    Configure SSL for Oracle Internet Directory (OID)

    Posted in "oid, ssl" on 2013-01-24


    Oracle Internet Directory (OID) by default listens on two ports: LDAP (non-secure) and LDAPS (secure LDAP). This post covers in detail how to configure SSL in OID 11g and the key points related to SSL in OID.

    1. OID listens on two ports (LDAP and LDAPS); the ports in use are displayed by opmnctl status -l (in the example below, OID is listening on SSL port 3131 and non-SSL port 3060).

    [aiam@innowave21 ~]$ opmnctl status -l

    Processes in Instance: asinst_1
    --------------+--------------+-------+--------+-----------+---------+-----------+----------------------
    ias-component | process-type |   pid | status |       uid | memused |    uptime | ports
    --------------+--------------+-------+--------+-----------+---------+-----------+----------------------
    oid1          | oidldapd     | 26253 | Alive  | 412548771 |  662564 | 371:51:57 | N/A
    oid1          | oidldapd     | 26213 | Alive  | 412548770 |  374372 | 371:51:58 | N/A
    oid1          | oidmon       | 26145 | Alive  | 412548769 |  298736 | 371:52:02 | LDAPS:3131,LDAP:3060
    EMAGENT       | EMAGENT      | 26144 | Alive  | 412548768 |   63824 | 371:52:02 | N/A

    2. OID on the LDAPS (secure) port can be configured in one of three modes, controlled by the attribute orclSSLAuthentication:

    a) SSL with No Authentication (orclSSLAuthentication = 1): neither the client (making the connection to OID) nor the server (OID) presents an SSL certificate. Data is transferred over SSL, but neither side verifies the identity of the other.

    b) SSL with Server Authentication Only (orclSSLAuthentication = 32): the server (OID) presents its SSL certificate to the client (making the connection to OID), but the client does not present any certificate to the server. Data is transferred over SSL.

    c) SSL with Client and Server Authentication (orclSSLAuthentication = 64): both the server (OID) and the client (making the connection to OID) present their SSL certificates to each other. Data is transferred over SSL.

    Note: The default setting is SSL with No Authentication, i.e. orclSSLAuthentication = 1. Common practice is to change this to SSL with Server Authentication Only, i.e. orclSSLAuthentication = 32, so that clients can verify that they are talking to the genuine OID server.


    3. When OID is configured for Server Authentication (orclSSLAuthentication = 32) or Client and Server Authentication (orclSSLAuthentication = 64), the SSL certificate and the Certifying Authority's (CA) certificates are stored in wallets (more on wallets here and here). Wallets can be managed with EM (Enterprise Manager), WLST, orapki or OWM (Oracle Wallet Manager).

    Note: To manage wallets in OID 11g using EM or WLST, OID must be integrated with WebLogic with Enterprise Manager (EM).


    4. For the OID SSL certificate, you can either generate a self-signed certificate, or create a certificate request file, submit it to a Certifying Authority such as VeriSign, and store the returned certificate in the wallet.

    To configure SSL in OID:

    1. Configure a wallet to store the SSL certificate and the Certifying Authority's certificates, using EM, WLST, OWM or orapki.

    2. Create a certificate request file -> get the certificate from the Certifying Authority (CA) -> import the certificate into the wallet

    or

    2. Generate a self-signed certificate in the wallet

    3. Configure the SSL parameters using EM or WLST, or update the SSL-related attributes of the OID instance (orclSSLAuthentication, orclSSLVersion, orclSSLWalletURL):

    a) Ensure that Enable SSL is checked

    b) Select the wallet from the drop-down (the list is based on the wallets created in the previous step; you can have more than one wallet, but only one wallet will be used)

    c) Select the SSL Authentication Mode (orclSSLAuthentication 1, 32 or 64)

    d) Select the ciphers (it is recommended to select ciphers based on enterprise security requirements)

    e) Select the SSL version (version 3 is recommended). Note that SSL 3.0 has since been deprecated (RFC 7568, 2015), so on releases that support it, TLS should be preferred.

    4. Restart OID using opmnctl stopall; opmnctl startall

    5. Test the SSL connection from ldapbind, ODSM or an LDAP browser
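    As an added example for step 5 above (and for the three orclSSLAuthentication modes in point 2), not code from the original post or from Oracle: a small POSIX shell helper that reads the LDAPS port from opmnctl status -l output, builds the ldapbind test command matching the configured mode, and shows the certificate the server presents on that port. It assumes the OID 11g ldapbind flags -U (SSL authentication mode), -W (wallet location) and -P (wallet password) as described in the comments; the host name, wallet path and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not stated in the post):
# OID 11g ldapbind uses -U 1 (no authentication), -U 2 (server authentication only)
# and -U 3 (client and server authentication), -W for the wallet location and
# -P for the wallet password. Host, wallet path and password are placeholders.

# Pull the LDAPS port out of `opmnctl status -l` output read from stdin.
ldaps_port_from_status() {
    sed -n 's/.*LDAPS:\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map orclSSLAuthentication (1, 32 or 64) to the matching ldapbind test command.
# Modes 32 and 64 need a client-side wallet: it holds the CA certificate used to
# verify the server and, for mode 64, the client's own certificate as well.
ldapbind_cmd() {
    host=$1 port=$2 mode=$3 wallet=$4 wpass=$5
    case "$mode" in
        1)  printf 'ldapbind -h %s -p %s -U 1' "$host" "$port" ;;
        32) printf 'ldapbind -h %s -p %s -U 2 -W file:%s -P %s' "$host" "$port" "$wallet" "$wpass" ;;
        64) printf 'ldapbind -h %s -p %s -U 3 -W file:%s -P %s' "$host" "$port" "$wallet" "$wpass" ;;
        *)  echo "unsupported orclSSLAuthentication value: $mode" >&2; return 1 ;;
    esac
}

# Read-only check of what the server presents on the LDAPS port (subject, issuer,
# validity); needs network access to a live OID host, so it is only run with --run.
show_server_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample: the oidmon line from the opmnctl output shown in this post.
SAMPLE_STATUS='oid1 | oidmon | 26145 | Alive | 412548769 | 298736 | 371:52:02 | LDAPS:3131,LDAP:3060'

# Usage on the OID host: ./check_oid_ssl.sh --run <host> <mode> [wallet] [wallet-pass]
if [ "$1" = "--run" ]; then
    port=$(opmnctl status -l | ldaps_port_from_status)
    echo "LDAPS port from opmnctl status -l: $port"
    show_server_cert "$2" "$port"
    echo "Suggested bind test:"
    ldapbind_cmd "$2" "$port" "$3" "${4:-/placeholder/wallet}" "${5:-WALLET_PASSWORD}"; echo
else
    port=$(printf '%s\n' "$SAMPLE_STATUS" | ldaps_port_from_status)
    echo "Sample status line gives LDAPS port $port; bind command for mode 32:"
    ldapbind_cmd oid.example.com "$port" 32 /placeholder/wallet WALLET_PASSWORD; echo
fi
```

Run without arguments it only parses the constructed sample line; with --run it queries the local opmnctl and the live LDAPS port.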


    Here is the OID instance configuration after SSL has been configured:


    More on OID SSL configuration in the OID Administrator's Guide.


    6 Responses to “Configure SSL for Oracle Internet Directory (OID)”

    1. […] SSL configuration in OVD – Oracle Virtual Directory Posted in January 27th, 2013 by Atul Kumar in idm, ovd, ssl This post covers key points and documentation to configure SSL in Oracle Virtual Directory (OVD) 11g. For SSL configuration in OID 11g click here […]

    2. sunnyajmera says:

      Hi Atul,

      Is there a way to disable the non-SSL port in OID? My requirement is to force all ldapbind with the LDAPS port.

      Regards,
      Sunny

    3. Atul Kumar says:

      @Sunnyajmera,
      You can change the LDAP port to the LDAPS port. Use EM to change the listener from non-SSL to SSL; you can do the same by changing LDAP attributes too.

    4. […] about  SSL basics in WebLogic like Certifying Authority and Certificate and configuring SSL for OID and SSL for OVD  using Graphical User Interface (GUI) like Fusion Middleware Control […]

    5. […] recently configured LDAP Adapter in OVD (acting as proxy in front of OID) where OID is listening on SSL. This configuration worked and user’s were able to access OID data via OVD using LDAP […]

    6. […] OID/OVD is configured to listen on SSL (for steps on how to configure OID/OVD in SSL click here and here ) then you select checkbox SSL Enabled in Provider Specific […]
