Friday, October 30, 2015

HOW TO ENABLE SSL for OID



The following is an example of a default config set:

cn=configset, cn=osdldapd, cn=subconfigsubentry
cn=configset
objectclass=top
objectclass=orclConfigSet
objectclass=orclLDAPSubConfig
orclsslauthentication=32  (This can be 0, 32, or 64.)
orclsslenable=2
orclsslport=3060
orclserverprocs=1

Where, for orclsslauthentication:

    0  - is mode 1 in the SSL ODM client (No Authentication)
            + no authentication or confidentiality mode
            + no server wallet or client wallet needed
            + Diffie-Hellman algorithms will be used

    32 - is mode 2 in the SSL ODM client (Server Authentication)
            + server authentication only
            + complete server wallet needed (private key, certificate, the
              signer certificate, and trustpoints)
            + client wallet needed (the client wallet only needs to have trustpoints
              so as to be able to verify the server certificate)
            + RSA algorithms will be used

    64 - is mode 3 in the SSL ODM client (Client and Server Authentication)
            + this SSL mode requires both server and client authentication
            + complete server wallet needed (server private key, server
              certificate, trustpoints, etc.)
            + complete client wallet on the ODM side (client private key, client
              certificate, trustpoints, etc.)
            + RSA algorithms will be used


Notes:

1. The SSL mode must be consistent between the client and server.
2. If the server is set up with server mode (2), clients can use either mode 1
   or mode 2 (No Authentication or Server Authentication).
3. If the server is set up with mode 3 (Client and Server Authentication),
   clients can ONLY use mode 3 (SSL Client and Server Authentication).
4. If the server is set up with mode 1 (No Authentication), then the client can
   ONLY use mode 1 (No Authentication).


Security >> Wallet

Either create a self-signed wallet or import an existing wallet.

Click Oracle Internet Directory > Administration > Server Properties

Click on Change SSL Settings

Under SSL Authentication, change the setting from “No Authentication” to “Server Authentication” or “Mutual Authentication”

-      Select ciphers (it is recommended to select ciphers based on enterprise security requirements)
-      Restart OID using opmnctl stopall; opmnctl startall
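The server/client mode rules above can be checked mechanically before a client is pointed at the SSL port. The POSIX shell script below is an added example, not code from the original post or from Oracle: it reads a configset dump in the attribute=value form listed above, validates orclsslenable and orclsslauthentication, and prints which ODM client modes the server will accept according to notes 1 to 4. The file name, the sample dump and the assumption that orclsslenable=0 means the SSL port is not active are mine.

```sh
#!/bin/sh
# Added example, not part of the original post: audit the SSL attributes of an
# OID configset dump (attribute=value lines as listed above) and report which
# ODM client SSL modes the server will accept, per notes 1 to 4.
# Assumption: orclsslenable=0 (or a missing value) means the SSL port is not active.

# Map orclsslauthentication (0 / 32 / 64) to the client modes allowed by the notes.
# Prints the allowed client mode numbers; returns 1 for any other value.
oid_allowed_client_modes() {
    case "$1" in
        0)  echo "1" ;;       # no authentication: clients can ONLY use mode 1
        32) echo "1 2" ;;     # server authentication: clients may use mode 1 or 2
        64) echo "3" ;;       # client and server authentication: mode 3 only
        *)  return 1 ;;
    esac
}

# Print the numeric value of attribute $2 from the configset dump in file $1.
# Trailing text after the number (such as a "(This can be ...)" remark) is ignored.
oid_cfg_value() {
    sed -n "s/^$2=\([0-9]*\).*/\1/p" "$1" | head -n 1
}

# Audit one configset dump. Exit status: 0 = SSL enabled with a valid mode,
# 2 = SSL not enabled, 3 = orclsslauthentication is not one of 0, 32, 64.
oid_ssl_audit() {
    cfg="$1"
    sslenable=$(oid_cfg_value "$cfg" orclsslenable)
    sslauth=$(oid_cfg_value "$cfg" orclsslauthentication)
    sslport=$(oid_cfg_value "$cfg" orclsslport)
    if [ -z "$sslenable" ] || [ "$sslenable" = "0" ]; then
        echo "SSL is not enabled (orclsslenable=${sslenable:-missing})"
        return 2
    fi
    modes=$(oid_allowed_client_modes "$sslauth") || {
        echo "invalid orclsslauthentication=${sslauth:-missing} (expected 0, 32 or 64)"
        return 3
    }
    if [ "$sslauth" = "0" ]; then
        # Mode 1 gives the client no way to verify who it is talking to.
        echo "warning: SSL port $sslport runs with no authentication; clients cannot verify the server"
    fi
    echo "server mode $sslauth on port $sslport accepts client mode(s): $modes"
    return 0
}

# Usage: save the configset listing to a file, then run the audit on it:
#   oid_ssl_audit /tmp/configset.txt
```

Run the audit against a saved copy of the configset listing; a non-zero exit status means SSL is off or misconfigured, and the warning line singles out the no-authentication mode so it is not left in place by accident.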






OID OAM Env Issues on HP-UX


Issue Description or Issue Log#

$ $ORACLE_HOME/bin/ldapsearch -h hostname -p 3060 \
> -D "cn=orcladmin" -w pwd -b \
> "cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory" \
> -s sub "objectclass=*" > profile.ldif
/usr/lib/hpux64/dld.so: Unsatisfied code symbol 'nzcrltlfc_temp_ldap_fetch_crl' in load module '/u01/oracle/mw/Oracle_IDM1/bin/ldapsearch'.
/usr/lib/hpux64/dld.so: Unsatisfied code symbol 'nzcrltliu_temp_ldap_is_url' in load module '/u01/oracle/mw/Oracle_IDM1/bin/ldapsearch'.
/usr/lib/hpux64/dld.so: Unsatisfied code symbol 'nzcrltlfc_temp_ldap_fetch_crldp' in load module '/u01/oracle/mw/Oracle_IDM1/bin/ldapsearch'.
Killed

Fix# Make sure the environment points to the IDM/OID Oracle Home:

$ export SHLIB_PATH=/u01/oracle/mw/Oracle_IDM1/lib
$ unset LD_LIBRARY_PATH

Check that no other environment variable points to any other Oracle Home except IDM/OID.


The same applies to the other LDAP utilities:
ldapadd       ldapbind      ldapdelete    ldapmodify    ldapsearch
ldapaddmt     ldapcompare   ldapmoddn     ldapmodifymt
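As an added example (not part of the original post), the following POSIX shell functions turn that environment check into a repeatable test: they flag a set LD_LIBRARY_PATH, an SHLIB_PATH that does not start with the IDM lib directory, an ORACLE_HOME that differs from the IDM home, and any PATH or SHLIB_PATH element that looks like a different Oracle Home. The IDM home path is taken from the error above; the "oracle" substring heuristic for spotting another Oracle Home is an assumption for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: verify that the shell environment
# points only at the IDM/OID Oracle Home before running the ldap* utilities.
# Assumption: a path element containing "oracle"/"Oracle" outside the expected
# home is treated as another Oracle Home (heuristic for illustration).

# Print every element of the colon-separated value $2 that looks like an
# Oracle Home but does not live under the expected home $1.
foreign_oracle_paths() {
    home="$1"
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$p" in
            "$home"|"$home"/*) ;;                   # inside the IDM home: fine
            *[oO]racle*) printf '%s\n' "$p" ;;      # another Oracle Home
        esac
    done
}

# Check the environment against the IDM home given as $1.
# Returns 0 when clean, 1 when a problem is found; each problem is printed.
check_idm_env() {
    home="$1"
    rc=0
    if [ -n "${LD_LIBRARY_PATH:-}" ]; then
        echo "LD_LIBRARY_PATH is set ($LD_LIBRARY_PATH); unset it on HP-UX"
        rc=1
    fi
    case "${SHLIB_PATH:-}" in
        "$home/lib"|"$home/lib:"*) ;;
        *) echo "SHLIB_PATH should start with $home/lib (is: ${SHLIB_PATH:-unset})"; rc=1 ;;
    esac
    if [ -n "${ORACLE_HOME:-}" ] && [ "$ORACLE_HOME" != "$home" ]; then
        echo "ORACLE_HOME points at $ORACLE_HOME, not $home"
        rc=1
    fi
    for var in PATH SHLIB_PATH; do
        eval "val=\${$var:-}"
        for p in $(foreign_oracle_paths "$home" "$val"); do
            echo "$var contains another Oracle Home: $p"
            rc=1
        done
    done
    return $rc
}

# Usage, before running any ldap* utility from the IDM home:
#   check_idm_env /u01/oracle/mw/Oracle_IDM1 && $ORACLE_HOME/bin/ldapsearch ...
```

Running check_idm_env before the ldapsearch makes the "Unsatisfied code symbol" failure above reproducible to diagnose: the function exits non-zero and names the variable that still points at the database or other Oracle Home.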

Syntax#

ldapsearch -h hostname -p 3081 -D cn=orcladmin -w pwd -b "" -s sub -L "cn=oid1" orclnonsslport > modifyport.ldif
ldapmodify -h hostname -p 3081 -D cn=orcladmin -w pwd -f modifyport.ldif

How To Change LDAP Port OID

Oracle Internet Directory - Version 11.1.1.7.0 and later

1.   Issue an ldapsearch like the following:


ldapsearch -h hostname -p 3060 -D cn=orcladmin -w pwd -b "" -s sub -L "cn=oid1" orclnonsslport > modifyport.ldif


2- Open modifyport.ldif with vi; you should see the following:

dn: cn=oid1, cn=osdldapd,cn=subconfigsubentry

orclnonsslport: 3060

3- Modify this file so it looks like the following (setting the non-SSL port to 3070):

dn: cn=oid1, cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclnonsslport
orclnonsslport: 3070

4- Run ldapmodify on the file modifyport.ldif

example:
ldapmodify -h hostname -p 3060 -D cn=orcladmin -w pwd -f modifyport.ldif

Output like#
modifying entry cn=oid1,cn=osdldapd,cn=subconfigsubentry


5- Stop OID 

opmnctl stopproc ias-component=oid1

6- Start OID

opmnctl startproc ias-component=oid1

7- Test an ldapbind on the new port

ldapbind -h hostname -p 3070
bind successful

For ldapmodify options, see:
https://docs.oracle.com/cd/E22289_01/html/821-1279/ldapmodify.html
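Steps 1 to 4 can be scripted so the modify LDIF is generated from the ldapsearch output instead of being edited by hand. The POSIX shell below is an added example, not from the original post: make_port_ldif reads the dn and the current orclnonsslport from the file written by the -L ldapsearch in step 1, rejects a non-numeric or out-of-range port and a no-op change, and prints the LDIF that step 4 passes to ldapmodify. File names and the constructed sample input are mine.

```sh
#!/bin/sh
# Added example, not from the original post: build the ldapmodify input for an
# orclnonsslport change from the ldapsearch -L output, with basic validation.

# Print the value of the first "dn:" line in LDIF file $1.
ldif_dn() {
    sed -n 's/^dn: *//p' "$1" | head -n 1
}

# Print the current orclnonsslport value from LDIF file $1.
ldif_nonsslport() {
    sed -n 's/^orclnonsslport: *//p' "$1" | head -n 1
}

# Write the modify LDIF that sets orclnonsslport to $2 for the entry in file $1.
# Exit status: 0 = LDIF printed, 1 = no dn found, 2 = invalid port, 3 = port unchanged.
make_port_ldif() {
    src="$1"; newport="$2"
    dn=$(ldif_dn "$src")
    [ -n "$dn" ] || { echo "no dn found in $src" >&2; return 1; }
    case "$newport" in
        ''|*[!0-9]*) echo "port must be numeric: $newport" >&2; return 2 ;;
    esac
    if [ "$newport" -lt 1 ] || [ "$newport" -gt 65535 ]; then
        echo "port out of range: $newport" >&2; return 2
    fi
    if [ "$(ldif_nonsslport "$src")" = "$newport" ]; then
        echo "orclnonsslport is already $newport" >&2; return 3
    fi
    printf 'dn: %s\nchangetype: modify\nreplace: orclnonsslport\norclnonsslport: %s\n' "$dn" "$newport"
}

# Usage (file names assumed): generate the modify LDIF from the step 1 output,
# then feed it to ldapmodify as in step 4.
#   make_port_ldif modifyport.ldif 3070 > modifyport.mod.ldif
#   ldapmodify -h hostname -p 3060 -D cn=orcladmin -w pwd -f modifyport.mod.ldif
```

Writing the generated LDIF to a separate file keeps the original search output available for comparison after the change, and the exit status lets a wrapper script stop before the opmnctl restart when the port value was rejected.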

Thursday, October 22, 2015

Enhanced Features of EBS 12.2.5

Enhanced new Application DBA features of Oracle E-Business Suite Release 12.2.5 

Script to Automate Changing Oracle WebLogic Server Administration User Password (requires patch set level R12.AD.C.Delta.7 and R12.TXK.C.Delta.7)
  • The procedure used to change the Oracle WebLogic Server Administration User Password has been simplified and largely automated by the introduction of a new utility that performs what were previously manual steps.

    You can set the Oracle WebLogic Server Administration User password to a non-default value during Oracle E-Business Suite installation. If you need to change the password at a later time, you can do so on the run file system by shutting down all application tier services except the Admin Server, then running the new
    $FND_TOP/patch/115/bin/txkUpdateEBSDomain.pl script with the -action=updateAdminPassword option.
Support for Middle Tier EBS Technology Checker
  • The new middle tier checker (MT-ETCC) technology script complements the original ETCC database checker script (now called DB-ETCC). The scripts report respectively on any missing middle tier and database tier bugfixes and patches that are required for Release 12.2.
Simplified Procedure for Changing WLS Data Source
  • Changing the APPS schema password in the WLS Data Source with FNDCPASS or AFPASSWD has now been simplified and partially automated. The required sequence of actions on the run file system of the primary node includes shutting down the application tier services; starting AdminServer with the adadminsrvctl.sh script; running the txkManageDBConnectionPool.pl script and choosing the 'updateDSPassword' option; and finally restarting the application tier services. Reference: Chapter 6, Basic DBA Tasks, Oracle E-Business Suite Maintenance Guide.
Improved Delete Node and Delete Managed Server APIs
  • The improvements include addition of more validations.
Mandatory Definitions of Context Variables
  • Definition of the following is mandatory in the pairs file used for standard clone and for addition of nodes:
    • s_webentryurlprotocol
    • s_webentryhost
    • s_webentrydomain
    • s_active_webport
Various Fixes for Oracle Database 12c
  • These include cleanup of existing integrations following run of Rapid Clone.
Automatic Execution of ETCC on Database Tier After Cloning
  • This now takes place automatically, instead of as a manual step after database tier cloning.
Various adop Enhancements and Fixes
  • These include enhancements to validations, logging and security.
3.1 Enhanced adop user interface

Category: Changed UI
Description: The UI of the adop utility has been significantly enhanced, to display more selective information on the console. Messages, prompts and other elements have also been extensively refined to increase the ease of use of the various patching commands.
Parameters: Dependent on operation


3.2 New adop monitoring and validation features

Category: New features
Description: Progress of an online patching cycle can be followed by running the new Online Patching Monitoring utility (adopmon). This utility can be used to follow the overall progress of a patching cycle, as well as identifying the various individual adop actions being taken.

$ adopmon

Before you start a new patching cycle by running the prepare phase, you can optionally check your system's readiness by running adop with the 'validate' option. If you do this while a patching cycle is in progress, validation will take place for the cutover phase.

$ adop -validate


3.3 Support for new EBS Installation Central Inventory

Category: New feature
Description: Support for an instance-specific EBS Installation Central Inventory has been introduced as an option for the application tier on UNIX platforms. The inventory is identified by <s_base>/oraInventory/oraInst.loc. This feature is useful where multiple Oracle E-Business Suite installations exist on the same host, helping to avoid issues when fs_clone is run simultaneously on different instances.
Parameters: Not applicable

To use the EBS Installation Central Inventory, all application tier Oracle Homes registered in the global inventory for the instance must be migrated to the new inventory. This is done by running the following steps on the primary application tier node:

1.    Source the run edition file system.
2.    Edit the context file and set the value of the context variable s_ebs_central_inventory to 'true'.
3.    Run AutoConfig.
4.    Run the following command:
      $ perl <FND_TOP>/patch/115/bin/txkMigrateInventory.pl -contextfile=<CONTEXT_FILE>
      Ensure that all application tier Oracle Homes have been migrated to the EBS Installation Central Inventory.

Repeat all the above steps on any non-shared nodes and shared master nodes (for example, in a hybrid setup). For all shared slave nodes, perform Steps 1 to 3 (only) on each node.

Once the inventory is migrated, any subsequently added nodes will be automatically configured to use the EBS Installation Central Inventory, and any new target instance cloned from this instance will automatically be configured to use it.
3.4 Oracle WebLogic Server performance improvements

Category: New options
Description:
  • A new -DserverType=wlx start argument for managed servers reduces their memory footprint, by preventing startup of the Enterprise JavaBeans (EJB), Java EE Connector Architecture (JCA), and Java Message Service (JMS) services.
    Parameters: -DserverType=wlx
  • To reduce oacore startup time, the Portlet Producer libraries are no longer deployed to the EBS domain. A new context variable, s_deploy_portlet, has been introduced to cater for cases where portlet-related configuration is required, such as in instances needing Webcenter integration.
    Parameters: s_deploy_portlet

Category: New mode
Description: The default value of s_forms-c4wsstatus is now set to 'Disabled'. Thus, the formsc4-ws servers are no longer started during a 'start all' operation.
Parameters: s_forms-c4wsstatus


3.5 New 'dualfs' option in standard cloning

Category: New option
Description: A new 'dualfs' option is available when performing a standard clone, as well as while adding a new node. With the 'dualfs' option, both the run and patch file systems are cloned and configured in a single operation.
Parameters: dualfs


Doc ID 2050998.1