Sunday, June 20, 2021

How to set up AD Bridge on IDCS

What is AD bridge

The Microsoft Active Directory (AD) Bridge provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this directory structure so that any new, updated, or deleted user or group records are transferred into Oracle Identity Cloud Service.

Synchronization Flow & Allowed Operations:

AD to IDCS synchronization (Mandatory) - Create/Update/Delete users from AD to IDCS

IDCS to AD synchronization (Optional) - Update/Deactivate (no Create/Delete operations allowed)


Prerequisites:

Set Permissions for Your Microsoft Active Directory (AD) Account

1. Create the service account in AD

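2. To set up AD to IDCS synchronization, grant Generic Read permissions for the users, groups, and organizational units (OU) in the AD domain that you want to import into Oracle Identity Cloud Service. The command below grants Generic Read (GR) to the account jay.local\sanjeev at the domain root, and /I:T applies it to that object and everything beneath it: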

dsacls "DC=jay,DC=local" /I:T /g "jay.local\sanjeev:GR"

3. If you want to set up IDCS to AD synchronization (optional), grant Generic Write (GW) permission for the users, groups, and organizational units (OU) in the AD domain:

dsacls "DC=jay,DC=local" /I:T /g "jay.local\sanjeev:GW"

Certified Components

  • With the Microsoft Active Directory (AD) Bridge, Oracle Identity Cloud Service can connect to your AD enterprise directory structure. The following table lists the certified versions for Oracle Identity Cloud Service, AD, your operating system, and the Microsoft .NET software framework (which is required for the AD Bridge to run).

  • Create the machine on which the AD Bridge will be deployed and join it to the Microsoft Active Directory domain so that auto discovery works. Make sure the firewall allows this machine to reach IDCS.

Create a Microsoft Active Directory (AD) Bridge

To create a Microsoft Active Directory (AD) Bridge that provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service, you must be assigned to either the identity domain administrator role or the security administrator role.
  • In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Directory Integrations and click Add a Microsoft Active Directory Bridge.


  • Make a note of the Identity Cloud Service URL, Client ID, and Client Secret.
  • Click Download. Oracle Identity Cloud Service downloads the client for the AD Bridge.
  • FTP the ad-id-bridge.exe file to the Windows server that was created in the earlier step.

Install AD bridge

  • To install the client for the AD Bridge, double-click the ad-id-bridge.exe file. The Welcome to AD Bridge Installer window appears.
  • In the Language Selection area, select the language that you want to use to install the client for the AD Bridge, and then click OK. The Identity Cloud Service Microsoft Active Directory Bridge Installer appears.


  • In the Welcome dialog box, click Next.

  • In the Destination Folder dialog box, choose one of the following install choices:





  • In the Specify Proxy Server dialog box:
    1. If your organization has a firewall in place and requires communication to be handled using an HTTP Proxy Server, then select Use Proxy Server. If you select this check box, then provide the full path (or address) of the proxy server and the administrator credentials for connecting to the proxy server.

    2. If your organization doesn’t require communication to be handled using an HTTP Proxy Server, then don't select Use Proxy Server.

    3. Click Next.


  • In the Specify Identity Cloud Service Credentials dialog box:

    1. Provide the Cloud Service URL, Client ID, and Client Secret.

    2. Click Test.

      The AD Bridge attempts to connect to the Oracle Identity Cloud Service server.

      If a connection can be established, then a Connection Successful! confirmation message appears.

      Otherwise, you’ll receive an error message, indicating that you entered an incorrect Cloud Service URL, Client ID, or Client Secret. Modify the incorrect values, and click Test again.

    3. Click Next.





  • In the Specify Microsoft Active Directory Credentials dialog box, provide the following connection details to the AD server:

    1. Username: The AD account that the AD Bridge uses to access the AD server.

    2. Password: The password for the AD account.

    3. Use SSL: If you're connecting to the server via an SSL connection, then leave this check box selected. Otherwise, deselect it.




  • Click Next, and then click Close.


  • In the Identity Cloud Service console, access the Directory Integrations page. The AD Bridge that you created for the AD domain appears with a status of Partially Configured. The bridge is created, but not configured. See Configure a Microsoft Active Directory (AD) Bridge for more information about configuring this bridge.

    Note:

    If you don't see the AD Bridge in the Directory Integrations page, then refresh your web browser. Also, you can create only one bridge per AD domain.




Configure a Microsoft Active Directory (AD) Bridge


You can access the Managing Security Settings infographic to see how to configure an AD Bridge.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, click Directory Integrations, and then click the AD Bridge that you want to configure.

    Note: The bridge has a status of Partially Configured.

  2. In the Configure the Microsoft Active Directory Domain page, configure the AD domain to poll for changes to users or groups in AD and import those changes into Oracle Identity Cloud Service. In the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes:


3. In the Supported Operations area, choose which operations for Oracle Identity Cloud Service users or groups will be propagated to AD. (We didn't choose anything, as we don't want to propagate changes from IDCS to AD.)


4. In the Set import frequency area, schedule how often, in hours and minutes, you want Oracle Identity Cloud Service to use the AD Bridge to import users and groups from AD.

5. In the Configure Attribute Mappings area, click Edit Attribute Mappings to define custom attribute mappings between AD and Oracle Identity Cloud Service. (We didn't change anything)



6. In the Authentication Settings area, select Enable local authentication if you want users to use their Oracle Identity Cloud Service or their AD passwords (this requires delegated authentication, which has not been set up as of now) to authenticate into Oracle Identity Cloud Service to access Oracle Identity Cloud Service-protected resources.




7. Click Save.

8. In the Confirmation window, click OK. The status of the AD Bridge changes from Partially Configured to Configured. The bridge is created and configured.

9. Click the bridge we have created in IDCS and go to the Import tab.



10. We can do a full import the first time; subsequently, the scheduled job will sync the changes from AD to IDCS.









Sunday, April 4, 2021

Installation of Weblogic 12c (12.2.1.4) on Linux

 Prerequisites:

a. Download JDK 1.8 (jdk-8u281-linux-x64.tar.gz) from the link below.

https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html 

b. Download WebLogic 12.2.1.4 (fmw_12.2.1.4.0_wls_Disk1_1of1.zip) from the link below.

https://www.oracle.com/in/middleware/technologies/weblogic-server-downloads.html

c. Create the user webadmin, who installs and configures the WebLogic server.

useradd webadmin

d. Create the prerequisite directories to hold the Oracle WebLogic software.

mkdir -p /u01/app/web_12214

mkdir -p /u01/app/oraInventory

e. Create /etc/oraInst.loc and add the lines below.

inventory_loc=/u01/app/oraInventory

inst_group=webadmin

f. Stage the software under /u01/app/softwares  .

[webadmin@jaytch softwares]$ pwd

/u01/app/softwares


[webadmin@jaytch softwares]$ ls -ltr

total 986544

-rw-rw-r--. 1 opc      opc      866494253 Apr  4 07:56 fmw_12.2.1.4.0_wls_Disk1_1of1.zip

-rw-rw-r--. 1 webadmin webadmin 143722924 Apr  4 10:27 jdk-8u281-linux-x64.tar.gz


[webadmin@jaytch softwares]$ unzip fmw_12.2.1.4.0_wls_Disk1_1of1.zip

Archive:  fmw_12.2.1.4.0_wls_Disk1_1of1.zip

  inflating: fmw_12.2.1.4.0_wls.jar


[webadmin@jaytch app]$ cd /u01/app

[webadmin@jaytch app]$ tar -zxvf  /u01/app/softwares/jdk-8u281-linux-x64.tar.gz


Installation:

 export PATH=/u01/app/jdk1.8.0_281/bin:$PATH

 cd /u01/app/softwares/

 java -jar fmw_12.2.1.4.0_wls.jar

After the graphical wizard opens, use the guidelines in the following table to install WebLogic Server 12c (12.2.1):

Step | Window/Page Description | Choices or Values
a. | Step 1 of 9 - Welcome | Click Next.
b. | Step 2 of 9 - Auto Updates | Select Skip Auto Updates. Click Next.
c. | Step 3 of 9 - Installation Location | Enter /u01/app/web_12214 for Oracle Home. Click Next.
d. | Step 4 of 9 - Installation Type | Select Complete with Examples. [If it is a production box, please choose WebLogic Server.] Click Next.
e. | Step 5 of 9 - Prerequisite Checks | Click Next.
f. | Step 6 of 9 - Security Updates | Unselect I wish to receive security updates via My Oracle Support. Click Next.
g. | My Oracle Support Username/Email Address Not Specified | Click Yes.
h. | Step 7 of 9 - Installation Summary | Click Install.
i. | Step 8 of 9 - Installation Progress | Click Next.
j. | Step 9 of 9 - Installation Complete | Click Finish.











Environment File Setup:

Create the env file $HOME/web12c.env 

ORACLE_HOME=/u01/app/web_12214; export ORACLE_HOME
MW_HOME=$ORACLE_HOME ; export MW_HOME
WLS_HOME=$MW_HOME/wlserver; export WLS_HOME
DOMAIN_HOME=/u01/app/web_12214/user_projects/domains/jay_domain; export DOMAIN_HOME
JAVA_HOME=/u01/app/jdk1.8.0_281; export JAVA_HOME
export PATH=$JAVA_HOME/bin:$ORACLE_HOME/OPatch:$PATH


Creating Weblogic Domain:

source $HOME/web12c.env
$ORACLE_HOME/oracle_common/common/bin/config.sh








































Start the Services:

Create the boot.properties file under the $DOMAIN_HOME/WLS_DEMO/security folder.

nohup $DOMAIN_HOME/bin/startNodeManager.sh > /dev/null 2>&1 &
nohup $DOMAIN_HOME/startWebLogic.sh > /dev/null 2>&1 &
nohup $DOMAIN_HOME/bin/startManagedWebLogic.sh WLS_DEMO  > /dev/null 2>&1 &
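
boot.properties holds the administrator username and password in clear text until the server's first successful boot, when WebLogic rewrites both values in encrypted form. The script below is an added example, not part of the original post: it writes the file with owner-only permissions and audits an existing one. The function names are hypothetical, and the target directory (the security folder named above) is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# write_boot_properties DIR USER
#   Reads the password from stdin so it never appears in argv or shell
#   history, then writes DIR/boot.properties readable by the owner only.
write_boot_properties() {
    dir=$1; user=$2
    [ -n "$dir" ] && [ -n "$user" ] || return 2
    IFS= read -r pass || [ -n "$pass" ] || return 2
    [ -n "$pass" ] || return 2
    (
        umask 077                      # directory 0700, file 0600 at creation
        mkdir -p "$dir" &&
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties"
    ) || { unset pass; return 1; }
    unset pass
    chmod 600 "$dir/boot.properties"   # tighten a file that already existed
}

# boot_properties_audit FILE
#   Prints one finding per line; returns 0 only when nothing is reported.
boot_properties_audit() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "group/other access"; rc=1; }
    # After the first boot the stored values carry an {AES...} prefix;
    # a password line without it is still clear text.
    grep -q '^password={AES' "$f" || { echo "password in cleartext"; rc=1; }
    return $rc
}

# Usage as webadmin, with DIR set to the security folder used above:
#   stty -echo; write_boot_properties "$DIR" weblogic; stty echo
#   boot_properties_audit "$DIR/boot.properties"
```

Run the audit again after the first start of WLS_DEMO; the cleartext finding should disappear once the server has rewritten the file.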





Saturday, April 3, 2021

R12.2 Forms Server Fails With "Could not reserve enough space for object heap" on OEL6

Issue :

Not able to start the Forms managed server with Xmx set to 2G.

Cause:

It was working fine. No changes have been made.

Solution:

Unlike oacore, Forms servers run on top of a 32-bit JVM. There is a bug or limitation in the 32-bit libraries that prevents reserving more than 1G of memory. Compare the output of the 32-bit and 64-bit java commands below.


$COMMON_TOP/util/jdk32/jre/bin/java  -Xms32m -Xmx3072m -XX:MaxPermSize=256m -version
Error occurred during initialization of VM
Could not reserve enough space for object heap
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.

 $COMMON_TOP/util/jdk64/jre/bin/java  -Xms32m -Xmx3072m -XX:MaxPermSize=256m -version
java version "1.7.0_85"
Java(TM) SE Runtime Environment (build 1.7.0_85-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.85-b06, mixed mode)


This is caused by the prelink command. It calculates shared library load addresses and updates the shared libraries with them. The simplest thing to do is to undo what prelink did and then disable it.

Prelinking is enabled by default on OEL6 (this error is not received on OEL7).

Disable prelink method

To disable prelinking:

a. Log in as the root user and execute prelink -u --all



b. Edit /etc/sysconfig/prelink, set PRELINKING=no, and save.

c. Now try to execute the command below. It should not return any error.

$COMMON_TOP/util/jdk32/jre/bin/java  -Xms32m -Xmx3072m -XX:MaxPermSize=256m -version
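
Steps b and c as a repeatable script, added here as an example that is not part of the original post. The function names are hypothetical, and the config path is a parameter so the edit can be tried on a copy of /etc/sysconfig/prelink first.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# set_prelinking_no CONF
#   Step b: force PRELINKING=no in CONF. Keeps the first original as CONF.bak,
#   rewrites an existing assignment, appends one if only a commented line
#   exists, and is safe to run more than once.
set_prelinking_no() {
    conf=$1
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    [ -f "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    if grep -q '^[[:space:]]*PRELINKING=' "$conf"; then
        sed 's/^[[:space:]]*PRELINKING=.*/PRELINKING=no/' "$conf" > "$conf.new" &&
        cat "$conf.new" > "$conf" &&      # cat keeps owner and mode of CONF
        rm -f "$conf.new" || return 1
    else
        printf 'PRELINKING=no\n' >> "$conf" || return 1
    fi
    grep -qx 'PRELINKING=no' "$conf"      # verify the setting took effect
}

# heap_check JAVA_BIN
#   Step c: run the same JVM options as above; exit status 0 means the
#   heap could be reserved.
heap_check() {
    "$1" -Xms32m -Xmx3072m -XX:MaxPermSize=256m -version >/dev/null 2>&1
}

# Usage on the OEL6 host, as root:
#   prelink -u --all
#   set_prelinking_no /etc/sysconfig/prelink
#   heap_check "$COMMON_TOP/util/jdk32/jre/bin/java" && echo "32-bit heap OK"
```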


How to Compile Forms , Reports & Custom.pll in R12.2

How to Compile Custom.pll   cd $AU_TOP/resource  cp CUSTOM.plx CUSTOM.plx_bkup  cp CUSTOM.pll CUSTOM.pll_bkup  frmcmp_batch module=CUSTOM.pl...