Skip Headers
Oracle® Access Manager Installation Guide
10g (10.1.4.3)

Part Number E12493-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

C Adding Directory Certificates After Component Installation

This appendix provides the information you need to change your directory server communication mode to SSL-enabled or to add certificates to connect to multiple directory servers without uninstalling and reinstalling Oracle Access Manager. Topics include:

C.1 About Directory Certificates

During installation of the Identity Server, Policy Manager, and Access Server, you specify a directory server communication mode, either open or SSL-enabled, as discussed in "Securing Directory Server Communications". The certificate must be stored on the directory server before Oracle Access Manager installation. The certificate store format for LDAP SSL certificates is cert8.db in Oracle Access Manager 10.1.4.

At times, you may want to enable SSL after Oracle Access Manager installation. For example, you may want change from an open communication mode to an SSL-enabled mode or you may want add directory certificates to connect to additional directory servers.

In such cases, you could either uninstall and reinstall Oracle Access Manager or use the steps that follow to create the cert8.db file needed by the Identity Server, Policy Manager, and Access Server.

Note:

Oracle Access Manager 10.1.4 works with both the cert7.db (upgraded environments) and cert8.db (new installations) certificate stores.

The default certificate store format and name has changed from cert7.db to cert8.db. When you upgrade earlier components to Oracle Access Manager 10.1.4, you continue to use the old LDAP SSL certificate store (cert7.db). When you run the configureAAAServer, setup_ois, or setup_accessmanager utilities (on UNIX systems these tools are named start_configureAAAServer, start_setup_ois, or start_setup_access_manager), the certificate store format and name is automatically modified to cert8.db.

Task overview: Enabling directory SSL after Oracle Access Manager installation

  1. Complete all "Prerequisites".

  2. Create a new certificate store, as described in "Creating a New Certificate Store".

  3. Populate the new store, as described in "Adding Certificates".

  4. Change the directory profile in Oracle Access Manager, as described in "Changing the Directory Server Configuration".

  5. Repeat the preceding sequence on the Policy Manager and Access Server, as needed, or copy the store with the new certificates to the Policy Manager and Access Server, as needed.

  6. See the Oracle Access Manager Identity and Common Administration Guide for details about transport security changes for Oracle Access Manager and the directory server using the appropriate utility for your platform: start_setup_ois (UNIX) or setup_ois (Windows).

C.2 Prerequisites

You need to have a copy of the Base 64 encoded root certificate from the certificate authority for all directory servers with whom the communication will be in SSL mode. This needs to be stored in the cert8.db store used by the Identity Server to establish the SSL connection with the directory server.

Note:

If you have a cert8.db file in \component_install_dir\identity\oblix\config, be sure to delete it before you start the procedures that follow.

With Active Directory, you need to enable SSL for all domain controllers and have a copy of the Microsoft CA Root Certificate available in Base64 encoded format.

C.3 Creating a New Certificate Store

The following procedure walks you through creating a new cert8.db certificate store. You can complete this task on the Identity Server, Policy Manager, and Access Server. Be sure to complete the prerequisites before you start.

Table C-1 lists the options you supply the command you provide to create the data store.

Table C-1 Options to Create the Data Store

Option Description

-d directory

This option identifies the directory for the cert8.db store.

-N

This option creates a new certificate database.


To create the new certificate store

  1. Obtain a copy of the Base64 encoded CA Root Certificate from your CA and store it on the computer hosting the installed Identity Server.

  2. Locate the certutil utility in IdentityServer_install_dir\identity\oblix\tools\certutil.

  3. In a command window, enter:

    C:\IdentityServer_install_dir\identity\oblix\tools\certutil>certutil -d c:\IdentityServer_install_dir\identity\oblix\config -N

    You will be prompted for the cert8.db store password, which must be entered to encrypt this key and any future keys. The password must be at least 8 characters in length and must contain at least one non-alphabetic character.

  4. Enter the cert8.db store password, then re-enter the password.

    The cert8.db store is created on the Identity Server and ready to populate.

C.4 Adding Certificates

Once you have created the new cert8.db store, you need to add the CA Root Certificate.Table C-2 lists the command options to complete this task.

Table C-2 Options to Add Certificates to the Data Store

Options Description

-d directory

The value is the full path to the cert8.db store.

-A

This option adds a certificate to the store.

-a

This option indicates an ASCII encoded certificate.

-n

This option indicates the certificate nickname.

-t C,,

This option provides trust attributes, where C,, indicates the Trusted CA to Certs (only for SSL, and implies a valid CA).

-i CAROOT.cer

This option provides input, where CAROOT.cer is the name of your Base64 encoded CA root certificate.

-L

This option requests a list of certificates in the data store directory.


To add certificates to the data store

  1. At the command prompt, enter the following to add certificates to the data store:

    C:\OracleAccessManager\identity\oblix\tools\certutil>certutil -d C:\OracleAccessManager\identity\oblix\config -A -a -n CAROOT -t C,, -i CAROOT.cer

  2. Verify that your certificate was added to the cert8.db store using the command to list the content of the cert8.db store directory.

    For example:

    C:\OracleAccessManager\identity\oblix\tools\certutil> certutil -d C:\OracleAccessManager\identity\oblix\config -L

    Table C-3 shows sample results from the list command, which confirms that the certificate was added to the database with the Nickname of CAROOT:

    Table C-3 Sample Results of the List Command

    Certificate Name Trust Attributes

    CAROOT

    C,,

    Example.com Code Signing CA

    ,,C

    Example.com Individual CA

    ,C,

    Example.com Server CA

    CG,,


C.5 Changing the Directory Server Configuration

After adding certificates you need to complete the process for the directory server configuration within the Identity System Console.

To change the directory profile

  1. Navigate to the Identity System Console, select System Configuration, then click Directory Options.

  2. Under the Configure Profiles label, click Directory Server.

  3. Select the appropriate Directory Server Security Mode*.

    Note:

    When you change fields marked with an asterisk, *, you must repeat product setup. For more information about re-running Identity System setup, see the Oracle Access Manager Identity and Common Administration Guide.
  4. Restart the Identity Server to have directory server changes take affect.

  5. Verify that the Identity Server is running in SSL / Cert Mode by checking the process start-up message.

    For example:

    UNIX: A message is returned to the console saying the Process has started. The port number and communication mode are included in the message.

    Windows: Look in the Event Viewer under Applications for the port number and communication mode.

  6. Create and populate Policy Manager and Access Server stores, configure their directory profiles, then restart the Policy Manager Web server and Access Server.

    Note:

    If directory server and CA details are the same for all Oracle Access Manager components that communicate with the directory, you can copy the Identity Server cert8.db store to the Policy Manager and Access Server. Be sure to complete all steps to finish and verify the configuration.

For more information about changing transport security modes after installation, see the Oracle Access Manager Identity and Common Administration Guide.