• Find us:
    +1-669-900-5138   |   +44-203-372-5553
  • Free Newsletter

    Get Latest Updates

  • Make Training Enquiry


  • Categories

  • Archive

  • SSL configuration in OVD – Oracle Virtual Directory

    Posted by "" in "idm, ovd, ssl" on 2013-01-27

    This post covers key points and documentation to configure SSL in Oracle Virtual Directory (OVD) 11g. For SSL configuration in OID 11g click here

    1. SSL Authentication Mode – OVD and any other SSL listener can be configured in one of three Authentication Mode
    a. SSL No-Auth Mode : Neither client nor server are required to authenticate by showing their certificate. This mode is also called as anonymous or no authentication mode.
    b. Server Authentication Mode : In this mode Server Authenticate itself to client by presenting SSL certificates but client does not Authenticate itself using certificate. This mode is also called as one-way SSL or Server authentication.
    c. Mutual Authentication : In this mode both client and server authenticates each other using SSL certificates. This mode is also called as two-way SSL or Client authentication.

    Note: OVD SSL Listener by default is configured in Server Authentication Mode.

    2. OVD by default listens on four ports (More on OVD listeners  here)
    a)  LDAP Listener – Non SSL LDAP default port 6501
    b)  LDAPS Listener – SSL LDAP default port 7501
    c)  Admin Listener – SSL Admin port 8899
    d)  DSML Gateway – Non SSL HTTP port 8080

    Note: Client’s usually connect to OVD using LDAP or LDAPS Listener

    3. LDAPS and Admin Gateway Listener by default comes with SSL with self signed certificate. You can change from self signed certificates to certificates issues trusted CA like Verisign/Thawte or you can use your own CA.

    4. SSL certificates (issued to OVD listeners) and Certifying Authority’s Certificates (Certificates of Authority that issues these certificate ) are stored in Keystore.

    5. Keystore – In Oracle Fusion Middleware there are two type of keystores.

    a) JKS Keystore and Truststore (aka Java Key Store)
    b) Oracle Wallets

    Note : OVD uses Java Key Store to store certificates. System Components of Fusion Middleware like OID & OHS uses Oracle Wallets to store SSL certificates.

    6. You can configure/manage SSL in OVD (LDAPS listener) using

    a) WebLogic Scripting Tool (WLST)
    b) Fusion Middleware Enterprise Manager Control (/em)

    Note: To manage SSL certificates using EM or WLST, OVD must be configured with Weblogic Server with EM application deployed .

    7. Java Keystore lifecycle includes

    a) Creating keystore
    b) viewing/updating keystore
    c) exporting/importing keystore
    d) deleting keystore

    8. To create/manage  keystore in OVD –
    a) Login to EM
    b) Navigate to ovd -> Security -> Keystores



    9. OVD by default creates following Keystore

    a) keys.jks (Trust Store and SSL Keys for OVD LDAPS Listeners)

    b) Optional – If LDAP Adapter using TLS/SSL is defined then adapters.jks (containing SSL certificate and trust store for OVD to LDAP connection on SSL )

    10. Location of Key Store for OVD LDAPS Listener is defined in OVD EM : Administration -> Listeners -> LDAP SSL End Point (Edit) -> Change SSL Settings



    11. Location of Key Store for OVD LDAP Adapter is defined in OVD EM : Administration -> Server Properties (Under TLS Configuration Section)


    12. Java Keystore (JKS) for OVD is stored on File System under $ORACLE_INSTANCE/config/OVD/[ovd1]/keystores

    13. If you don’t want to use self signed certificate and wish to use certificates signed by trusted certifying certificate (like verisign or thawte) or signed by your companies PKI then

    a. Create Java keystore using /em or wlst
    b. Generate CSR (Certificate Signing Request)
    c. Send CSR to Certifying Authority (CA) for signing the certificates
    d. Once you get signed certificate from CA (Certifying Authority) then import signed certificate in to keystore
    e.  If certificates are signed by companies PKI then ask OVD clients (including ODSM) to include CA’s certificates (as trusted certificate)

    Note: Certificates can be DER-encoded or Base-64 encoded format. You cannot use FMW control to import DER-encoded certificate.


    References/Further Reading


    2 Responses to “SSL configuration in OVD – Oracle Virtual Directory”

    1. […]  SSL basics in WebLogic like Certifying Authority and Certificate , configuring SSL for OID and SSL for OVD  using Graphical User Interface (GUI) using Fusion Middleware Control […]

    2. […] is configured to listen on SSL (for steps on how to configure OID/OVD in SSL click here and here ) then you select checkbox SSL Enabled in Provider Specific […]

    Leave a Reply

  • K21 Technologies is among the most experienced Oracle Gold Partner for Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    8 Magnolia Place, Harrow,
    London, HA2 6DS

    UK: +44(0)7476444481
    USA: +1-888-414-1821

  • 2014, K21 Technologies. All rights reserved DMCA.com
  • TOP