Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Part I Directory Server Administration
2. Directory Server Instances and Suffixes
3. Directory Server Configuration
6. Directory Server Access Control
7. Directory Server Password Policy
8. Directory Server Backup and Restore
9. Directory Server Groups, Roles, and CoS
10. Directory Server Replication
13. Directory Server Attribute Value Uniqueness
15. Directory Server Monitoring
Part II Directory Proxy Server Administration
16. Directory Proxy Server Tools
17. Directory Proxy Server Instances
19. Directory Proxy Server Certificates
Default Self-Signed Certificate
Viewing the Default Self-Signed Certificate
Creating, Requesting and Installing Certificates for Directory Proxy Server
To Create a Non-default Self-Signed Certificate for Directory Proxy Server
To Request a CA-Signed Certificate for Directory Proxy Server
To Install a CA-Signed Server Certificate for Directory Proxy Server
Renewing an Expired CA-Signed Certificate for Directory Proxy Server
To Renew an Expired CA-Signed Server Certificate for Directory Proxy Server
Exporting a Certificate to a Back-End LDAP Server
To Configure Directory Proxy Server to Export a Client Certificate to a Back-End LDAP Server
Backing Up and Restoring a Certificate Database for Directory Proxy Server
Prompting for a Password to Access the Certificate Database
To Prompt for a Password to Access the Certificate Database
To Disable the Password Prompt to Access the Certificate Database
20. Directory Proxy Server Load Balancing and Client Affinity
21. Directory Proxy Server Distribution
22. Directory Proxy Server Virtualization
23. Virtual Data Transformations
24. Connections Between Directory Proxy Server and Back-End LDAP Servers
25. Connections Between Clients and Directory Proxy Server
26. Directory Proxy Server Client Authentication
27. Directory Proxy Server Logging
28. Directory Proxy Server Monitoring and Alerts
Part III Directory Service Control Center Administration
To run the Secure Sockets Layer (SSL) on Directory Proxy Server, you must either use a self-signed certificate or a Public Key Infrastructure (PKI) solution.
The PKI solution involves an external Certificate Authority (CA). For a PKI solution you need a CA-signed server certificate, which contains both a public key and a private key. This certificate is specific to one Directory Proxy Server instance. You also need a trusted CA certificate, which contains a public key. The trusted CA certificate ensures that all server certificates from your CA are trusted. This certificate is sometimes called a CA root key or root certificate.
For information about how to create a non-default self-signed certificate and to request and install a CA-signed certificate, see the following procedures.
When you create a Directory Proxy Server instance, a default self-signed certificate is automatically provided. If you want to create a self-signed certificate with non-default settings, use this procedure.
The procedure creates the public and private key pair for a server certificate, where the public key is signed by Directory Proxy Server. A self-signed certificate is valid for three months.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpadm add-selfsign-cert instance-path cert-alias
where cert-alias is the name of the self-signed certificate.
For example, you could create a certificate called my-self-signed-cert as follows:
$ dpadm add-selfsign-cert /local/dps my-self-signed-cert
For a description of all command options, see the dpadm(1M) man page or type dpadm add-selfsign-cert --help at the command line.
Self-signed certificates are useful for test purposes. However, in a production environment, using trusted Certificate Authority (CA) certificates is more secure.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpadm request-cert instance-path cert-alias
where cert-alias is the name of the certificate that you are requesting. Certificate Authorities might require all of the options of the command to identify the server. For a description of all command options, see the dpadm(1M) man page.
The process for obtaining a CA certificate depends on the CA that you use. Some commercial CAs provide a web site that allows you to download the certificate. Other CAs will send the certificate to you in email.
For example, you could request a certificate called my-CA-signed-cert as follows:
$ dpadm request-cert -S cn=my-request,o=test /local/dps my-CA-signed-cert -----BEGIN NEW CERTIFICATE REQUEST----- MIIBYDCBygIBADAhMQ0wCwYDVQQDEwRnZXJpMRAwDgYDVQQDEwdteWNlcnQ0MIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQC3v9ubG468wnjBDAMbRrEkmFDTQzT+LO30D/ALLXOiElVsHrtRyWhJ PG9cURI9uwqs15crxCpJvho1kt3SB9+yMB8Ql+CKnCQDHlNAfnn30MjFHShv/sAuEygFsN+Ekci5 W1jySYE2rzE0qKVxWLSILFo1UFRVRsUnORTX/Nas7QIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA fcQMnZNLpPobiX1xy1ROefPOhksVz8didY8Q2fjjaHG5lajMsqOROzubsuQ9Xh4ohT8kIA6xcBNZ g8FRNIRAHCtDXKOdOm3CpJ8da+YGI/ttSawIeNAKU1DApF9zMb7c2lS4yEfWmreoQdXIC9YeKtF6 zwbn2EmIpjHzETtS5Nk= -----END NEW CERTIFICATE REQUEST-----
When you request a certificate by using the dpadm request-cert command, the certificate request is a PKCS #10 certificate request in Privacy Enhanced Mail (PEM) format. PEM is the format specified by RFCs 1421 through 1424. For more information, see http://www.ietf.org/rfc/rfc1421.txt. The PEM format represents a base64-encoded certificate request in ASCII format.
When you request a CA-signed certificate, a temporary self-signed certificate is created. When you receive and install the CA-signed certificate from the CA, the new certificate replaces the temporary self-signed certificate.
Save the certificate request for future reference. You may need it while renewing the certificate.
After you have sent your request, you must wait for the CA to respond with your certificate. Response time for your request varies. For example, if your CA is internal to your company, the response time can be short. However, if the CA is external to your company, the CA can take several weeks to respond to your request.
Save your certificate in a text file, and back up the certificate in a safe location.
To trust the CA-signed server certificate, you must install the certificate on a Directory Proxy Server instance. This procedure installs the public key of a CA certificate to the certificate database on Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
To do this, list all installed CA certificates, as described in To List CA Certificates.
$ dpadm add-cert instance-path cert-alias cert-file
where cert-alias is the name of the trusted CA certificate and cert-file is the name of the file containing the trusted CA certificate.
$ dpadm add-cert instance-path cert-alias cert-file
Where cert-alias is the name of the CA-signed server certificate and cert-file is the name of the file containing the CA-signed server certificate.
Note - The cert-alias name must be the same as the cert-alias used in the certificate request.
For example, you can add a CA-signed server certificate named CA-cert to the certificate database on/local/dps as follows:
$ dpadm add-cert /local/dps CA-cert /local/safeplace/ca-cert-file.ascii