Configuring the Identity Store

8 Configuring the Identity Store

This chapter explains how to configure and use the identity store, and how to query it programmatically.

This chapter includes the following sections:

See also:

Overview of the Identity Directory API in Developing Applications with Identity Governance Framework

About the Identity Store

The identity store stores users and groups, and the service lets you query that data. By default, it supports querying a single LDAP identity store. You can configure the service to use a virtualized identity store that lets you query multiple LDAP identity repositories instead of just one. For information about identity virtualization, see Configuring the Identity Store.

Depending on the configuration, the service uses a file or (one or more) LDAP servers as the repository of identities. When the service is configured for LDAP, by default, it queries a single LDAP, but you can configure the service to query multiple LDAPs.

The service is available in Java SE environments. For information about virtualization in Java SE applications, see Configuring Virtualization in Java SE Applications.

Parent topic: Configuring the Identity Store

Configuring the Identity Store Provider

Before using the identity store, you must configure the identity store provider. OPSS supports both file and LDAP identity store providers, as the following configuration example illustrates:

<serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" 
 class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
      <description>LDAP IdentityStore Provider</description>
</serviceProvider>
 
<serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider" 
 class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
      <description>XML-based IdentityStore Provider</description>
</serviceProvider>

If you set Active Directory as the identity store provider, then set the USERNAME_ATTR and USER_LOGIN_ATTR properties to sAMAccountName in jps-config.xml (or jps-config-jse.xml) if you want to override the default value (cn). For example:

<property value="sAMAccountName" name="username.attr"/>
<property value="sAMAccountName" name="user.login.attr"/>

Note:

If you set virtualize to true, then do not set the user.login.attr and username.attr properties.

Parent topic: Configuring the Identity Store

Configuring the Identity Store

The following sections explain how to configure the identity store:

Parent topic: Configuring the Identity Store

Identity Store Parameters

The following sections explain the use of the identity store configuration parameters:

Parent topic: Configuring the Identity Store

Query Parameters

Use the following parameters to configure queries to multiple LDAPs:

The virtualize property - This property can be either true (multiple LDAPs lookup) or false (single LDAP lookup). If unspecified, it defaults to false.
Global Connection Parameters (when the virtualize property is enabled) - The calling application uses these parameters to specify global LDAP configuration such as the search base, create base, and so on. If any of these parameters is unspecified, then OPSS uses a default value.
Back-end Connection Parameters - These parameters are specific to each LDAP store. One set of back-end parameters is specified for each LDAP. You do not need to set these parameters unless you want to overwrite default values.

Parent topic: Identity Store Parameters

Global Connection Parameters

Table 8-1 shows the global parameters. For a list of connection pool parameters, see Configuration Parameters for IDS in Developing Applications with Identity Governance Framework.

Table 8-1 Global LDAP Identity Store Parameters

Parameter	Default Value
`group.create.bases`	same as user.create.bases
`group.filter.object.classes`	groupofuniquenames
`group.mandatory.attrs`	No default value
`group.member.attrs`	uniquemember
`group.object.classes`	groupofuniquenames
`group.search.bases`	No default value
`group.selected.create.base`	No default value
`group.selected.search.base`	No default value
`groupname.attr`	cn
`max.search.filter.length`	No default value
`search.type`	No default value
`user.create.bases`	If only one authentication provider, then it uses the create base value. If multiple ones, then no default value is set.
`user.filter.object.classes`	inetorgperson
`user.login.attr`	uid
`user.mandatory.attrs`	No default value
`user.object.classes`	inetorgperson
`user.search.bases`	Same as group.search.bases
`username.attr`	cn

See also:

Table F-9

Parent topic: Identity Store Parameters

Back-End Connection Parameters

These parameters are specific to your particular LDAP store.

See also:

LDAP Identity Properties

Policy Store Service Properties

Parent topic: Identity Store Parameters

Understanding the Service Configuration

LDAP authentication providers are configured with Oracle WebLogic Remote Console or WebLogic Scripting Tool (WLST). At runtime, the server passes the configuration details to OPSS.

In WebLogic Server domains, you can configure multiple authentication providers in a given context. By default, the first authentication provider in the list is used to initialize the identity store. For information about authentication providers, see Support for Multiple Authentication Providers.

