5
Completing Directory Usage Configuration

This chapter describes the configuration steps that enable your Oracle home to use an Oracle Internet Directory server. The chapter describes the configuration steps common to all Oracle products; then it directs you to resources that describe directory configuration tasks particular to each Oracle product.

The chapter covers the following topics:

• Prerequisites for Directory Use
• Options for Directory Usage Configuration
• Configuring Directory Usage After Installing the Database
• Configuring Directory Usage During a Custom Database Installation
• Configuring Directory Usage During a Client Installation
• Administrative Groups
• Product-Specific Configuration Tasks

Prerequisites for Directory Use

Conceptually, there are five major prerequisites for an Oracle RDBMS to communicate with the directory:

• The directory must contain the current version of the Oracle Schema. The Oracle Schema contains all Oracle-specific object classes and attributes. It is preinstalled in Oracle Internet Directory.
• The directory must contain the current version of the Oracle Context. This is the subtree where all the Oracle-specific objects are stored. Oracle Internet Directory is shipped with a preinstalled Oracle Context at the directory root. You can create other Oracle Contexts elsewhere, but do not remove the root context.
• Your Oracle home must be configured for directory usage. Configuring your Oracle home entails setting parameters in the ldap.ora file that enable Oracle programs to connect to the directory. These parameters consist of values for directory host, port, and type and for the location of the Oracle Context.
• The directory must contain an entry for the database, so that the database can bind (log in) to the directory.
• Some directory-enabled features such as Oracle Advanced Security require the directory to be enabled for two-way authentication using Secure Sockets Layer (SSL). This feature requires that the user have an Oracle wallet in the directory.

The first two prerequisites are met by default if you are using the latest version of Oracle Internet Directory. If you are not using the latest version, Oracle Net Configuration Assistant updates both the Oracle Schema and the Oracle Context. This tool also creates the ldap.ora file. Database Configuration Assistant satisfies the fourth requirement: it creates an entry for the database in the directory, a process called database registration. Both tools must be run to complete directory usage configuration. The sections that follow explain how to run them.

To learn how to create and upload and download wallets from the directory, see Chapter 17, "Using Oracle Wallet Manager" in Oracle Advanced Security Administrator's Guide. To learn how to create and start an SSL instance when the directory is Oracle Internet Directory, see "Task 2: Start a Server Instance" in Chapter 3 of Oracle Internet Directory Administrator's Guide.

Options for Directory Usage Configuration

There are three methods for completing directory usage configuration:

1. Configure directory usage after installing a database. This method enables your Oracle home to use a directory
2. Configure directory usage when you install and register a database. This method is part of a custom database installation. It is an alternative to the first method.
3. Configure your client to use a directory to connect to a database. This method is part of a client installation

Configuring Directory Usage After Installing the Database

Oracle Net Configuration Assistant and Database Configuration Assistant can be used to complete directory usage configuration at any time. If you choose this option, both tools must be run in standalone mode. The first tool enables you to choose a directory server. The second registers your database--that is, it creates an entry for the database in the directory. Without this entry, your Oracle home cannot access the directory.

This section covers the following topics:

• Using Oracle Net Configuration Assistant to Configure Directory Usage
• Using Database Configuration Assistant to Register a Database

Using Oracle Net Configuration Assistant to Configure Directory Usage

To configure directory server usage:

1. Start Oracle Net Configuration Assistant:
   • On UNIX, go to $ORACLE_HOME/bin; then enter the command netca
   • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Net Configuration Assistant

   The Welcome page appears.

2. Select Directory Service Usage Configuration, and then choose Next.

   The Directory Usage Configuration page is shown in Figure 5-1.

Figure 5-1 Oracle Net Configuration Assistant: Directory Usage Configuration Page

Text description of the illustration dircongi.gif

3. Select one of the four options on this page; then follow the prompts in the wizard and Help to complete directory usage configuration.

The options are as follows:

Option 1: Select the directory server you want to use

Select this option to enable your Oracle home to use a directory server that is already configured to use directory-enabled features.

