7/17/2014 Document Display

https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 1/8

LDAP Directory Type JPS-CONFIG.XML file Special Instructions
Microsoft Active Directory (MSAD) jps-configAD.xml
Oracle Internet Directory (OID) JPS-CONFIGOID.XML
Oracle Directory Server Enterprise
Edition
Also know as:
Sunone LDAP directory.
IPLANET LDAP directory.
jps-configSun7.xml
How To Configure ODI Studio With External Authentication (Doc ID 1510392.1)
Modified: 10-Jul-2014 Type: HOWTO
In this Document
Goal
Solution
ODI 12c
ODI 12c standalone agent configuration
ODI 11g
ODI11g Standalone agent configuration
References
APPLIES TO:
Oracle Data Integrator - Version 11.1.1.3.0 and later
Information in this document applies to any platform.
GOAL
How to configure ODI Studio with external authentication.
SOLUTION
This is done with the help of the Oracle Platform Security Services (OPSS)
ODI 12c
For ODI 12c all steps are detailled in the documenation.
You may use the attached jps-config-jse.xml files bellow as a reference.

ODI 12c standalone agent configuration
For configuring ODI 12c standalone agent with external authentication refer to steps in this documentation.
ODI 11g
The steps are as follows:
1. Copy one of the following jps-config.xml files according to your LDAP server type to <ODI_HOME>\oracledi\client\odi\bin or use the
existing one in your environment.
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 2/8
Novell Edirectory jps-config-Novell-Edirectory.xml For integrating ODI console with Novell Edirectory the following
two property lines should be added to the global section of jps-
config.xml
<property
name="oracle.security.jps.enterprise.user.class"
value="weblogic.security.principal.WLSUserImpl"/>
<property
name="oracle.security.jps.enterprise.role.class"
value="weblogic.security.principal.WLSGroupImpl"/>

2. Rename the file to jps-confg.xml.
3. Edit the jps-config.xml and modify the following section:
<!-- JPS AD LDAP Identity Store Service Instance -->
idstore.ad" provider="idstore.ldap.provider">
<property name="subscriber.name" value="DC=ad,DC=oracle,DC=com" />
<property name="idstore.type" value="ACTIVE_DIRECTORY" /> /* when using Microsoft Active Directory
*/
<property name="bootstrap.security.principal.map" value="jps_map"/> /* specified when creating the cred map */
<property name="bootstrap.security.principal.key" value="jps_key"/> /* specified when creating the cred map
*/



<property name="ldap.url" value="ldap://localhost:389" />
<extendedProperty>
<name>user.search.bases</name>
<values>
<value>CN=Users,DC=ad,DC=oracle,DC=com</value>
</values>
</extendedProperty>
<extendedProperty>
<name>group.search.bases</name>
<values>
<value>CN=Builtin,DC=ad,DC=oracle,DC=com</value>
</values>
</extendedProperty>
username.attr" value="sAMAccountName" />

<!--property name="groupname.attr" value="cn" /-->
</serviceInstance>
This section should be modified by customer to match the LDAP directory environment.
4. Here we are describing what should be set in the above mentioned section:
idstore.type : The value of this attribute depends on the LDAP directory type.
XML - file-based identity store. Because XML is the only possible value for a file-based identity store, idstore.type need not be specified in
this case.
OID - Oracle Internet Directory
OVD - Oracle Virtual Directory
ACTIVE_DIRECTORY - Active Directory
IPLANET - Sun Java System Directory Server
WLS_OVD - WebLogic OVD
EDIRECTORY - Novell Edirectory
CUSTOM - Any other type

7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 3/8
If using a custom authenticator, the service instance configuration must include one of the following properties:
<property name="idstore.type" value="<your-idstore-type>"
<property name="ADF_IM_FACTORY_CLASS" value="<your-IDM-FACTOY_CLASS_NAME>"