To query multiple LDAPs requires setting up the virtualize property.

The following sections explain several configurations:

Parent topic: Configuring the Identity Store

Configuring the Service for a Single LDAP

The following example illustrates the configuration of a single LDAP service instance:

<!-- JPS WLS LDAP Identity Store Service Instance -->
        <serviceInstance name=idstore.ldap provider=idstore.ldap.provider>
            <property name=idstore.config.provider                       value=oracle.security.jps.wls.internal.idstore.
                      WlsLdapIdStoreConfigProvider/>
            <property name=CONNECTION_POOL_CLASS                       
                      value=oracle.security.idm.providers.stdldap.JNDIPool/>
        </serviceInstance>

Parent topic: Understanding the Service Configuration

Configuring the Service for Multiple LDAPs without Virtualization

In cases when the virtualize property cannot be set, configure the service to query more than one LDAP and override the configuration in WebLogic Server. To specify multiple LDAPs, use a comma separated list of LDAP URLs:

<property name="ldap.url", value="ldap://host1:port1,ldap://host2:port2"/>

Parent topic: Understanding the Service Configuration

Configuring the Service for Multiple LDAPs with Fusion Middleware Control

To configure the service for multiple LDAPs with Fusion Middleware Control:

Choose the domain in the navigation pane on the left.
Go to Security, then Security Provider Configuration.
Expand the Identity Store Provider section of the page.
Click Configure.
The Identity Store Configuration page appears.
Under Custom Properties, click Add.
Add the new property:
```
Property Name=virtualize
Value=true
```
Be sure to also add this property to the service instance in the default context of the OPSS configuration file.
Click OK.

Parent topic: Understanding the Service Configuration

Configuring the Service with WLST

To configure and use virtualization using WLST:

Create a script file to connect to the Administration Server in the domain of interest. You must specify the userName, userPass, localHost, and portNumber attributes for this operation. For information about configuring services with scripts, See Configuring Services with Scripts.
Go to $ORACLE_HOME/common/bin.
Run wlst.sh.
For example, if the domain configuration file contains the idstore.ldap authentication provider, then the following command configures the provider for multiple LDAPs lookup:
```
wlst.sh /tmp/updateServiceInsta, nceProperty.py -si idstore.ldap 
-key "virtualize" -value "true"
```

Parent topic: Understanding the Service Configuration

Configuring the Timeout Setting with WLST

To set adapter timeout using WLST:

Run the listAdapters command to obtain the list of adapters.
Run the modifyLDAPAdapter command to set the timeout for each adapter to, for example, 120 seconds:

modifyLDAPAdapter('<ADAPTER NAME>', 'OperationTimeout', 120000)
Restart WebLogic Server.

See also:

modifyLDAPAdapter in WebLogic Scripting Tool Command Reference for Identity and Access Management

Parent topic: Understanding the Service Configuration

Configuring Other Parameters

Optionally, update the configuration in the jps-config.xml file to set query parameters listed in Identity Store Parameters. These parameters are optional and have default values.

Parent topic: Understanding the Service Configuration

Restarting Servers

After configuring queries to multiple LDAPs, restart WebLogic Administration Server and Managed Servers.

Parent topic: Understanding the Service Configuration

Configuring Single and Multiple LDAPs

The following example illustrates the configuration of a single LDAP:

        <serviceInstance name=idstore.ldap provider=idstore.ldap.provider>
            <property name=idstore.config.provider                       value=oracle.security.jps.wls.internal.idstore.
                      WlsLdapIdStoreConfigProvider/>
            <property name=CONNECTION_POOL_CLASS                       
                      value=oracle.security.idm.providers.stdldap.JNDIPool/>
        </serviceInstance>

The following example illustrates the configuration of a multiple LDAPs:

