SSL Connectivity setup between OIM 11g (R1, R2) and Database

In this post I will cover the steps that are required to setup SSL connectivity between OIM and its underlying repository i.e. Oracle Database.



ROOT CA WALLET

Navigate to the following path:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin

Create a wallet by using the command:
./orapki wallet create -wallet /home/oracle/wallet/root -pwd welcome1

Add a self signed certificate to the CA wallet by using the command:
./orapki wallet add -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1

View the wallet using the command:
./orapki wallet display -wallet /home/oracle/wallet/root -pwd welcome1

Export the self signed certificate from the CA wallet using the command:
./orapki wallet export -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1

DB SERVER WALLET

Create a server wallet using the command:
./orapki wallet create -wallet /home/oracle/wallet/server -auto_login -pwd welcome1

Add a certificate request to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1

Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:
./orapki wallet export -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request /home/oracle/wallet/server/server_creq.csr -pwd welcome1

Get the server wallet's certificate request signed using the CA signature:
./orapki cert create -wallet /home/oracle/wallet/root -request /home/oracle/wallet/server/server_creq.csr -cert /home/oracle/wallet/server/server_creq_signed.cert -validity 3650 -pwd welcome1

View the signed certificate using the command:
./orapki cert display -cert /home/oracle/wallet/server/server_creq_signed.cert -complete

Import the trusted certificate in to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -trusted_cert -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1

Import this newly created signed certificate (user certificate) to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -user_cert -cert /home/oracle/wallet/server/server_creq_signed.cert -pwd welcome1

OIM SERVER - CREATING CLIENT SIDE WALLET

1. Create a client keystore using default-keystore.jks keystore which is populated in the following path:

cd /home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert -storepass xellerate

2. Import the self-signed CA trusted certificate that you have already exported using the server side commands, to the client keystore (default-keystore.jks) by using the command:
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert
Password - Abcd1234  (same as xelsysadm)


cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib
keytool -import -trustcacerts -alias root_ca -noprompt -keystore cacerts -file /home/oracle/wallet/root/self_signed_CA.cert
keytool -import -trustcacerts -alias server_ca -noprompt -keystore cacerts -file /home/oracle/wallet/server/server_creq_signed.cert


Updating Oracle Identity Manager

You need to perform the following steps in Oracle Identity Manager to enable Oracle Identity Manager and Oracle Identity Manager DB in SSL mode for a secure communication:

    1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.

    2. Log in to Enterprise Manager.

    3. Navigate to Identity and Access, OIM.

    4. Right click and navigate to System MBean Browser.

   5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and        DirectDB.

    6. Change the values for attributes "Sslenabled", "Url" and click Apply. If SSL mode is enabled for DB, then "Url" should contain TCPS enables and SSL port in it.

    For example:

    url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))"

     7. Restart the Oracle Identity Manager server.

    8. This updated the /db/oim-config.xml in the mds, checked by exporting it out.

Update the Datasources:

For oimJMSStoreDS, oimOperationsDB, mds-oim.

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))
javax.net.ssl.trustStorePassword=Abcd1234
javax.net.ssl.trustStore=/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks
javax.net.ssl.trustStoreType=JKS

Updating Oracle Identity Manager Authenticators

The existing Oracle Identity Manager authenticators in the WebLogic server are configured against Non-SSL DB details and they do not use datasources for communicating with Oracle Identity Manager DB. In order to use SSL DB details in the authenticators, you must perform the following:

     1. Ensure that Datasources are configured to SSL.

    2. In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.

    3. Remove OIMAuthenticationProvider.

    4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.

    5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.

    6. Reorder the authenticators as:

        DefaultAuthenticator

        OIMAuthenticator

        OIMSignatureAuthenticator

        Other providers if any

    7. Restart all servers.



Additional Configuration DB Side Steps if required




DATABASE



open netmgr
>netmgr

go to Profile -> Oracle Advanced Security -> SSL -> Server and type /opt/oracle/oracle/product/11.2.0/db_1/owm/wallets/mywallet as the Wallet Directory
Uncheck the require client authentication box.







                                                                                                                                                                   

                                                                                                                                                                   
                                                                                                                                                                    
Then Go to listeners and change the protocol of Address2 to TCP/IP with SSL



                                                                                                                                                                   
                                                                                                                                                                    
                                                                                                                                                                    
                                                                                                                                                                   
Do the same for Service naming





                                                                                                                                                                   
                                                                                                                                                                    
                                                                                                                                                                   
                                                                                                                                                                   
Open tnsnames.ora and change the local listener to port 1522.

Restart the Database and the listener
>lsnrctl stop
>lsnrctl start


OIM

Import Root.ca and SubRoot.ca in Java, weblogic and OIM keystore. Also create jdbcKeystore with those certificates.

Then in weblogic change each databasesource. Change connection string to:

jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcps)(HOST = 172.27.89.21)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))

And at the following to the connection parameters:

javax.net.ssl.trustStorePassword=84c80J9f
javax.net.ssl.trustStore=/opt/oracle/Oracle/Middleware/user_projects/domains/oim_domain/config/fmwconfig/jdbcKeystore.jks
javax.net.ssl.trustStoreType=JKS



Also change the connect string of the OIMAuthenticator and the DirectDB config

Comments

Popular posts from this blog

OIM 11g R2 PS2 : SOA Approval Workflow Sample

OHS 12c (12.1.3) webgate deployment and configuration

Oracle Identity Manager (OIM) Interview Questions