Leave a Comment:
12 comments
hi atul, you promised to give us a post about changing hostname/domian name on apps, can we have this soon.
Reply Apologies Fadi,
I missed it completely. I will do it in post next to the one I am posting tomorrow (This one I have already prepared only final bits left so..)
You should see this by thursday.
Atul
Reply Atul,
Have you ever worked with passing certificates to OID? Have HTTPS traffic to load balancer and grabbing certificate. Want to pass that certificate to OID behind the load balancer.
Thanks
Steve
Steve,
Do you mean storing SSL Certificates into OID (LDAP Server) instead of Oracle Wallets (OWM) , if this Yes you can use ldap commands or OWM to upload certificates to OID .
If you are looking for somthing else could you elaborate on that ..
Atul
Reply Looking to have client (user) certificates stored in OID so that they map to user/password/resource. We have done that part. Challenge it to configure so that the cert is passed thru a load balancer. We can login with the cert when the load balancer is not used.
The load balancer requires the client cert and then places it in the HTML header to be passed to the SSO server. All of this traffic is encrypted so I can not get info from watching the network traffic. The Oracle DBA has put SSLVerifyClient require in the httpd.conf file. Before SSLVerifyClient require was put in the httpd.conf file, we were successfully logging in to the SSO server using userid/passwd thru the load balancer. After the variable is set to require, we get ‘page not displayed’.
Thanks for any suggestions.
Steve
Reply Steve,
If I understood your issue properly , You want users to verify their certificates (To make sure they are authentic users)
Your client user certificates are stored in OID (Could you confirm if this is client certificates or server certificates ?? ) If this is client certificate in which attribute you are storing Client passwd ?
When you set client to verify for SSL its not working (Is it not working via loadbalancer only or its not working even without loadbalancer ?)
Atul
Reply Atul,
Thanks for following up.
We are storing client cert and authenicating the user with the client cert (or hope to be with this new config which includes the load balancer). Working with Oracle we have determined that we do not have to have SSLVerifyClient require set, and we can pass the traffic unencrypted behind the load balancer.
Working with a web page to display variables we have verified that the Oracle sever does not have a value in the SSL_CLIENT_CERT field. The load balancer is putting the client certificate in the HTML header with that title, I can see that in the network traffic. Seems like we are missing a setting to tell Oracle to populate that field.
We have the following lines at the end of the httpd.conf file. As we understand it, once we get SSL_CLIENT_CERT populated, Oracle should be ready to use it.
AddCertHeader SSL_CLIENT_CERT
SimulateHttps on
Again, I appreciate any suggestions.
Steve
Reply Steve,
I don’t have idea on this at this minute but I’ll check on this & will get back to you in weeks time .
Your doubt is in my to be sorted list …
Atul
Reply hi,
in the blog you said oracle OCA component can be install on
Oracle AS Cluster ( Identity Management )-> Active – Active but the oracle notes says otherwise can you please update me on this
Yes You are right OCA is not certified on Active- Active Cluster
Though figure below shows
http://download-uk.oracle.com/docs/cd/B14099_19/core.1012/b14003/infra_im.htm#CHDIFDGI
OCA but a line after that says that it is not supported
Reply hi,
just like to know if i want to connect my active directory to oid
do when i have 2 domain controllers to i have to run dipassistant on both my server if the configuration is active – active another this is will there be a single map file or multiple map files and how can i use the plugins provided by oracle is this scenario
thanks
Reply Hi,
To be frank, I am not personally integrated multi domain AD controller so give me this weekend and I’ll respoond you by this weekend with refernces and if you don’t see my messages (for some reason) request you to ping/msg me.