jul 05 03:59:59 GST 2016
Certificate fingerprints:
         MD5:  D3:27:02:09:99:85:0B:7C:C2:36:3D:36:21:45:DC:02
         SHA1: 33:67:A1:82:4A:60:13:C0:2A:3E:25:BB:E4:DA:86:33:87:FA:F1:34
         SHA256: 95:CB:44:39:34:BE:DA:97:62:76:88:54:61:91:AB:1D:39:89:A8:35:59:2C:EB:DD:24:34:F9:AD:41:32:4C:E1
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.comodoca.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F D5 B5 D0 D6 44 79 50   4A 17 A3 9B 8C 4A DC B8  ?....DyPJ....J..
0010: B0 22 64 6B                                        ."dk
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.1.3.4]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1D 68 74 74 70 73 3A   2F 2F 73 65 63 75 72 65  ..https://secure
0010: 2E 63 6F 6D 6F 64 6F 2E   63 6F 6D 2F 43 50 53     .comodo.com/CPS

]]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.taleo.net
  DNSName: taleo.net
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A2 76 09 20 A8 40 FD A1   AC C8 E9 35 B9 11 A6 61  .v. .@.....5...a
0010: FF 8C FF A3                                        ....
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore.
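Before answering yes at the prompt above, it is worth confirming that the certificate is the one the partner intended you to trust. The following Python is an added example written for this page (not from the post or from keytool): it parses the text keytool prints at the prompt (the same fields appear in keytool -printcert output), compares the SHA256 fingerprint with a value obtained from the partner out of band, and checks the validity period, the serverAuth extended key usage and the subject alternative names against the service hostname. The printout, fingerprint and hostname it uses are constructed.

```python
"""Check a certificate's printout before trusting it. Added example, not from the post
or from keytool: it parses the text keytool prints at the 'Trust this certificate?'
prompt (or from keytool -printcert) and lists reasons not to answer yes. The sample
printout, the expected fingerprint and the hostname are constructed assumptions."""
import re
from datetime import datetime

# Fingerprint the partner communicated out of band (constructed value).
EXPECTED_SHA256 = ("11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:"
                   "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00")

# Constructed printout in keytool's format.
SAMPLE_PRINTCERT = """\
Owner: CN=*.partner.example, O=Partner Inc., C=US
Issuer: CN=Example Issuing CA, O=Example CA Ltd, C=GB
Serial number: 0123456789abcdef
Valid from: Wed May 04 04:00:00 GST 2011 until: Tue Jul 05 03:59:59 GST 2016
Certificate fingerprints:
         SHA256: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
         Signature algorithm name: SHA256withRSA

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.partner.example
  DNSName: partner.example
]
"""


def _keytool_date(s):
    """'Wed May 04 04:00:00 GST 2011' -> datetime; the zone token keytool prints is dropped."""
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_printcert(text):
    """Pull the fields the trust decision needs out of keytool's printout."""
    m = re.search(r"Valid from: (.+?) until: (.+)", text)
    eku = re.search(r"ExtendedKeyUsages \[(.*?)\]", text, re.S)
    sha = re.search(r"SHA256:\s*([0-9A-Fa-f:]+)", text)
    sig = re.search(r"Signature algorithm name:\s*(\S+)", text)
    return {
        "not_before": _keytool_date(m.group(1)),
        "not_after": _keytool_date(m.group(2)),
        "sha256": sha.group(1).upper() if sha else None,
        "sigalg": sig.group(1) if sig else None,
        "eku": eku.group(1).split() if eku else [],
        "san": re.findall(r"DNSName:\s*(\S+)", text),
    }


def hostname_matches(host, names):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def assess_certificate(text, expected_sha256, hostname, now):
    """Return the reasons not to trust this certificate; an empty list means it checks out.
    `now` is a datetime or a 'YYYY-MM-DD' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    cert = parse_printcert(text)
    problems = []
    if cert["sha256"] != expected_sha256.upper():
        problems.append("SHA256 fingerprint differs from the value obtained out of band")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is outside its validity period")
    if "serverAuth" not in cert["eku"]:
        problems.append("extended key usage lacks serverAuth")
    if not hostname_matches(hostname, cert["san"]):
        problems.append("hostname %s is not covered by the subject alternative names" % hostname)
    if cert["sigalg"] and cert["sigalg"].upper().startswith("SHA1"):
        problems.append("signed with SHA-1, which is no longer accepted for new certificates")
    return problems


if __name__ == "__main__":
    print(assess_certificate(SAMPLE_PRINTCERT, EXPECTED_SHA256, "tbe.partner.example", "2014-11-22"))
```

The fingerprint comparison is the check that matters most: keytool only shows you what it downloaded, and a certificate that parses cleanly and looks like the partner's is still untrusted until its fingerprint matches what the partner confirmed through a separate channel.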

If the default DemoTrust.jks is not used, add the generated keystore file (.jks) as the JVM trust store and add the property -DUseSunHttpHandler=true to setDomainEnv.sh (setDomainEnv.cmd on Windows; the sample below uses the Windows syntax), as in the following sample:

  
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dsoa.archives.dir=%SOA_ORACLE_HOME%\soa -Dsoa.oracle.home=%SOA_ORACLE_HOME% -Dsoa.instance.home=%DOMAIN_HOME% -Dtangosol.coherence.clusteraddress=227.7.7.9 -Dtangosol.coherence.clusterport=9778 -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.webservice.client.ssl.strictcertchecking=false -Dweblogic.security.SSL.enforceConstraints=off -Dssl.debug=true -Djavax.net.ssl.trustStore=%WL_HOME%\server\lib\opinionmeter.jks -Djavax.net.ssl.trustStorePassword=opinionmeter -Dweblogic.security.SSL.verbose=true -DUseSunHttpHandler=true

set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dem.oracle.home=C:\Wls_10.3.6\Middleware\oracle_common -Djava.awt.headless=true -DUseSunHttpHandler=true

set JAVA_OPTIONS=%JAVA_OPTIONS% %JAVA_PROPERTIES% -Dwlw.iterativeDev=%iterativeDevFlag% -Dwlw.testConsole=%testConsoleFlag% -Dwlw.logErrorsToConsole=%logErrorsToConsoleFlag% -DUseSunHttpHandler=true
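The sample above also carries three relaxations (ignoreHostnameVerification=true, strictcertchecking=false, enforceConstraints=off) that help while a handshake is being debugged but, once the partner certificate is in the trust store, weaken every outbound TLS connection the server makes. The following Python is an added example written for this page (not from the post or from WebLogic) that parses the -D options of such a line, flags those settings and the trust-store password placed on the command line, and returns a hardened set that keeps the trust store and -DUseSunHttpHandler=true. The option line it parses is constructed from the one above.

```python
"""Audit the SSL-related -D options in a setDomainEnv line. Added example, not from the
post or from WebLogic: it parses the options, flags the relaxations that are useful
while debugging a handshake but weaken TLS if left in place, and returns a hardened
set. SAMPLE_OPTIONS is a constructed line modeled on the one in the post."""
import re

# Setting -> (value that weakens TLS, why it matters). The names are real WebLogic system properties.
WEAK_SETTINGS = {
    "weblogic.security.SSL.ignoreHostnameVerification":
        ("true", "hostname verification is off, so a valid certificate for any name is accepted"),
    "weblogic.webservice.client.ssl.strictcertchecking":
        ("false", "strict certificate chain checking is off for web service clients"),
    "weblogic.security.SSL.enforceConstraints":
        ("off", "CA certificates without a Basic Constraints extension are no longer rejected"),
}
# Handshake tracing switches: noisy and slow, intended for troubleshooting only.
DEBUG_SETTINGS = ("ssl.debug", "weblogic.security.SSL.verbose")

# Constructed line in setDomainEnv.cmd syntax, modeled on the post's sample.
SAMPLE_OPTIONS = (
    "set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% "
    "-Dweblogic.security.SSL.ignoreHostnameVerification=true "
    "-Dweblogic.webservice.client.ssl.strictcertchecking=false "
    "-Dweblogic.security.SSL.enforceConstraints=off -Dssl.debug=true "
    "-Djavax.net.ssl.trustStore=%WL_HOME%\\server\\lib\\customcerts.jks "
    "-Djavax.net.ssl.trustStorePassword=changeit "
    "-Dweblogic.security.SSL.verbose=true -DUseSunHttpHandler=true"
)


def parse_jvm_props(line):
    """Extract -Dname=value pairs from a setDomainEnv line (cmd or sh syntax)."""
    return dict(re.findall(r"-D([\w.]+)=(\S*)", line))


def audit_ssl_props(props):
    """Return one finding per weak setting present with its weak value."""
    findings = []
    for name, (weak_value, why) in WEAK_SETTINGS.items():
        if props.get(name, "").lower() == weak_value:
            findings.append("%s=%s: %s" % (name, weak_value, why))
    if "javax.net.ssl.trustStorePassword" in props:
        findings.append("javax.net.ssl.trustStorePassword is on the command line, "
                        "so any local user can read it from the process list")
    return findings


def harden(props):
    """Copy of props without the three relaxations and the debug switches; WebLogic then
    uses its defaults (hostname verification and strict checks on). The trust store
    entries, which the post's setup needs, are kept."""
    return {k: v for k, v in props.items()
            if k not in WEAK_SETTINGS and k not in DEBUG_SETTINGS}


def render_props(props):
    """Turn the dict back into a -D option string for the setDomainEnv line."""
    return " ".join("-D%s=%s" % (k, v) for k, v in props.items())


if __name__ == "__main__":
    props = parse_jvm_props(SAMPLE_OPTIONS)
    for finding in audit_ssl_props(props):
        print("WEAK:", finding)
    print(render_props(harden(props)))
```

The hardened set still reports the trust-store password, which this script cannot fix by rewriting the line; keeping setDomainEnv readable only by the WebLogic service account limits who can see it, and a trust store holds only public certificates, so its password protects integrity rather than secrecy.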

Restart the servers.

Below are the commands to list the keystore contents, delete an existing certificate and import it again.

keytool -list -keystore opinionmeter.jks -storepass *****
keytool -delete -alias xxx -keystore v.jks -storepass *****
keytool -import -alias xxx -file xxxx.cer -keystore c.jks -storepass  *****

If the certificate is not imported properly, the error below will be seen.

Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To route the request through a proxy server and use SSL, set the properties below on the service reference in composite.xml:

<property name="oracle.webservices.proxyHost" type="xs:string" many="false">10.xxx.xx.x</property>
<property name="oracle.webservices.proxyPort" type="xs:string" many="false">80</property>
<property name="oracle.soa.two.way.ssl.enabled">true</property>


Thursday, November 13, 2014

Oracle SOA DB Adapter Fails to return XML Type with MS SQLServer

When you use the DB Adapter to access Microsoft SQL Server stored procedures that return output with XML types, a class type mapping exception can be thrown.

A stack trace similar to the one below can be thrown by the adapter.
Exception occured when binding was invoked. Exception occured during invocation of JCA binding: "JCA Binding execute of Reference operation 'Test' failed due to: Unimplemented string conversion. Conversion of JDBC type to String is not supported. An attempt was made to convert a Java object to String using an unsupported JDBC type: . Use a data type with a supported JDBC type. ". The invoked JCA adapter raised a resource exception. Please examine the above error message carefully to determine a resolution.


To fix this, change the driver from "com.microsoft.sqlserver.jdbc.SQLServerDriver" to "weblogic.jdbc.sqlserver.SQLServerDriver" by logging in to the console and changing the driver class name of the data source, or create a new connection using Oracle's MS SQL Server driver.



Also make sure to create a strong schema by introspecting the stored procedure with some input values. If a weak schema is used, XML results longer than 2,033 characters will be returned in multiple rows of 2,033 characters each.

For example:
CREATE PROCEDURE [dbo].[spSoaTest] @param1 int
AS
BEGIN
    -- The original omitted the select list; * is used here so the statement parses
    SELECT TOP 500 *
    FROM dbo.TableXX tbl
    ORDER BY 1 DESC
    FOR XML PATH('test'), ROOT('test1'), TYPE
END
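Until the strong schema is regenerated, a weak-schema call returns a document like the one this procedure produces as consecutive 2,033-character rows. The following Python is an added example written for this page (not from the post or from the DB Adapter) that reproduces the symptom on a constructed document shaped like the FOR XML PATH('test'), ROOT('test1') output and reassembles the rows in a guarded way, so that a missing or truncated row is detected rather than silently yielding broken XML.

```python
"""Reassemble XML that a weak-schema DB Adapter call returns as 2,033-character rows.
Added example, not from the post or from the adapter: the real fix is the strong
schema described in the post; this shows the symptom and a guarded consumer-side
reassembly for results produced before the schema was regenerated. The sample
document is constructed."""
import xml.etree.ElementTree as ET

ROW_WIDTH = 2033   # width of each row the adapter returns for a weak schema


def build_sample_xml(count=120):
    """Constructed FOR XML PATH('test'), ROOT('test1') style document, well over 2,033 chars."""
    items = "".join("<test><id>%d</id><name>item-%03d</name></test>" % (i, i)
                    for i in range(count))
    return "<test1>%s</test1>" % items


def split_like_weak_schema(xml_text, width=ROW_WIDTH):
    """Simulate the symptom: the document arrives as consecutive rows of `width` characters."""
    return [xml_text[i:i + width] for i in range(0, len(xml_text), width)]


def reassemble_xml_rows(rows, width=ROW_WIDTH):
    """Join the rows in order and parse the result. Every row but the last must be
    exactly `width` characters, so a missing or truncated middle row is detected
    before parsing; a lost last row surfaces as ET.ParseError (unclosed root)."""
    for i, row in enumerate(rows[:-1]):
        if len(row) != width:
            raise ValueError("row %d has %d characters, expected %d" % (i, len(row), width))
    return ET.fromstring("".join(rows))


if __name__ == "__main__":
    rows = split_like_weak_schema(build_sample_xml())
    root = reassemble_xml_rows(rows)
    print(len(rows), "rows ->", root.tag, "with", len(root.findall("test")), "items")
```

Treat this as a bridge only: the adapter's strong schema returns the whole document in one value, and a consumer that concatenates rows has no way to tell a legitimately short final row from a truncated one.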

If you omit TYPE after FOR XML, you may get the exception below while introspecting the stored procedure in JDeveloper.


BINDING.JCA-11819
Database type not supported.
Encountered a database type ntext that is either not supported or is not implemented.
Parameter XML_F52E2B61-18A1-11d1-B105-00805F49916B is of type ntext which is either not supported or is not an implemented datatype.
Check to ensure that the type of the parameter is one of the supported datatypes or that there is a collection or user defined type definition representing this type defined in the database.

                at oracle.tip.adapter.db.sp.xsd.sqlserver.DatabaseBrowser.expandParameter(DatabaseBrowser.java:88)
                at oracle.tip.adapter.db.sp.xsd.sqlserver.DatabaseBrowser.expandParameters(DatabaseBrowser.java:65)