Configure SSL for Oracle Internet Directory (OID)

Oracle Internet Directory (OID) by default listens on two ports: LDAP (non-secure) and LDAPS (secure LDAP). In this post I cover in detail how to configure SSL in OID 11g and the key points related to SSL in OID.

1. OID listens on two ports (LDAP and LDAPS); the ports in use are displayed by opmnctl status -l (in the example below, OID is listening on SSL port 3131 and non-SSL port 3060)

[aiam@innowave21 ~]$ opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+---------------------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+---------------------
oid1                             | oidldapd           |   26253 | Alive    |  412548771 |   662564 | 371:51:57 | N/A
oid1                             | oidldapd           |   26213 | Alive    |  412548770 |   374372 | 371:51:58 | N/A
oid1                             | oidmon             |   26145 | Alive    |  412548769 |   298736 | 371:52:02 | LDAPS:3131,LDAP:3060
EMAGENT                          | EMAGENT            |   26144 | Alive    |  412548768 |    63824 | 371:52:02 | N/A

2. OID on the LDAPS (secure) port can be configured in one of three modes (controlled by the attribute orclSSLAuthentication):

a) SSL with No Authentication (orclSSLAuthentication = 1): neither the client (making the connection to OID) nor the server (OID) presents an SSL certificate. Data is transferred over SSL.

b) SSL with Server Authentication Only (orclSSLAuthentication = 32): the server (OID) presents its SSL certificate to the client (making the connection to OID), but the client does not present any certificate to the server. Data is transferred over SSL.

c) SSL with Client and Server Authentication (orclSSLAuthentication = 64): both the server (OID) and the client (making the connection to OID) present their SSL certificates to each other. Data is transferred over SSL.

Note: The default setting is SSL with No Authentication, i.e. orclSSLAuthentication = 1. Common practice is to change this to SSL with Server Authentication Only, i.e. orclSSLAuthentication = 32.


3. When OID is configured for Server Authentication (orclSSLAuthentication = 32) or Client and Server Authentication (orclSSLAuthentication = 64), the SSL certificate and the Certifying Authority's (CA) certificates are stored in wallets (more on wallets here and here). A wallet can be managed with EM (Enterprise Manager), WLST, orapki or OWM (Oracle Wallet Manager).

Note: To manage wallets in OID 11g using EM or WLST, OID must be integrated with WebLogic with Enterprise Manager (EM).


4. For the SSL certificate of OID, you can either generate a self-signed certificate, or create a certificate request file, submit it to a Certifying Authority such as VeriSign, and store the returned certificates in the wallet.

To configure SSL in OID:

1. Configure a wallet to store the SSL certificate and the Certifying Authority's certificates, using EM, WLST, OWM or orapki

2. Create a certificate request file -> get the certificate from the Certifying Authority (CA) -> import the certificate into the wallet

or

2. Generate a self-signed certificate in the wallet

3. Configure the SSL parameters using EM or WLST, or update the SSL-related attributes of the OID instance directly (orclSSLAuthentication, orclSSLVersion, orclSSLWalletURL):

a) Ensure that Enable SSL is checked

b) Select the wallet from the drop-down (the list is based on the wallets created in the previous step; you can have more than one wallet, but only one wallet will be used)

c) Select the SSL Authentication Mode (orclSSLAuthentication 1, 32 or 64)

d) Select the ciphers (it is recommended to select ciphers based on enterprise security requirements)

e) Select the SSL version (version 3 is recommended)

4. Restart OID using opmnctl stopall; opmnctl startall

5. Test the SSL connection with ldapbind, ODSM or an LDAP browser
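To tie section 2 (the three orclSSLAuthentication modes) and step 5 (testing the listener) together, here is an added example that is not part of the original post or of Oracle's tooling. It locates the LDAPS port in opmnctl status -l output, builds a TLS client whose trust settings match each orclSSLAuthentication value, and performs the handshake that ldapbind or an LDAP browser would perform, using only the Python standard library. The sample opmnctl output is constructed from the table above; the host name oid.example.com and the file oid_ca.pem (assumed to be the CA certificate exported from the wallet named in orclSSLWalletURL) are placeholders; and the use of anonymous cipher suites for mode 1 is an assumption drawn from the statement that no certificate is presented in that mode.

```python
"""Added example (not from the original post or Oracle): find OID's LDAPS
port, build a TLS client matching orclSSLAuthentication, and probe it."""
import re
import socket
import ssl

# Constructed sample, modelled on the `opmnctl status -l` table in the post.
SAMPLE_STATUS = """\
Processes in Instance: asinst_1
ias-component | process-type | pid   | status | uid       | memused | uptime    | ports
oid1          | oidldapd     | 26253 | Alive  | 412548771 | 662564  | 371:51:57 | N/A
oid1          | oidmon       | 26145 | Alive  | 412548769 | 298736  | 371:52:02 | LDAPS:3131,LDAP:3060
EMAGENT       | EMAGENT      | 26144 | Alive  | 412548768 | 63824   | 371:52:02 | N/A
"""

# orclSSLAuthentication values described in section 2 of the post.
SSL_NO_AUTH = 1       # neither side presents a certificate
SSL_SERVER_AUTH = 32  # OID presents its wallet certificate
SSL_MUTUAL_AUTH = 64  # both sides present certificates


def oid_ports(status_output):
    """Parse the 'ports' column of opmnctl status -l into {'LDAPS': 3131, 'LDAP': 3060}."""
    ports = {}
    for line in status_output.splitlines():
        for proto, port in re.findall(r"\b(LDAPS?):(\d+)", line):
            ports[proto] = int(port)
    return ports


def client_context(mode, ca_file=None, client_cert=None, client_key=None):
    """Return an ssl.SSLContext whose verification matches the OID mode."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if mode == SSL_NO_AUTH:
        # Nothing to verify: OID sends no certificate in this mode, so the
        # session is encrypted but unauthenticated. Assumption: anonymous DH
        # suites are needed; modern OpenSSL disables them by default.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("aNULL:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # this OpenSSL build has no anonymous suites; mode 1 not usable
        return ctx
    if mode not in (SSL_SERVER_AUTH, SSL_MUTUAL_AUTH):
        raise ValueError("unknown orclSSLAuthentication value: %r" % mode)
    # Modes 32 and 64: the client must trust the CA that signed OID's wallet
    # certificate (ca_file = CA certificate exported from the wallet).
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if mode == SSL_MUTUAL_AUTH:
        # Mode 64: OID also demands a certificate from the client.
        if not (client_cert and client_key):
            raise ValueError("mode 64 requires a client certificate and private key")
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe_ldaps(host, port, mode=SSL_SERVER_AUTH, timeout=5.0, **certs):
    """Handshake with the LDAPS listener (what step 5 does with ldapbind) and
    report the negotiated protocol, cipher and, for modes 32/64, the subject
    of the certificate OID presented. A failed handshake raises ssl.SSLError,
    which is the 'no trusted certificate' symptom seen from the client side."""
    ctx = client_context(mode, **certs)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}   # empty in mode 1 (no certificate)
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {"version": tls.version(), "cipher": tls.cipher()[0], "subject": subject}


if __name__ == "__main__":
    ports = oid_ports(SAMPLE_STATUS)
    print("LDAPS port from opmnctl:", ports["LDAPS"])
    # Placeholder host and CA file: replace with the OID host and the CA
    # certificate exported from the wallet configured in orclSSLWalletURL.
    print(probe_ldaps("oid.example.com", ports["LDAPS"], ca_file="oid_ca.pem"))
```

Running it against a listener in mode 32 with the right CA file prints the negotiated protocol, the cipher and the subject of the wallet certificate; if the CA that signed the wallet certificate is not in ca_file, the handshake fails with a certificate-verify error, which is the same condition that makes a WebLogic data source or LDAP browser reject the connection.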


Here is the OID instance configuration after configuring SSL


More on OID SSL configuration in the OID Administrator's Guide


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.


17 comments
» SSL configuration in OVD – Oracle Virtual Directory Online Apps DBA: One Stop Shop for Apps DBA’s says January 27, 2013

[…] SSL configuration in OVD – Oracle Virtual Directory Posted in January 27th, 2013 by Atul Kumar in idm, ovd, ssl This post covers key points and documentation to configure SSL in Oracle Virtual Directory (OVD) 11g. For SSL configuration in OID 11g click here […]

sunnyajmera says March 6, 2013

Hi Atul,

Is there a way to disable the non-SSL port in OID? My requirement is to force all ldapbinds to use the LDAPS port.

Regards,
Sunny

Atul Kumar says March 7, 2013

@Sunnyajmera,
You can change the LDAP port to the LDAPS port. Use EM to change the listener from non-SSL to SSL; you can do the same by changing the LDAP attributes too.

» SSL / Wallets in OID/OHS : How to manage certificates in Wallet using command line ?? ORAPKI Online Apps DBA: One Stop Shop for Apps DBA’s says August 24, 2013

[…] about  SSL basics in WebLogic like Certifying Authority and Certificate and configuring SSL for OID and SSL for OVD  using Graphical User Interface (GUI) like Fusion Middleware Control […]

» OVD LDAP Adapter for OID : LDAPException LDAP Error Code 2 : malformedRequest Protocol Error LDAPException Server Message Protocol Error Online Apps DBA: One Stop Shop for Apps DBA’s says October 29, 2013

[…] recently configured LDAP Adapter in OVD (acting as proxy in front of OID) where OID is listening on SSL. This configuration worked and user’s were able to access OID data via OVD using LDAP […]

» Security:090294 could not get connection javax. net. ssl. SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received Online Apps DBA: One Stop Shop for Apps DBA’s says February 7, 2014

[…] OID/OVD is configured to listen on SSL (for steps on how to configure OID/OVD in SSL click here and here ) then you select checkbox SSL Enabled in Provider Specific […]

Ashutosh says June 4, 2015

Hi Atul,

I have configured SSL on the OID server as per the steps mentioned in the blog, and I am able to connect to the LDAP server using the SSL port from the ODSM application and to configure the SSL connection in the OAM Data Source.
But how can we test it using an LDAP browser or a web-based application?
Any suggestion will be helpful and appreciated.

Regards,
Ashutosh

Atul Kumar says June 4, 2015

@ Ashutosh,
You can download an LDAP browser like the Apache LDAP client, and then when you are connecting to OID select SSL and give the SSL listener port of OID.

Ashutosh says June 4, 2015

Thanks Atul for your reply.
I tried using Apache LDAP browser and JXplorer, and both were unable to connect.
Steps followed to configure SSL:
1. Created a wallet with auto login.
2. Added a self-signed certificate to the wallet.
3. Configured the SSL parameters using WLST. But I have not configured "No Authentication" in the SSL configuration.
4. At last, restarted the OID instance.

Let me know if I am missing any steps, and does the LDAP browser require any SSL certificate to connect to the server?

Atul Kumar says June 4, 2015

This looks good. When the Apache browser hits LDAPS on OID and the certificate on the OID server is not in the trust store of Apache LDAP, Apache is going to prompt you to verify and accept the certificate.

If you are not getting to that stage, this means

a) either a firewall between the client and OID
b) or an issue in the OID SSL listener

Check the OID access logs to see whether the request is reaching OID or not.

Ashutosh says June 8, 2015

Hi Atul,

I tried disabling the firewall on the IDM server, and now while trying to connect using Apache LDAP browser, after passing the login information and selecting Simple Authentication, I am getting the following error: "
The authentication failed
– The response queue has been emptied, no response was found.
org.apache.directory.api.ldap.model.exception.LdapException: The response queue has been emptied, no response was found.
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1117)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:368)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
at org.apache.directory.studio.connection.core.jobs.CheckBindRunnable.run(CheckBindRunnable.java:79)
at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:122)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1089)
… 7 more

The response queue has been emptied, no response was found.
".
Tried looking in the OID access log; I am not seeing any connection request.

Please advise.

Thanks,
Ashutosh

Ashutosh says June 11, 2015

Thanks Atul for guiding me.
Issue resolved; it was due to a wrong JDK version, which is why Apache LDAP browser was unable to connect.
Later I was able to connect using another browser (JXplorer) with JDK 1.7.x.

Ashutosh says June 12, 2015

Another question: is it possible to generate or export a certificate from the wallet (SSL configured on OID with a self-signed certificate) for a web-based application? If yes, then how?

Atul Kumar says June 12, 2015

@Ashutosh,
You can copy the whole wallet to another location and use it there. Just copy and paste.

Satish says September 27, 2015

Hi Atul,
It's really a useful post. We are trying to enable SSL everywhere for my OBIEE setup, which uses LDAP for authentication. I followed all the above steps which you listed in this article, but when I try to perform reassociation of the policy store from my OBIEE it errors out with a message like "no trusted certificate found". Can I open the wallet and see what certificates are present in it? How can I debug this?

thanks in advance .

Satish K.

Satish says September 27, 2015

Hi Atul,
It's a lengthy query; please bear with me.
Thanks for your quick reply. Here is what my current requirement is and what I followed in order to make SSL everywhere.
My WLS uses LDAP for authentication/authorization, so as part of SSL everywhere at the LDAP/WLS level I followed the set of instructions below.
Related to certificates I have the files below:
1.trust.jks
2.identity.jks
3.root.cert
4.ewallet.p12
5.cwallet.sso
6.cacerts
LDAP Level SSL:
I placed my ewallet.p12 & cwallet.sso in some xyz directory and for "orclsslWalletURL" I provided that directory path, and the orclSSLAuthentication value as 32. Even my DB is SSL enabled, so I modified the sqlnet.ora and tnsnames.ora files accordingly. After making all these changes I restarted all OPMN components; everything looks fine up to this level.
WLS Console:
Under the "Keystores" tab I changed the keystore type to "Custom Identity and Custom Trust" and provided the custom Identity/Trust keystore file locations, and the private key alias under the "SSL" tab.
WLS EM:
For the Business Intelligence coreapplication component, under the Secure Socket Layer tab I provided the CA certificate location and restarted all the services including Node Manager.
Apart from the above changes I replaced the old cacerts file of the JDK which the WLS server is using with the one I have in hand.

At the time of installation of WLS it was a plain environment, so the LDAP protocol and port number are ldap/3060. In order to change those values from plain to SSL in WebLogic I found a reassociation script; when I attempt to run that script it errors out with the message

Starting policy store reassociation.
Command FAILED, Reason: javax.naming.CommunicationException: simple bind failed: xyz.domain.com:3131 Root exception is javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from yzx.domain.com – 10.147.45.97 was not trusted causing SSL handshake failure.

The certificate-related files which I listed above have the content below.
For some reasons I am hiding the details and replacing them with xyz.

1.identity.jks
keytool -list -v -keystore identity.jks -storepass xyz
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: xyz
Creation date: Mar 17, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=xyz, OU=xyz, O=xyz, L=xyz, ST=xyz, C=xyz
Issuer: CN=xyz, OU=xyz, O=xyz, L=xyz, ST=xyz, C=xyz
Serial number: xyz
Valid from: Tue Mar 17 21:57:39 IST 2015 until: Tue Dec 11 21:57:39 IST 2018
Certificate fingerprints:
MD5: xyz
SHA1: xyz
SHA256: xyz
Signature algorithm name: SHA1withRSA
Version: 3

2.trust.jks

keytool -list -v -keystore trust.jks -storepass xyz

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: xyz
Creation date: Mar 17, 2015
Entry type: trustedCertEntry

Owner: CN=xyz, OU=xyz, O=xyz, L=xyz, ST=xyz, C=xyz
Issuer: CN=xyz, OU=xyz, O=xyz, L=xyz, ST=xyz, C=xyz
Serial number: xyz
Valid from: Tue Mar 17 21:57:39 IST 2015 until: Tue Dec 11 21:57:39 IST 2018
Certificate fingerprints:
Signature algorithm name: SHA1withRSA
Version: 3

Alias name: mykey
Creation date: Apr 10, 2015
Entry type: trustedCertEntry

Owner: CN=xyz, OU=xyz, O=xyz, C=xyz, EMAILADDRESS=xyz
Issuer: CN=xyz, OU=xyz, O=xyz, C=xyz, EMAILADDRESS=xyz
Serial number: xyz
Valid from: Mon Aug 31 21:07:13 IST 2009 until: Sun Mar 26 01:02:21 IST 2034
Certificate fingerprints:
xyz
SHA256: xyz
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:
xyz

3.cacerts
4.ewallet.p12
When I try to open this file using the command below it says it has 0 entries; that's the culprit causing this issue. If so, how can I populate this file using the files above which I have with me?
keytool -list -storetype pkcs12 -keystore ewallet.p12 -storepass xyz

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

How can I debug and fix this issue?

thanks again.

Satish K.