 <serviceProviders>
        <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" 
    class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
            <description>LDAP IdentityStore Provider</description>
        </serviceProvider>
 </serviceProviders>
 <serviceInstances>
        <!-- IDstore instance connecting to multiple ldap  -->
        <serviceInstance name="idstore.virtualize" provider="idstore.ldap.provider">
        <!-- indicates using WLS ldap authentication providers -->
            <property name="idstore.config.provider" 
   value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
	    <!-- enable virtualization -->
            <property name="virtualize" value="true"/>
    <!-- ldap properties (if not supplied, then it uses default values) --> 
            <extendedProperty>
                <name>user.create.bases</name>
                <values>
                   <value>cn=users_front,dc=us,dc=example,dc=com</value>
                </values>
            </extendedProperty>
            <extendedProperty>
                <name>group.create.bases</name>
                <values>
                  <value>cn=groups_front,dc=us,dc=example,dc=com</value>
                </values>
            </extendedProperty>
        </serviceInstance>
 </serviceInstances>
  <jpsContexts default="default">
        <!-- the identity store uses multiple ldaps -->
        <jpsContext name="default">
            <!-- use multiple ldap -->
            <serviceInstanceRef ref="idstore.virtualize"/>    
            <!-- .....other services -->
        </jpsContext>
  </jpsContexts>
</jpsConfig>

Note that:

The virtualize property of the service instance is true, and this allows queries to multiples LDAP directories.
The extendedProperty element allows you to set front-end parameters to override default values.

See also:

Identity Store Parameters

Parent topic: Understanding the Service Configuration

Configuring Split Profiles

Identity virtualization supports split profiles, which lets applications access identity attributes when they are stored in more than one LDAP repository.

This feature requires additional configuration explained in Configuring Adapters for Identity Virtualization.

Parent topic: Configuring the Identity Store

Configuring Custom Authentication Providers

OPSS supports WebLogic Authentication providers to access identities. If the available providers are not suitable to your particular LDAP server, then, typically, you customize one. This section explains how to configure and use a custom authentication provider.

When using a custom LDAP authentication provider, the following configuration illustrates how to specify the LDAP type so that the provider can find the proper LDAP plug-in by overriding idstore.type in jps-config.xml:

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.config.provider"
value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"
/>
    <property name="CONNECTION_POOL_CLASS"
value="oracle.security.idm.providers.stdldap.JNDIPool" />
    <property value="true" name="virtualize" />
    <serviceInstanceRef ref="myGenericLDAPName"/>
  </serviceInstance>
  <serviceInstance name="myGenericLDAPName" provider="idstore.ldap.provider">
    <!-- overrides the 'idstore.type' property -->
    <property name="idstore.type" value="ACTIVE_DIRECTORY" />
  </serviceInstance>

To override additional LDAP provider instances, insert similar entries. For information about provider configuration, see Configuring Security Providers with Fusion Middleware Control.

Parent topic: Configuring the Identity Store

Configuring Virtualization in Java SE Applications

For Java SE applications, you set all configurations in the jps-config-jse.xml file. According to your needs, edit this file to:

Define a new service instance.
Add the new service instance to the context and replace any previously defined instances.
Enable virtualize.

Parent topic: Configuring the Identity Store

Querying the Identity Store Programmatically

To programmatically query the identity store, use OPSS APIs to obtain a context. This context acts like a bridge to obtain the store instance. Subsequently you use the User and Role API to query the store instance:

 try {
         //find the JPS context
         JpsContextFactory ctxFactory = JpsContextFactory.getContextFactory();
         JpsContext ctx = ctxFactory.getContext();
        
         //find the JPS IdentityStore service instance 
         //(assuming the back-end is ldap type)
         LdapIdentityStore idstoreService = (LdapIdentityStore)ctx.getServiceInstance(IdentityStoreService.class)

         //get the User/Role API's Idmstore instance
          oracle.security.idm.IdentityStore idmIdentityStore = idstoreService.getIdmStore();
 
        //use the User/Role API to query ID store
        //

//alternatively, instead of using IdentityStore, use the 
//IdentityDirectory to access LDAP
oracle.igf.ids.IdentityDirectory ids = idstoreService.getIdentityStore();
 } catch (Exception e) {
  e.printStackTrace()
}

See also:

Configuring Services with MBeans

Parent topic: Configuring the Identity Store

Configuring SSL for the Identity Store

You can use Secure Sockets Layer (SSL) connections between the identity store and the LDAP server(s). Both the Identity Directory API and the User and Role API can operate with multiple LDAPs.

When the connection to the identity store originates at a client in WebLogic Server, then the SSL configuration is handled by the server.

See also:

Administering Oracle Fusion Middleware:

Parent topic: Configuring the Identity Store