For more details please refer to Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1)

subscriber.name : set this attribute to the base DN of your root node of your LDAP server.
ldap.url: This is the hostname:port of your LDAP directory Server.
user.search.bases: Specifies base DNs in the LDAP directory for searching users.This is the Distinguished Names(DNs) of the LDAP
node(s) under which the ODI users will be located in the LDAP server.
Example:
<extendedProperty>
<name>user.search.bases</name>
<values>
<value>OU=Resources,OU=AVEA,DC=tt-tim,DC=tr</value>
<value>OU=Users,OU=AVEA,DC=tt-tim,DC=tr</value>
</values>
</extendedProperty>
group.search.bases: Specifies base DNs in the LDAP directory for searching roles (groups).These are the DN of your groups in the LDAP
server.
username.attr: This is the user's objectclass attribute which can identify the user (Something like the table's primary key in RDBMS) and
it might differs based on LDAP directory implementation, for MS active directory it is the "sAMAccountName", some other LDAP directory
implementation might use other attribute like ("UID","CN","EMAIL")
user.filter.object.classes: For any LDAP directory not having the users based on "USER" objectclass the following section should be
added to the xml file specifying the correct user objectclass, for example for Oracle Internet Directory which uses "inetOrgPerson" and it
might be customized by the customer in his LDAP server to any other objectclass name, so it's the customer responsibility to determine
which user's object class he is using then the following section needs to be added to the jps-config.xml to define the user's objectclass:
<extendedProperty>
<name>user.filter.object.classes</name>
<values>
<value>inetOrgPerson</value>
</values>
</extendedProperty>
More details regarding OPSS properties configuration could be found in Oracle Fusion Middleware Security Guide
5. Create a wallet file for an LDAP user having administration privileges in the external LDAP directory.
For example:
For AD use "Administrator" user
For OID use "ORCLADMIN" user
For creating this wallet file we assume that you are having Weblogic installed on this machine.
Steps:
one way for creating this wallet is by running the odi-credtool.cmd (find a sample attached to this note).
a. In ODI Studio create a user with the same name as the LDAP administrator user and set its password then grant that user a supervisor
privilege, connect and designer.
b. Make sure you are able to login with this user to ODI studio.
c. Copy the attached odi-credtool.cmd to <ODI_HOME>\oracledi\client\odi\bin
d. Modify the path to the jar files according to your environment otherwise it will generate CLASS_NOT_FOUND errors.
e. Open a command line and navigate to\oracledi\client\odi\bin then execute the odi-credtool.cmd file and provide the following parameters:
[input] Map:jps_map
[input] Key:jps_key
[input] User name:CN=Administrator,CN=Users,DC=ad,DC=vm,DC=oracle,DC=com
Map: Should be set to the same bootstrap.security.principal.map property in the jps-config.xml
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 4/8
Key : Should be set to the same bootstrap.security.principal.key property in the jps-config.xml
User name: Should be set to The Distinguished Name (DN) of the Administrator account used to connect to the LDAP directory with Administrator
privileges
[input] Password:******
Password: This is the password used to connect to the LDAP Directory as Administrator with DN :
"CN=Administrator,CN=Users,DC=ad,DC=oracle,DC=com" in case of Active Directory and this is NOT the password specified in step 'a' above.
After running the odi-credtool.cmd the following will be displayed:
C:\oracle\Middleware\Oracle_ODI1\oracledi\client\odi\bin>java -classpath ..\..\.
.\..\oracledi.sdk\lib\odi-core.jar;..\..\..\..\modules\oracle.jps_11.1.1\jps-man
ifest.jar -Doracle.security.jps.config=.\jps-config.xml oracle.odi.core.security
.JPSContextCredTool
[input] Map:jps_map
[input] Key:jps_key
[input] User name:CN=Administrator,CN=Users,DC=ad,DC=oracle,DC=com
[input] Password:
04-Dec-2012 12:36:59 oracle.security.jps.internal.common.util.XmlSchemaValidatio
nUtil$StrictErrorHandler warning
WARNING: Failed to validate the xml content. SchemaLocation: schemaLocation valu
e = 'http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd' must have e
ven number of URI's. Location: line 2 column 272.
04-Dec-2012 12:37:04 oracle.security.jps.internal.common.util.XmlSchemaValidatio
nUtil$StrictErrorHandler error
WARNING: Failed to validate the xml content. cvc-complex-type.2.4.a: Invalid con
tent was found starting with element 'property'. One of '{"http://xmlns.oracle.c
om/oracleas/schema/11/jps-config-11_1.xsd":extendedProperty, "http://xmlns.oracl
e.com/oracleas/schema/11/jps-config-11_1.xsd":extendedPropertySetRef, "http://xm
lns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd":serviceInstanceRef}' is e
xpected. Location: line 80 column 58.
The credential has been successfully added to the Oracle wallet file: ./cwallet.
sso.
Please update your jps-config.xml file accordingly on values of the two properti
es: bootstrap.security.principal.map, bootstrap.security.principal.key
C:\oracle\Middleware\Oracle_ODI1\oracledi\client\odi\bin>
Discard the above error and check the created wallet file under the same folder.
6. Create an external LDAP user called Supervisor and make sure that user is able to connect to the external LDAP. The steps varies according to
the LDAP type you are using.
7. Switch the authentication from internal to external as follows:
Launch ODI studio and in the ODI menu select "Switch Authentication Mode".
Provide the password for the Master Repository database user then click next then click finish button.
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 5/8
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 6/8
Now try to connect again to the ODI studio using the Supervisor user but with his password you specified in the external LDAP not the one
stored in local ODI repository.
For other newly created ODI users:
At the time of switch authentication all the ODI user having users in external LDAP will be switched fine but if after switching authentication you
decide to add more users you need to do the following steps for each added user:
Each ODI user should be having a corresponding user entry created in the LDAP server with the same name he has in OID.
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 7/8
Open ODI studio and login with the master user.
Open USER and retrieve LDAP password (GUID) button.
Save and disconnect
Reconnect with that with his password in the LDAP directory.
You should be able now to connect using the external LDAP authentication.

