OIM 11G R2 PS2 : How to generate self-signed certificates and use them for OIM to DB SSL connectivity
ROOT CA WALLET
Navigate to the following path:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
Create a wallet by using the command:
./orapki wallet create -wallet /home/oracle/wallet/root -pwd welcome1
Add a self-signed certificate to the CA wallet by using the command:
./orapki wallet add -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
View the wallet using the command:
./orapki wallet display -wallet /home/oracle/wallet/root -pwd welcome1
Export the self-signed certificate from the CA wallet using the command:
./orapki wallet export -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
DB Server Side Wallet
Create a server wallet using the command:
./orapki wallet create -wallet /home/oracle/wallet/server -auto_login -pwd welcome1
Add a certificate request to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
Export the certificate request to a file; it will be signed later with the root CA key:
./orapki wallet export -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request /home/oracle/wallet/server/server_creq.csr -pwd welcome1
Sign the server wallet's certificate request with the root CA:
./orapki cert create -wallet /home/oracle/wallet/root -request /home/oracle/wallet/server/server_creq.csr -cert /home/oracle/wallet/server/server_creq_signed.cert -validity 3650 -pwd welcome1
View the signed certificate using the command:
./orapki cert display -cert /home/oracle/wallet/server/server_creq_signed.cert -complete
Import the root CA certificate into the server wallet as a trusted certificate using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -trusted_cert -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
Import the newly signed certificate (user certificate) into the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -user_cert -cert /home/oracle/wallet/server/server_creq_signed.cert -pwd welcome1
OIM - Creating Client Side Wallet
1. Use the existing default-keystore.jks keystore in the following path as the client keystore:
cd /home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert -storepass xellerate
2. Import the self-signed CA certificate that you exported from the root CA wallet into the client keystore (default-keystore.jks) as a trusted certificate, using the command:
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert
Password - Abcd1234 (same as xelsysadm)
cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib
keytool -import -trustcacerts -alias root_ca -noprompt -keystore cacerts -file /home/oracle/wallet/root/self_signed_CA.cert
keytool -import -trustcacerts -alias server_ca -noprompt -keystore cacerts -file /home/oracle/wallet/server/server_creq_signed.cert
Updating Oracle Identity Manager
Perform the following steps so that Oracle Identity Manager communicates with the Oracle Identity Manager DB in SSL mode:
Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.
Log in to Enterprise Manager.
Navigate to Identity and Access, OIM.
Right click and navigate to System MBean Browser.
Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.
Change the values of the "Sslenabled" and "Url" attributes and click Apply. When SSL is enabled for the DB, "Url" must use PROTOCOL=TCPS and the listener's SSL port.
For example:
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"
Restart the Oracle Identity Manager server.
This updates /db/oim-config.xml in MDS; you can verify it by exporting the file from MDS.
Update the data sources oimJMSStoreDS, oimOperationsDB and mds-oim with the TCPS URL and the following connection properties:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))
javax.net.ssl.trustStorePassword=Abcd1234
javax.net.ssl.trustStore=/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
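The data source settings above map directly onto connection properties of the Oracle JDBC thin driver, which is a convenient way to test the TCPS path outside WebLogic before restarting OIM. The following is an added example, not code from the original post or from Oracle: it opens a connection with the same trust store settings, turns on server DN matching (an assumption on my part: the ojdbc property oracle.net.ssl_server_dn_match together with the SSL_SERVER_CERT_DN entry in the connect descriptor, both standard Oracle Net settings that the post does not use), and then asks the database which network protocol the session actually negotiated. The schema user and its password are placeholders.

```java
// Added example (not from the original post): connect to the OIM database over
// TCPS with the ojdbc thin driver, using the trust store the post configures on
// the WebLogic data sources, then verify that the session really uses SSL.
// Schema user and password are placeholders; host/port/service are the post's.
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import oracle.jdbc.pool.OracleDataSource;

public class TcpsConnectCheck {

    // Connect descriptor as in the post, plus SSL_SERVER_CERT_DN so the driver can
    // match the server certificate's DN. The post's server certificate uses
    // CN=Customer, which is not the host name, so a plain hostname match would fail.
    static final String URL =
        "jdbc:oracle:thin:@(DESCRIPTION="
      + "(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))"
      + "(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain))"
      + "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US\")))";

    // Trust store holding the self-signed CA certificate (dbtrusted alias).
    static final String TRUST_STORE =
        "/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks";

    public static Connection openTcpsConnection(String user, String password) throws SQLException {
        OracleDataSource ds = new OracleDataSource();
        ds.setURL(URL);
        ds.setUser(user);
        ds.setPassword(password);

        Properties props = new Properties();
        // The same three properties the post sets on the WebLogic data sources.
        props.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        props.setProperty("javax.net.ssl.trustStorePassword", "Abcd1234");
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        // Reject a server whose certificate DN differs from SSL_SERVER_CERT_DN.
        // Without this, any certificate chaining to the trusted CA is accepted.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        ds.setConnectionProperties(props);
        return ds.getConnection();
    }

    // Returns the protocol the database sees for this session: "tcps" when SSL
    // was negotiated, "tcp" if the descriptor was edited back to cleartext.
    public static String sessionProtocol(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') FROM DUAL")) {
            rs.next();
            return rs.getString(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // DEV_OIM is a placeholder for the OIM schema user created by RCU.
        try (Connection conn = openTcpsConnection("DEV_OIM", "oim-schema-password-placeholder")) {
            String proto = sessionProtocol(conn);
            System.out.println("network protocol: " + proto);
            if (!"tcps".equalsIgnoreCase(proto)) {
                throw new IllegalStateException("session is not using TCPS");
            }
        }
    }
}
```

Compile and run it with ojdbc6.jar on the classpath from the OIM host. If the CA certificate is missing from default-keystore.jks the handshake fails with a PKIX path-building error, which is the same failure the WebLogic data sources will show after the restart; fixing it here first saves a restart cycle.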
Updating Oracle Identity Manager Authenticators
The existing Oracle Identity Manager authenticators in the WebLogic server are configured against non-SSL DB details and do not use data sources to communicate with the Oracle Identity Manager DB. To make the authenticators use the SSL DB details, perform the following:
Ensure that the data sources are configured for SSL.
In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.
Remove OIMAuthenticationProvider.
Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.
Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.
Reorder the authenticators as:
DefaultAuthenticator
OIMAuthenticator
OIMSignatureAuthenticator
Other providers if any
Restart all servers.