SSL Connectivity setup between OIM 11g (R1, R2) and Database
In this post I will cover the steps required to set up SSL (TCPS) connectivity between OIM and its underlying repository, i.e. the Oracle Database.
This walkthrough uses port 1522 for the TCPS endpoint. Open tnsnames.ora and change the local listener alias (the one LOCAL_LISTENER resolves to) to port 1522; the listener endpoint itself is configured in the DATABASE section at the end of the post.
ROOT CA WALLET
Navigate to the following path:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
Create a wallet by using the command:
./orapki wallet create -wallet /home/oracle/wallet/root -pwd welcome1
Add a self-signed certificate to the CA wallet. This is the root of trust that OIM will later import, so keep the wallet and its password away from the web tier; welcome1 is a placeholder, not a recommendation:
./orapki wallet add -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
View the wallet using the command:
./orapki wallet display -wallet /home/oracle/wallet/root -pwd welcome1
Export the self signed certificate from the CA wallet using the command:
./orapki wallet export -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
DB SERVER WALLET
Create a server wallet using the command. The -auto_login flag additionally writes cwallet.sso, so the listener and the database can open the wallet without a password; the wallet directory should be readable only by the oracle OS user:
./orapki wallet create -wallet /home/oracle/wallet/server -auto_login -pwd welcome1
Add a certificate request (a new key pair) to the server wallet. The example uses CN=Customer; if you intend to enable DN matching in the JDBC driver (oracle.net.ssl_server_dn_match, off by default in the 11g thin driver), the CN must be the hostname OIM connects to:
./orapki wallet add -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
Export the certificate request to a file, which will be used later for getting it signed using the root CA signature:
./orapki wallet export -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request /home/oracle/wallet/server/server_creq.csr -pwd welcome1
Get the server wallet's certificate request signed using the CA signature:
./orapki cert create -wallet /home/oracle/wallet/root -request /home/oracle/wallet/server/server_creq.csr -cert /home/oracle/wallet/server/server_creq_signed.cert -validity 3650 -pwd welcome1
View the signed certificate using the command:
./orapki cert display -cert /home/oracle/wallet/server/server_creq_signed.cert -complete
Import the root CA certificate into the server wallet as a trusted certificate. This has to happen before the signed user certificate is added, otherwise orapki rejects it because its issuer is not yet trusted:
./orapki wallet add -wallet /home/oracle/wallet/server -trusted_cert -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
Import the newly signed certificate (the user certificate) into the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -user_cert -cert /home/oracle/wallet/server/server_creq_signed.cert -pwd welcome1
OIM SERVER - CREATING CLIENT SIDE WALLET
1. Import the self-signed CA certificate exported on the database side into OIM's default-keystore.jks, which lives in the domain's fmwconfig directory:
cd /home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert
Enter the keystore password when prompted rather than passing -storepass on the command line, where it ends up in the shell history. The original notes show both xellerate and Abcd1234 (the xelsysadm password) for this keystore; use whatever your installation set.
2. Import the same CA certificate into the cacerts trust store under WebLogic's server/lib (default password changeit). If the JVM running the domain uses $JAVA_HOME/jre/lib/security/cacerts as its default trust store, import there as well:
cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib
keytool -import -trustcacerts -alias root_ca -noprompt -keystore cacerts -file /home/oracle/wallet/root/self_signed_CA.cert
keytool -import -trustcacerts -alias server_ca -noprompt -keystore cacerts -file /home/oracle/wallet/server/server_creq_signed.cert
The second import (the server's own leaf certificate) is not required once the issuing CA is trusted, and it creates a maintenance burden: the entry has to be replaced whenever the server certificate is renewed.
Updating Oracle Identity Manager
Perform the following steps in Oracle Identity Manager so that OIM talks to its database over SSL:
1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.
2. Log in to Enterprise Manager.
3. Navigate to Identity and Access, OIM.
4. Right click and navigate to System MBean Browser.
5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.
6. Set "Sslenabled" to true, change "Url" to a connect descriptor that uses PROTOCOL=TCPS and the SSL port of the listener, and click Apply.
For example:
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))"
7. Restart the Oracle Identity Manager server.
8. Applying the change updates /db/oim-config.xml in MDS; you can confirm this by exporting the document from MDS and checking the DirectDB settings.
Update the Datasources:
For each of oimJMSStoreDS, oimOperationsDB and mds-oim, change the URL to the TCPS connect descriptor and add the trust store settings to the datasource's connection Properties:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))
javax.net.ssl.trustStorePassword=Abcd1234
javax.net.ssl.trustStore=/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
Two caveats. These properties are written in plaintext to the datasource descriptors under the domain's config/jdbc directory, so keep that directory readable only by the WebLogic OS user. And default-keystore.jks is not just a trust store: it also holds OIM's private signing key, so a dedicated trust-only keystore containing nothing but the CA certificate (the jdbcKeystore.jks used in the alternative notes below) is the cleaner choice.
Updating Oracle Identity Manager Authenticators
The existing Oracle Identity Manager authenticators in WebLogic are configured with the non-SSL database details and do not go through the datasources when they talk to the OIM database. To make them use the SSL details, perform the following:
1. Ensure that Datasources are configured to SSL.
2. In WebLogic Administrative console, navigate to Security Realms, myrealm, Providers.
3. Remove OIMAuthenticationProvider.
4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.
5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.
6. Reorder the authenticators as:
DefaultAuthenticator
OIMAuthenticator
OIMSignatureAuthenticator
Other providers if any
7. Restart all servers.
Additional DB-side configuration steps, if required. These notes come from a second environment, so the paths, host, port and passwords differ from the walkthrough above.
DATABASE
Open Net Manager:
>netmgr
Go to Profile -> Oracle Advanced Security -> SSL -> Server and enter the directory of the auto-login server wallet as the Wallet Directory (these notes use /opt/oracle/oracle/product/11.2.0/db_1/owm/wallets/mywallet; in the walkthrough above it is /home/oracle/wallet/server).
Uncheck the Require Client Authentication box: the database presents its certificate to OIM, but OIM does not present one.
Then go to Listeners and change the protocol of Address2 to TCP/IP with SSL.
Open tnsnames.ora and change the local listener alias to the SSL port (1522 in these notes; the connection string below uses 1521, so check which port your listener actually exposes for TCPS).
Restart the Database and the listener
>lsnrctl stop
>lsnrctl start
OIM
Import Root.ca and SubRoot.ca (the root and intermediate CA certificates of this environment) into the Java cacerts, the WebLogic trust store and the OIM keystore. Also create a trust-only jdbcKeystore.jks containing those certificates.
Then, in WebLogic, change each datasource. Change the connection string to:
jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcps)(HOST = 172.27.89.21)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
And add the following to the connection properties:
javax.net.ssl.trustStorePassword=84c80J9f
javax.net.ssl.trustStore=/opt/oracle/Oracle/Middleware/user_projects/domains/oim_domain/config/fmwconfig/jdbcKeystore.jks
javax.net.ssl.trustStoreType=JKS
Also change the connect string of the OIMAuthenticator and the DirectDB configuration to the same TCPS descriptor.
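The connect descriptors and datasource properties shown in both sets of notes above are easy to get subtly wrong: a single ADDRESS left on PROTOCOL=TCP, or an EZConnect host:port/service URL, simply connects in cleartext and nothing complains. The following script is an added example written for this edit, not code from the original post or from Oracle: it parses Oracle Net connect-descriptor syntax, lists every ADDRESS with its protocol, and audits WebLogic jdbc-data-source descriptors (the XML files under the domain's config/jdbc directory) for non-TCPS addresses and for a TCPS datasource that lacks a javax.net.ssl.trustStore property. The two sample descriptors, the DEV_OIM schema user and the /home/oracle/wallet/jdbcKeystore.jks path are constructed for the example.

```python
"""Audit OIM/WebLogic JDBC descriptors for TCPS (SSL) connectivity.

Checks: every ADDRESS in the connect descriptor uses PROTOCOL=TCPS (an
EZConnect host:port/service URL is always plain TCP), and a TCPS data source
carries javax.net.ssl.trustStore (otherwise the JVM default trust store is used).
"""
import xml.etree.ElementTree as ET

JDBC_PREFIX = "jdbc:oracle:thin:@"
# Namespace of WebLogic's jdbc-data-source descriptors (config/jdbc/*.xml).
NS = {"ds": "http://xmlns.oracle.com/weblogic/jdbc-data-source"}


def parse_descriptor(text):
    """Parse Oracle Net syntax such as (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)...))
    into nested lists of (KEY, value) pairs. Keys are upper-cased; a value is a
    string or a nested list. Whitespace around '=' and '(' is ignored."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_list():
        nonlocal pos
        items = []
        while True:
            skip_ws()
            if pos >= len(text) or text[pos] != "(":
                return items
            pos += 1
            eq = text.index("=", pos)
            key = text[pos:eq].strip().upper()
            pos = eq + 1
            skip_ws()
            if pos < len(text) and text[pos] == "(":
                value = parse_list()          # nested parameter list
            else:
                close = text.index(")", pos)  # scalar value up to ')'
                value = text[pos:close].strip()
                pos = close
            skip_ws()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            items.append((key, value))

    items = parse_list()
    if text[pos:].strip():
        raise ValueError("trailing data after descriptor: %r" % text[pos:])
    return items


def find_all(items, key):
    """Depth-first collection of every value stored under KEY (e.g. each ADDRESS)."""
    found = []
    for k, v in items:
        if k == key:
            found.append(v)
        if isinstance(v, list):
            found.extend(find_all(v, key))
    return found


def addresses(descriptor):
    """Return [(PROTOCOL, HOST, PORT)] for every ADDRESS in a connect descriptor."""
    result = []
    for addr in find_all(parse_descriptor(descriptor), "ADDRESS"):
        if not isinstance(addr, list):
            continue
        d = dict(addr)
        result.append((d.get("PROTOCOL", "").upper(), d.get("HOST"), d.get("PORT")))
    return result


def audit_jdbc_url(url):
    """Findings for one thin-driver URL; an empty list means every ADDRESS is TCPS."""
    if not url.startswith(JDBC_PREFIX):
        return ["not an Oracle thin URL: %r" % url]
    body = url[len(JDBC_PREFIX):].strip()
    if not body.startswith("("):
        return ["EZConnect form '%s' is plain TCP; use a TCPS connect descriptor" % body]
    addrs = addresses(body)
    if not addrs:
        return ["descriptor contains no ADDRESS"]
    return ["ADDRESS %s:%s uses %s, not TCPS" % (host, port, proto or "?")
            for proto, host, port in addrs if proto != "TCPS"]


def audit_datasource(xml_text):
    """Audit one jdbc-data-source descriptor; returns (datasource name, findings)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("ds:name", default="?", namespaces=NS)
    params = root.find("ds:jdbc-driver-params", NS)
    url = params.findtext("ds:url", default="", namespaces=NS)
    props = {p.findtext("ds:name", namespaces=NS): p.findtext("ds:value", default="", namespaces=NS)
             for p in params.findall("ds:properties/ds:property", NS)}
    findings = audit_jdbc_url(url)
    if not findings and "javax.net.ssl.trustStore" not in props:
        findings.append("TCPS without javax.net.ssl.trustStore; the JVM default trust store will be used")
    return name, findings


# Constructed sample descriptors (not taken from a real domain): before and after the change.
BEFORE_XML = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>oimOperationsDB</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@localhost.localdomain:1521/orcl.localdomain</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties><property><name>user</name><value>DEV_OIM</value></property></properties>
  </jdbc-driver-params>
</jdbc-data-source>"""

AFTER_XML = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>oimOperationsDB</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))</url>
    <driver-name>oracle.jdbc.xa.client.OracleXADataSource</driver-name>
    <properties>
      <property><name>user</name><value>DEV_OIM</value></property>
      <property><name>javax.net.ssl.trustStore</name><value>/home/oracle/wallet/jdbcKeystore.jks</value></property>
      <property><name>javax.net.ssl.trustStoreType</name><value>JKS</value></property>
    </properties>
  </jdbc-driver-params>
</jdbc-data-source>"""

if __name__ == "__main__":
    for sample in (BEFORE_XML, AFTER_XML):
        name, findings = audit_datasource(sample)
        print(name, "OK" if not findings else findings)
```

To run it against a real domain, read each file under config/jdbc and pass its contents to audit_datasource; the same audit_jdbc_url check applies to the DirectDB Url in oim-config.xml and to the OIMAuthenticator connect string, which are configured by hand and are the ones most often left on TCP.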