Once configuration is complete, this option enables your computer to look up entries in the directory. It prompts you to do the following:

• Select the type of directory server.
• Identify the host name and port of the directory server. The default non-SSL port number is 389. The default SSL port is 636.
• Select a directory entry that contains an Oracle Context from which this server can access Oracle entries.

Option 2: Select the directory server you want to use, and configure the directory server for Oracle usage

Select this option to configure a directory server for directory-enabled features and to enable your Oracle home to use that directory. This option is designed for administrators who are configuring these features for the first time.

Once configuration is complete, this Oracle home can look up entries in the directory.

The options are the same as those for Option 1. The difference is that, if the Oracle Schema does not exist or is an older version, you are prompted to create it or upgrade it. Having the correct schema version is a prerequisite for creating or designating an Oracle Context. There are three possible options for choosing an Oracle Context:

1. Accept the root Oracle Context as your default. The root Oracle Context is at the root entry, or top entry, of a directory.
2. Choose from a drop-down list of Oracle Contexts.
3. If no Oracle Context exists, create one under a directory entry of your choice. To add an Oracle Context, you must use Option 3. Note that some Oracle features require a root Oracle Context--that is, one that is located at the root entry of a directory. If the root Oracle Context is missing, you can create one by selecting "root entry" from the drop-down list of directory entries that Oracle Net Configuration Assistant displays.

Option 3: Create additional or upgrade existing Oracle Context

You must select this option to add an Oracle Context to your directory if it already contains an Oracle Context. In addition, this option can be used to upgrade an old version of the context.

To create an Oracle Context, the following must exist in the directory server:

• A directory entry under which you want the Oracle Context to be created.
• The current Oracle Schema.

If the Oracle Context is an older version, you are prompted to upgrade it. This is important because an Oracle9i database will not work with an Oracle8i Oracle Context or an earlier one. You can use the upgraded Oracle Context to register any Oracle8i databases that are created in the future.

Option 4: Create or upgrade the Oracle Schema

In the unusual event that Oracle Internet Directory contains no Oracle Schema, you can use Option 4 to create the Schema without having to resort to the full directory usage configuration explained in Options 1 and 2. In addition, Option 4 can be used to upgrade the Oracle Schema.

Using Database Configuration Assistant to Register a Database

After running the Oracle Net Configuration Assistant, run the Database Configuration Assistant to register your database in the directory. To register a database, you must be a member of either the Database Registration group or the OracleContextAdmins group, or you must be the directory superuser. Use Oracle Enterprise Security Manager to add administrators to these two groups. To learn how to use this tool see Chapter 18, "Using Oracle Enterprise Security Manager", in Oracle Advanced Security Administrator's Guide. Note that, if you are using Enterprise User Security, you can use Enterprise Security Manager to register a database.

To register a database in the directory, using Database Configuration Assistant in standalone mode:

1. Start the Database Configuration Assistant as follows:
   • Windows NT: Select Start->Programs->Oracle-<Oracle-HOME_NAME>->Database Administration->Database Configuration Assistant
   • UNIX: Select $ORACLE_HOME/bin/dbca
2. Select Configure database options in a database and choose Next.
3. Select a database and choose Next.
   The final Database Configuration Assistant window appears.
4. Choose Yes, Register the Database, and enter the directory credentials for a user in the Database Registration group.
5. Choose Finish if you are just registering a database; choose Next if you want to select additional database features.
6. If you chose Finish; the Locate Initialization File window appears.
7. Select the appropriate initialization file and choose OK.

If you execute these steps correctly, Database Configuration Assistant does the following:

• Creates a new database service object and subtree underneath your chosen Oracle Context in the directory
• Adds the database to the default enterprise domain. (To learn about enterprise domains, see "Oracle Advanced Security Entries Under the Oracle Context" in Chapter 4)
• Adds the distinguished name of the database to the database server parameter file, spfile.ora, as an RDBMS_SERVER_DN initialization parameter value
• Restarts the database, so that the new initialization parameter takes effect

Configuring Directory Usage During a Custom Database Installation

After installing database server software, Oracle Universal Installer launches Oracle Net Configuration Assistant, which gives you the option of completing directory usage configuration. Completing configuration consists of the following:

• Selecting a directory type.
• Specifying the directory's host name and port. The default port numbers are 389 for non-SSL connections and 636 for SSL connections.
• Selecting a directory entry that contains an Oracle Context.