For all external users you should create internal ODI users in the local ODI repository using the ODI studio for assigning ODI
profiles, each local user should be mapped to an external user through the GUID attribute value that is fetched from the
external LDAP to the local user entry.

For troubleshooting LDAP issues it's very useful to use any LDAP client to browse the LDAP tree, you can download ldap
client here

For any LDAP directory other than Microsoft Active Directory (MSAD) we have to make sure that the property
user.filter.object.classes is set correctly to the user's objectclass which is by default is set to "USER" if not specified which is
correct for (MSAD) but not for others. The attached XML files are having this property set correctly.
After following this note and successfully switching to external authentication,If you are having ODI console and J2EE agent
installed in this environment, after switching ODI Studio to external authentication you will not be able to login into ODI
console and the J2EE agent will fail, you have to configure these two ODI components as well for external authentication
with the same LDAP server. The procedure for this is documented in Note 1510434.1


ODI11g Standalone agent configuration
For configuring ODI11g standalone agent with external authentication do the following:
1. After configuring ODI studio with external authentication copy the jps-config.xml and the generated wallet files from the ODI studio's bin
folder and past them into the ODI standalone agent's bin folder.
2. Restart the agent.
3. If during starting the agent you face error 'JPS-01061: Access to boostrap credential store denied to application code.' you have to follow
Note 1602223.1 to resolve it.
SSL Configuration
If the LDAP directory communicates in SSL we have to do the following configuration in the JPS-CONFIG.xml file:
1. Specify the LDAP URL as ldaps:// instead of ldap://
Add another property "connection.pool.protocol" to specify that the ldap communication protocol is in SSL, the default value is flat.
<property name="connection.pool.protocol" value="ssl"/>
REFERENCES
NOTE:1296817.1 - After Successful Setup Of External Authentication Using OID, ODI Studio And ODI Console Connection With Supervisor Login
Fails With 'ODI-1404: Agent OracleDIAgent start failure'
NOTE:1555788.1 - 'javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]' Displayed When Switching ODI to
External Authentication
NOTE:1510434.1 - How To Configure ODI Console and J2EE Agent For External Authentication
NOTE:1602223.1 - 'JPS-01061: Access to boostrap credential store denied to application code.' Error Signaled When Launching Standalone Agent
When ODI 11g is Configured With External Authentication
7/17/2014 Document Display
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=mvt2njh1h_4 8/8
BUG:14790233 - IMPOSSIBLE TO CONFIGURE EXTERNAL AUTHENTICATION WITH MICROSOFT ACTIVE DIRECTORY