    Configure Oracle Unified Directory in SSL Mode with Self-signed Certificate

    Posted in "FMW" on 2014-11-13

    In this post, I will walk you through the steps involved in configuring Oracle Unified Directory to accept connections over SSL using a self-signed certificate. To know more about Oracle Unified Directory, check this post: http://trainings.k21technologies.com/oracle-unified-directory-at-a-glance/
    Below are the steps involved in creating a self-signed certificate and using it with OUD to enable it to accept SSL connections:

    1. Export JAVA_HOME environment variable:
    >export JAVA_HOME=/u01/java/jdk1.6.0_45

    2. The commands below must be executed from the OUD instance directory <OUD_INSTANCE_ORACLE_HOME>,
    e.g. /u01/oracle/config/instances/instance1/OUD/

    3. Generate a private key for the self-signed certificate using the command:
    >/u01/java/jdk1.6.0_45/bin/keytool -genkeypair -alias oudcert -keyalg rsa -dname "CN=myhostname.mycompany.com,O=MyOrganisation,C=GB" -keystore config/keystore -storetype JKS
    alias- certificate name
    keyalg- algorithm to be used to generate the private key
    dname- subject name for the certificate
    keystore- path to the keystore file (It must be config/keystore)
    storetype- keystore type (It must be JKS)

    You will be prompted to enter the passwords for keystore and private key.

    4. The next step is to generate a self-signed certificate:
    >/u01/java/jdk1.6.0_45/bin/keytool -selfcert -alias oudcert -validity 1825 -keystore config/keystore -storetype JKS
    alias- certificate name (It must be the same name which we used in the previous step)
    validity- the validity of the certificate in terms of days
    keystore- path to the keystore file (It must be config/keystore)
    storetype- keystore type (It must be JKS)
    You will be prompted to enter the password for the keystore. It has to be the same password which we specified in the previous step.

    5. Create a file keystore.pin inside the config folder containing the password we used to protect the keystore.

    6. Next we will export the public key for the certificate which we created in step 4:
    >/u01/java/jdk1.6.0_45/bin/keytool -exportcert -alias oudcert -file config/oudcert.txt -rfc -keystore config/keystore -storetype JKS
    alias- certificate name (It must be the same name which we used in step 3)
    file- path to the certificate file. Certificate will be exported to this file.
    rfc- the exportcert command writes DER format by default. The -rfc option changes it to the printable PEM (RFC 1421) format.

    7. Now import the certificate into a new trust store:
    >/u01/java/jdk1.6.0_45/bin/keytool -importcert -alias oudcert -file config/oudcert.txt -keystore config/truststore -storetype JKS

    8. Enable the Key Manager provider in OUD (replace <oud-hostname> with the host OUD is running on):
    >/u01/oracle/product/access/oud/bin/dsconfig -h <oud-hostname> -p 4444 -D "cn=oudadmin" -j /u01/stage/password.txt -X -n set-key-manager-provider-prop --provider-name JKS --set enabled:true

    9. Enable the Trust Manager provider in OUD:
    >/u01/oracle/product/access/oud/bin/dsconfig -h <oud-hostname> -p 4444 -D "cn=oudadmin" -j /u01/stage/password.txt -X -n set-trust-manager-provider-prop --provider-name "Blind Trust" --set enabled:true

    10. Enable the LDAPS Connection Handler in OUD:
    >/u01/oracle/product/access/oud/bin/dsconfig -h <oud-hostname> -p 4444 -D "cn=oudadmin" -j /u01/stage/password.txt -X -n set-connection-handler-prop --handler-name "LDAPS Connection Handler" --set "trust-manager-provider:Blind Trust" --set key-manager-provider:JKS --set listen-port:1636 --set enabled:true

    11. Point OUD at the keystore pin file which we created in step 5:
    >/u01/oracle/product/access/oud/bin/dsconfig -h <oud-hostname> -p 4444 -D "cn=oudadmin" -j /u01/stage/password.txt -X -n set-key-manager-provider-prop --provider-name JKS --set enabled:true --set key-store-pin-file:config/keystore.pin

    So now we have enabled OUD to accept SSL connections on port 1636 with the self-signed certificate. To test the SSL port, execute the following command:
    >ldapsearch --port 1636 --useSSL --baseDN "" --searchScope base "(objectClass=*)"

    After accepting the certificate when prompted, you will see the Root DSE entry of the OUD instance.
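    The same Root DSE test can be done without interactively trusting the certificate, which also checks that the listener presents the certificate we generated. The following Python client is an added example (not part of the original post): it trusts only the PEM file exported in step 6, verifies the hostname against the CN given in the -dname of step 3, and sends a hand-encoded LDAP SearchRequest identical to the ldapsearch above. The host, port and file path constants are assumptions to replace with your own values.

```python
import socket
import ssl

# Assumed values: the CN from step 3's -dname, the listen-port from step 10 and the
# PEM file written in step 6 (all placeholders, replace with your own).
OUD_HOST = "myhostname.mycompany.com"
OUD_LDAPS_PORT = 1636
EXPORTED_CERT = "config/oudcert.txt"


def tlv(tag: int, value: bytes) -> bytes:
    """BER TLV with short-form length (every field built here is < 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def root_dse_search(message_id: int = 1) -> bytes:
    """LDAPMessage carrying the same SearchRequest as
    ldapsearch --baseDN "" --searchScope base "(objectClass=*)"."""
    request = (
        tlv(0x04, b"")                  # baseObject "" = Root DSE
        + tlv(0x0A, b"\x00")            # scope baseObject
        + tlv(0x0A, b"\x00")            # derefAliases neverDerefAliases
        + tlv(0x02, b"\x00")            # sizeLimit 0
        + tlv(0x02, b"\x00")            # timeLimit 0
        + tlv(0x01, b"\x00")            # typesOnly FALSE
        + tlv(0x87, b"objectClass")     # filter: present [7] objectClass
        + tlv(0x30, b"")                # attributes: none requested (all user attrs)
    )
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, request))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one definite-length BER TLV (short or long form) starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def protocol_op(message: bytes) -> int:
    """protocolOp tag of an LDAPMessage: 0x64 SearchResultEntry, 0x65 SearchResultDone."""
    _, body, _ = read_tlv(message)      # outer SEQUENCE
    _, _, pos = read_tlv(body)          # skip messageID
    return read_tlv(body, pos)[0]


def check_ldaps(host=OUD_HOST, port=OUD_LDAPS_PORT, cafile=EXPORTED_CERT) -> int:
    """TLS trusting only the exported cert, hostname verified, then a Root DSE search;
    returns the first protocolOp tag (0x64 = the Root DSE entry came back)."""
    ctx = ssl.create_default_context(cafile=cafile)   # pinned trust, no blind trust here
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(root_dse_search())
            return protocol_op(tls.recv(65536))
```

    Note that the "Blind Trust" provider in step 9 governs how OUD treats certificates presented by clients, not how clients validate the server; this script is the client side, so it replaces the blind `-X` style of trust with the exported certificate as the only anchor.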

    References:

    https://docs.oracle.com/cd/E49437_01/admin.111220/e22648/security_clients_severs.htm#solCONFIGURING-SECURITY-BETWEEN-CLIENTS-AND-SERVERS

    Ganesh Kamble works as an Oracle Fusion Middleware Consultant and is an Oracle Certified Specialist in Access Management. Having started his career in product development at Oracle, Ganesh gained extensive exposure to middleware technologies while integrating the Tier-1 banking product Oracle Banking Platform with Oracle Fusion Middleware products. He was honored with an Outstanding Contribution award by Oracle.
    His key areas of interest are Oracle Identity and Access Management, Oracle Service Oriented Architecture and Java, with a passion for blogging about his encounters with Oracle products. He publishes blogs regularly on http://k21technologies.com/blog/. He can be reached at ganesh.kamble@k21technologies.com and http://twitter.com/ganeshk_8