If the required Oracle Schema is already installed, Oracle Net Configuration Assistant prompts you to select an Oracle Context from a drop-down list of directory entries. If it was created during directory setup, one of the entries in the list is a root Oracle Context. The root Oracle Context is at the root entry, or top entry, of a directory.

If only the root context is present, you can either use this context or create a new Oracle Context by running Oracle Net Configuration Assistant in standalone mode. (See "Option 3: Create additional or upgrade existing Oracle Context".)

If no root Oracle Context is present, you can create one by selecting "root entry" from the drop-down list of directory entries. Note that some Oracle features require that a root Oracle Context be present.

If the required Oracle Schema is not installed, Oracle Net Configuration Assistant gives you the option of installing the correct schema or deferring directory configuration until a later time.

If you perform a custom database installation, Database Configuration Assistant runs automatically, after Oracle Net Configuration Assistant. It prompts you to register the database. Choose Yes, Register the Database, and then follow steps 4 through 7 in "Using Database Configuration Assistant to Register a Database".

Administrative Groups

The administrator who successfully creates or updates an Oracle Context in the course of completing directory configuration is automatically added to five administrative groups:

• OracleContextAdmins (cn=OracleContextAdmins,cn=Groups,cn=OracleContext)

  This group has full privileges for the entire Oracle Context.

• OracleDBCreators (cn=OracleDBCreators,cn=OracleContext)

  This group enables you to use Database Configuration Assistant to register a database service entry in the directory together with its connect descriptor.

• OracleNetAdmins (cn=OracleNetAdmins,cn=OracleContext)

  This group can use Oracle Net Manager to create, modify, and delete net service names and to modify Oracle Net attributes of database services.

• OracleDBSecurityAdmins (cn=OracleDBSecurityAdmins,cn=OracleContext)

  This group has full privileges over directory objects in the container OracleDBSecurity. These objects consist of enterprise domains, enterprise roles, and mappings between users and shared database schemas.

• OracleUserSecurityAdmins (cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext)

  This group has read and write privileges for wallet password hints and passwords.

Configuring Directory Usage During a Client Installation

A client installation gives you the option of using database services, net service names, or net service aliases stored in the directory to connect to a database. This feature is called directory naming. If you choose to use the directory to connect to a database, Oracle Net Configuration Assistant prompts you to do the following:

• Select a directory type.
• Specify the directory's host name or port. The default port numbers are 389 for non-SSL connections and 636 for SSL connections.
• Select a directory entry that contains an Oracle Context.

If the Oracle Schema is incorrect or was not installed or no Oracle Context is present, you cannot complete directory usage configuration on the client. To complete configuration, run Oracle Net Configuration Assistant in standalone mode after installing the database.

For more about database services, net service names, and net service aliases, see "Oracle Net Services Entries Under the Oracle Context" in Chapter 4, "Deploying Oracle Products with Oracle Internet Directory."

Product-Specific Configuration Tasks

Oracle Net Configuration Assistant performs only the minimal directory configuration tasks necessary for most Oracle products. As such, many directory-enabled Oracle products may require additional configuration. Table 5-1 lists each product described in this book and provides links to documents that describe product-specific configuration tasks.

Table 5-1 Links to Product-Specific Configuration Information

Product	Document
Oracle Net Services	Oracle9i Net Services Administrator's Guide, Chapter 8, "Setting Up Directory Server Usage"
Oracle Advanced Security	Oracle Advanced Security Administrator's Guide, Chapter 15, "Managing Enterprise User Security"
Application Context	Oracle9i Application Developer's Guide - Fundamentals, "Application Context Initialized Globally", in Chapter 12, "Policy-Based Security"
Oracle Advanced Queuing	Oracle9i Application Developer's Guide - Advanced Queuing, Chapter 12, "Creating Applications Using JMS"
Oracle Dynamic Services	Oracle Dynamic Services User's and Administrator's Guide, "Using Lightweight Directory Access Protocol (LDAP) as a Master Registry," in Chapter 4, "Advanced Installation Options"