This chapter explains how to create Oracle Virtual Directory Listeners and includes the following sections:
Section 11.2, "Understanding the Default Oracle Virtual Directory Listeners"
Section 11.3, "Configuring Oracle Virtual Directory to Listen on Privileged Ports"
Section 11.4, "Creating and Managing Listeners Using Fusion Middleware Control"
Oracle Virtual Directory provides services to clients through connections known as Listeners. Oracle Virtual Directory supports the following two types of Listeners:
LDAP: provides LDAPv2/v3 based services
HTTP: provides one or more services such as DSMLv2, or basic white page functions provided by an XSLT enabled Web Gateway
An Oracle Virtual Directory configuration can have any number of Listeners, or even zero Listeners, which restricts access to the administrative gateway only. Most Oracle Virtual Directory deployments need no more than two HTTP Listeners and two LDAP Listeners: for each protocol, one Listener for SSL and one for non-SSL.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load Listener configurations to the Oracle Virtual Directory server. This includes after creating, updating, or deleting a Listener.
Oracle Virtual Directory includes two Listeners by default: an HTTP Listener named Admin Gateway and an LDAP Listener named LDAP SSL Endpoint.
The HTTP Listener named Admin Gateway is the interface the Oracle Virtual Directory server uses to communicate with the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. You cannot communicate with the Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces if you disable the Admin Gateway Listener. Refer to "Editing the Oracle Virtual Directory Administrative Listener Settings" for more information about editing the Oracle Virtual Directory Administrative Listener settings.
The LDAP Listener named LDAP SSL Endpoint is the interface Oracle Virtual Directory uses to provide performance metrics in Oracle Enterprise Manager Fusion Middleware Control. LDAP SSL Endpoint should always be enabled and secured using SSL Server Authentication. Do not delete or disable LDAP SSL Endpoint. If you need an LDAP Listener that is secured using a different SSL mode, create a new Listener using Oracle Enterprise Manager Fusion Middleware Control.
The communication between Oracle Virtual Directory and Oracle Enterprise Manager Fusion Middleware Control will be disrupted if you edit any of the following settings for the default Listeners (Admin Gateway and LDAP SSL Endpoint):
Listener Host
Listener Port
Enable / Disable SSL
If you edit any of these settings for the default Listeners, you must update the Oracle Enterprise Manager Fusion Middleware Control target discovery information so Oracle Virtual Directory and Oracle Enterprise Manager Fusion Middleware Control can communicate.
To update the Oracle Enterprise Manager Fusion Middleware Control target discovery information, perform the following steps:
Log in to Oracle Enterprise Manager Fusion Middleware Control.
Right-click the Farm entry in the navigation tree and select Agent-Monitored Targets. The Agent-Monitored Targets screen appears.
Click the Configure button for the appropriate Oracle Virtual Directory target in the Targets table. The Configure Target page appears.
Update the following settings according to your current Oracle Virtual Directory environment and click OK at the top of the Configure Target page:
Machine name
Virtual Directory Admin Port
Virtual Directory LDAP Port
See Also:
The Troubleshooting appendix of the Oracle Fusion Middleware Administrator's Guide.
Perform the following steps to enable Oracle Virtual Directory 11g Release 1 (11.1.1.2.0) and higher on UNIX/Linux platforms to listen on privileged ports, that is, port numbers less than 1024:
Note:
If your domain contains only the Oracle Virtual Directory component, you must use the following commands to individually stop and start Oracle Virtual Directory instead of performing step 2 and step 7 in the following procedure:
To stop Oracle Virtual Directory, type
$ORACLE_HOME/bin/hasocket $ORACLE_INSTANCE/bin/opmnctl stopproc ias-component=ovd1
To start Oracle Virtual Directory, type
$ORACLE_HOME/bin/hasocket $ORACLE_INSTANCE/bin/opmnctl startproc ias-component=ovd1
Using the opmnctl stopall and opmnctl startall commands when Oracle Virtual Directory is the only component in your domain will prevent Oracle Virtual Directory from listening on privileged ports.
As the same user that installed Oracle Virtual Directory, create the cap.ora file as follows:
echo `id -ng`: bind > /tmp/cap.ora
Using the Oracle Process Manager and Notification Server (OPMN) control command, stop all components:
$ORACLE_INSTANCE/bin/opmnctl stopall
Change to root user permissions:
su root
Update the ORACLE_HOME/bin/hasbind file by performing the following steps:
Change ownership of the file to root:
chown root $ORACLE_HOME/bin/hasbind
Change the permissions on the file as follows:
chmod 4755 $ORACLE_HOME/bin/hasbind
Copy the cap.ora file you created in step 1 to the /etc/ directory:
cp /tmp/cap.ora /etc/cap.ora
Change the permissions on the /etc/cap.ora file as follows:
chmod 644 /etc/cap.ora
As the same user that installed Oracle Virtual Directory, start Oracle Virtual Directory and enable it to listen on privileged ports by using the following command:
$ORACLE_HOME/bin/hasocket $ORACLE_INSTANCE/bin/opmnctl startall
Note:
To enable Oracle Virtual Directory to listen on privileged ports, you must start it using only this command.
After performing the steps in this procedure, Oracle Virtual Directory listeners can listen on privileged ports. You can create new listeners and enter privileged port numbers, or edit existing listeners to use privileged port numbers.
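As an added example (not from the Oracle documentation), the following Python script audits the result of this procedure: it checks that hasbind is root-owned and exactly mode 4755, and that /etc/cap.ora is root-owned, mode 644, and grants bind only to the installing user's group. It assumes Linux; the paths are the ones the procedure uses, and when run directly it reads ORACLE_HOME from the environment.

```python
"""Added example (not from the Oracle documentation): audit the files that the
privileged-port procedure leaves behind, the setuid helper
ORACLE_HOME/bin/hasbind and /etc/cap.ora. Assumes Linux; the paths are the
ones the procedure uses, and ORACLE_HOME is read from the environment."""
import grp
import os
import pwd
import stat


def owner_name(uid):
    """Map a uid to a user name, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_hasbind(path, expected_owner="root"):
    """Return a list of findings for the setuid helper (empty list = OK).

    The procedure makes the file root-owned with mode 4755. The mode is
    compared exactly: a group- or world-writable setuid-root binary could be
    replaced by any local user who can write it, so 4775 or 4777 is a finding
    even though the setuid bit itself is present.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    findings = []
    owner = owner_name(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if owner != expected_owner:
        findings.append("%s is owned by %s, expected %s" % (path, owner, expected_owner))
    if not mode & stat.S_ISUID:
        findings.append("%s is not setuid; the server cannot bind ports below 1024" % path)
    if mode != 0o4755:
        findings.append("%s has mode %o, expected 4755" % (path, mode))
    return findings


def check_cap_ora(path, install_group, expected_owner="root"):
    """Return findings for cap.ora (empty list = OK).

    The file created by "echo `id -ng`: bind" holds one line, granting the
    bind capability to the installing user's primary group. It should be
    root-owned and mode 644 so that only root can widen the grant.
    """
    try:
        st = os.stat(path)
        with open(path) as fh:
            lines = [line.strip() for line in fh if line.strip()]
    except OSError as exc:
        return ["%s: %s" % (path, exc.strerror)]
    findings = []
    owner = owner_name(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if owner != expected_owner:
        findings.append("%s is owned by %s, expected %s" % (path, owner, expected_owner))
    if mode != 0o644:
        findings.append("%s has mode %o, expected 644" % (path, mode))
    expected = "%s: bind" % install_group
    if expected not in lines:
        findings.append("%s does not grant bind to group %s" % (path, install_group))
    for line in lines:
        if line != expected:
            findings.append("%s contains an unexpected grant: %r" % (path, line))
    return findings


def audit(oracle_home=None, cap_path="/etc/cap.ora"):
    """Audit a real installation. The install group is taken from the current
    user's primary group (what `id -ng` prints), so run this as the user that
    installed Oracle Virtual Directory."""
    oracle_home = oracle_home or os.environ.get("ORACLE_HOME", "")
    install_group = grp.getgrgid(os.getgid()).gr_name
    return (check_hasbind(os.path.join(oracle_home, "bin", "hasbind"))
            + check_cap_ora(cap_path, install_group))


if __name__ == "__main__":
    for finding in audit() or ["privileged-port setup looks correct"]:
        print(finding)
```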
This section explains how to create and manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:
Perform the following steps to create an LDAP Listener using Oracle Enterprise Manager Fusion Middleware Control. Typically, when running secure and non-secure LDAP, there are at least two Listeners configured: one for regular LDAP (default port is 6501) and one for secure LDAP using SSL (default port is 7501).
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the LDAP Listener.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Click the Create button. The Add Listener screen appears.
Select LDAP from the Listener Type list and set values for the LDAP Listener configuration parameters as described in Table 11-1:
Table 11-1 LDAP Listener Configuration Parameters

Type | Parameter | Description |
---|---|---|
Basic | Listener Name | Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported. In addition, do not use the following characters in a listener name: |
Basic | Listener Host | Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter. Note: Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting. If you set this parameter to an IP address or host, the Listener uses that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real. |
Basic | Listener Port | The port number on which the Listener provides service. Only one Listener per server can be active on a port at any given time. If Oracle Virtual Directory is installed on the same server as an existing server, for example, an Active Directory domain controller, enter a port that does not conflict with the existing service. |
Basic | Threads | The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50. |
Basic | Listener Enabled | Enables (selected) and disables (not selected) the Listener for service. |
LDAP Options | Anonymous Bind | Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Allow permits anonymous authentication; Deny prevents anonymous operations; and DenyDNOnly prevents empty password authentication. Note: According to the LDAP protocol specification, if an LDAP client connects to an LDAP server with a non-empty DN and an empty password, the LDAP server is expected to provide a successful anonymous bind. For applications that use LDAP for authentication, this could allow end users to log in to their applications without entering a password. Most LDAP-enabled applications guard against this use case. However, as an extra safeguard, you can configure Oracle Virtual Directory to prevent it as well. |
LDAP Options | Work Queue Capacity | Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with |
LDAP Options | Allow StartTLS | Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. |
Socket Options | Backlog | Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. The default setting is 128. |
Socket Options | Read Timeout | Sets the idle timeout, in milliseconds, for client connections. If set to a nonzero value, client connections to the Oracle Virtual Directory server can remain idle only for that amount of time; a connection that stays idle longer is terminated. A value of zero is considered an infinite timeout. The default value is 0. |
Socket Options | Reuse Address | Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused. |
Socket Options | TCP Keep Alive | Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. |
Socket Options | TCP No Delay | Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. |
Click the OK button on the Add Listener screen to save the LDAP Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
Perform the following steps to create an HTTP Listener using Oracle Enterprise Manager Fusion Middleware Control:
See:
Appendix C, "HTTP Listener's Web Gateway Service" for more information about the HTTP Listener's Web Gateway settings.
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the HTTP Listener.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Click the Create button. The Add Listener screen appears.
Select HTTP from the Listener Type list and set values for the HTTP Listener configuration parameters as described in Table 11-2:
Table 11-2 HTTP Listener Configuration Parameters

Type | Parameter | Description |
---|---|---|
Basic | Listener Name | Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported. |
Basic | Listener Host | Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter. Note: Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting. If you set this parameter to an IP address or host, the Listener uses that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real. |
Basic | Listener Port | The port number on which the Listener provides service. Only one Listener per server can be active on a port at any given time. |
Basic | Threads | The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50. |
Basic | Listener Enabled | Enables (selected) and disables (not selected) the Listener for service. |
DSML V2 Service | Realm Name | Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name appears in an HTTP browser challenge to the user. |
Web Gateway Service | Allow Anonymous Access | Enables and disables anonymous access to the Web Gateway. |
Web Gateway Service | Search Root | The root distinguished name (namespace) of the directory tree where the Web Gateway starts its sub-tree search for user identity names (UIDs) provided after a user authentication challenge. |
Web Gateway Service | Search Attributes | The attribute the Web Gateway attempts to match when searching for a UID. |
Web Gateway Service | User Object Classes | The objectclasses the Web Gateway uses when searching for users to authenticate. |
Web Gateway Service | Result Cache Life (seconds) | Maximum time that Oracle Virtual Directory waits before re-querying a user credential stored in the directory source. |
Web Gateway Service | HTDocs Path | The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located. |
Web Gateway Service | Certificate Attributes | Indicates which attributes contain binary PKI certificate information. The default value is usercertificate. |
Web Gateway Service | Photo/Image Attributes | Indicates which attributes contain graphical images. The default value is jpegphoto. |
Web Gateway Service | Image Display Height | The height the Web Gateway scales photos to. The default value is 100. |
Web Gateway Service | Image Display Width | The width the Web Gateway scales photos to. The default value is 100. |
Click the OK button on the Add Listener screen to save the HTTP Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
Use the information in this section to configure and test a TLS Listener for Oracle Virtual Directory, such as when you need the StartTLS extension to negotiate a secure connection on a non-SSL port.
To secure the TLS connection, you can either use the existing, out-of-box keys.jks or create a new keystore as follows:
Open Oracle Virtual Directory and navigate to Security > Keystores.
Create a new keystore just for TLS, named TLSKeyStore.jks.
Add a self-signed certificate, ensuring that the CN of the certificate matches the fully qualified hostname.
Navigate to ovd1 > Administration > Listeners and create a new TLS Listener by specifying the following parameters:
Type: LDAP
Listener Name: TLS
Listener Port: 9999
Listener Enabled: Checked
Include Anonymous Ciphers: Not checked
Anonymous Bind: Allow
Allow StartTLS: Checked
Select the new TLS Listener and click Edit.
Select (check) the Include Anonymous Ciphers parameter.
Specify the following parameter settings in the Change SSL settings section:

Parameter | Setting |
---|---|
Enable SSL | Select (check) this box. The other parameters in this section become editable. |
Server Keystore and Truststore | Ensure these parameters match the keystore you want to use (see step 1) and that you set passwords for the keystore and truststore. |
Specify the following parameter settings in the Advanced Settings section:

Parameter | Setting |
---|---|
SSL Authentication | Server Authentication. |
All | Select (check) this box. |
SSL Protocol Version | Select All from the drop-down menu, and deselect v3. The entry should read, |
Use the following command to stop Oracle Virtual Directory:
opmnctl stopproc ias-component=ovd1
From the command line, navigate to the following location and edit the listeners.os_xml file:
$ORACLE_INSTANCE/config/OVD/ovd1
Note:
The updates that the GUI interface makes to the listeners.os_xml file for your new Listener are not correct or complete. You must remove all of the <cipher> lines in the cipherSuites section so that cipherSuites contains only the inclusion of anonCiphers. The line should read:
<cipherSuites includeAnonCiphers="true"/>
Use the following sample to verify the listeners.os_xml entry for your new TLS Listener:
<ldap id="TLS" version="3">
  <port>9999</port>
  <host>0.0.0.0</host>
  <threads>10</threads>
  <active>true</active>
  <ssl enabled="false">
    <protocols>TLSv1,SSLv2Hello</protocols>
    <cipherSuites includeAnonCiphers="true"/>
    <authType>Server</authType>
    <keyStore password="{AES-CBC}b2vWJAN48ufpbxla9gohlj/M+eBP/9FLwh6tLfiWF0o=">TLSkeyStore.jks</keyStore>
    <trustStore password="{AES-CBC}rOk44ucwkpQ2QRcTDK4bJRklj/OmALyUWQMjQAYoNJY=">TLSkeyStore.jks</trustStore>
  </ssl>
  <extendedOps/>
  <anonymousBind>Allow</anonymousBind>
  <workQueueCapacity>100</workQueueCapacity>
  <allowStartTLS>true</allowStartTLS>
  <socketOptions>
    <backlog>128</backlog>
    <reuseAddress>false</reuseAddress>
    <keepAlive>false</keepAlive>
    <tcpNoDelay>true</tcpNoDelay>
    <readTimeout>0</readTimeout>
  </socketOptions>
  <useNIO>false</useNIO>
</ldap>
Start Oracle Virtual Directory using the following command:
opmnctl startproc ias-component=ovd1
Test TLS with a client that supports TLS, such as Apache Directory Studio.
For example,
Start Apache Directory Studio, and then click LDAP > New Connection.
On the Network Parameter screen, set the following parameters:

Parameter | Setting |
---|---|
Hostname | Enter the fully qualified hostname that matches the CN of the certificate. |
Port | 9999 (or whatever port you used) |
Encryption Method | Use StartTLS extension. |
Click Check Network Parameter.
When a pop-up displays prompting you to accept the certificate, click Next.
The Authentication screen displays, where you must set the following parameters:

Parameter | Setting |
---|---|
Enter Bind Dn: | cn=orcladmin |
Enter Bind Password: | welcome1 |
Click Finish and you should see the base container.
You can now browse the directory over a secure connection.
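As an added example (not Oracle's code), the following Python script audits the <ldap> entries of a listeners.os_xml file using the element names shown in the sample above, reporting loopback hosts, privileged ports, cleartext-only listeners, SSLv3, anonymous cipher suites, an SSL authentication type of None, and anonymous bind. Anonymous ciphers are what the test procedure above deliberately enables, so they are reported as a finding for a production listener rather than an error in the procedure. The enclosing <listeners> root element and the keystore password values in the embedded sample are assumptions; the audit walks the whole tree, so the real wrapper name does not matter.

```python
"""Added example, not Oracle's code: a read-only audit of listeners.os_xml.
It uses the element names shown in the <ldap> sample above. The enclosing
<listeners> root element and the keystore password values are assumptions
(the audit walks the whole tree, so the real wrapper name does not matter)."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed sample: the TLS listener from the procedure above, plus a second
# listener written to show the settings the audit flags.
SAMPLE_XML = """<listeners>
  <ldap id="TLS" version="3">
    <port>9999</port>
    <host>0.0.0.0</host>
    <active>true</active>
    <ssl enabled="false">
      <protocols>TLSv1,SSLv2Hello</protocols>
      <cipherSuites includeAnonCiphers="true"/>
      <authType>Server</authType>
      <keyStore password="{AES-CBC}PLACEHOLDER">TLSkeyStore.jks</keyStore>
      <trustStore password="{AES-CBC}PLACEHOLDER">TLSkeyStore.jks</trustStore>
    </ssl>
    <anonymousBind>Allow</anonymousBind>
    <allowStartTLS>true</allowStartTLS>
  </ldap>
  <ldap id="Legacy" version="3">
    <port>389</port>
    <host>localhost</host>
    <active>true</active>
    <ssl enabled="true">
      <protocols>SSLv3,TLSv1</protocols>
      <cipherSuites includeAnonCiphers="false"/>
      <authType>None</authType>
    </ssl>
    <anonymousBind>DenyDNOnly</anonymousBind>
    <allowStartTLS>false</allowStartTLS>
  </ldap>
</listeners>
"""


def child_text(elem, tag, default=""):
    """Text of the first child named tag, or default when it is absent."""
    child = elem.find(tag)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def audit_listener(ldap):
    """Return the findings (strings) for one <ldap> listener element."""
    name = ldap.get("id", "?")
    out = []
    host = child_text(ldap, "host", "0.0.0.0")
    if host.lower() in LOOPBACK:
        out.append("%s: host %s is a loopback address, which the documentation says not to use" % (name, host))
    port = int(child_text(ldap, "port", "0") or "0")
    if 0 < port < 1024:
        out.append("%s: port %d is privileged and needs the hasbind/cap.ora setup" % (name, port))
    ssl = ldap.find("ssl")
    ssl_on = ssl is not None and ssl.get("enabled", "false").lower() == "true"
    starttls = child_text(ldap, "allowStartTLS", "false").lower() == "true"
    if not ssl_on and not starttls:
        out.append("%s: neither SSL nor StartTLS is available, so all traffic is cleartext" % name)
    # With StartTLS the <ssl> block is used even when enabled="false",
    # as in the sample above, so inspect it in both cases.
    if ssl is not None and (ssl_on or starttls):
        protocols = {p.strip() for p in child_text(ssl, "protocols").split(",")}
        if "SSLv3" in protocols:
            out.append("%s: SSLv3 is enabled; the procedure above deselects v3" % name)
        suites = ssl.find("cipherSuites")
        if suites is not None and suites.get("includeAnonCiphers", "false").lower() == "true":
            out.append("%s: anonymous cipher suites are enabled, so clients cannot authenticate the server" % name)
        if child_text(ssl, "authType") == "None":
            out.append("%s: SSL authentication type is None" % name)
    if child_text(ldap, "anonymousBind") == "Allow":
        out.append("%s: anonymous bind is allowed" % name)
    return out


def audit_listeners(xml_text):
    """Audit every <ldap> listener in a listeners.os_xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for ldap in root.iter("ldap"):
        findings.extend(audit_listener(ldap))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_XML):
        print(finding)
```

To audit a real instance, read $ORACLE_INSTANCE/config/OVD/ovd1/listeners.os_xml and pass its contents to audit_listeners.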
This section explains how to manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:
Perform the following steps to update settings for an existing Listener (LDAP or HTTP) using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where the Listener you want to edit resides.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears, displaying the existing Listeners.
Select the Listener you want to edit by clicking on it.
Click the Edit button. The Edit Listener screen appears displaying the Listener's current settings.
Edit the settings as desired.
Refer to Table 11-1, "LDAP Listener Configuration Parameters" for information about each LDAP Listener parameter.
Refer to Table 11-2, "HTTP Listener Configuration Parameters" for information about each HTTP Listener parameter.
Click the OK button on the Edit Listener screen to save the Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
You can edit the settings for the Oracle Virtual Directory Administrative Listener in the same manner that you edit settings for LDAP or HTTP Listeners. However, if you disable the Admin Gateway Listener, you cannot communicate with the Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. Refer to "Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.
Perform the following steps to edit settings for the Admin Gateway Listener using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears, displaying the existing Listeners.
Select the Admin Gateway Listener by clicking on it.
Click the Edit button. The Edit Listener screen appears displaying the Admin Gateway Listener's current settings.
Edit the Administrative Listener settings as desired and click Submit. Each Administrative Listener setting is described below in the "Administrative Listener Settings" section.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
Use the opmnctl updatecomponentregistration command to update the registration of the Oracle Virtual Directory component that contains the Admin Listener you edited.
The syntax for opmnctl updatecomponentregistration is:
$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration [-adminHost hostname] [-adminPort weblogic_port] [-adminUsername weblogic_admin] [-adminPasswordFile 'FILE_WITH_WEBLOGIC_ADMIN_PASSWORD'] [-componentType OVD] -componentName componentName [-Host OVD_HOST_NAME]
Note:
If you do not use the -Host option, the value in listeners.os_xml will be used.
Both the componentName and componentType parameters are required.
For example:
$ORACLE_INSTANCE/bin/opmnctl updatecomponentregistration -adminHost myhost \
-adminPort 7001 -adminUsername weblogic -componentType OVD -componentName ovd1
Administrative Listener Settings
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP Addresses configured for the host.
Notes:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Listener Host setting.
If you edit the Host setting, you must immediately perform step 6 or you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.
Note:
If you edit the Listener Port setting, you must immediately perform step 6 or you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
The number of active worker threads the Listener uses to concurrently process incoming requests.
Select to enable the Listener for service. If you disable the Admin Gateway Listener, you cannot communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. The default setting is Enabled.
Displays the current SSL setting (Enabled or Disabled) for the Listener and provides a link to change the Listener's SSL settings. To edit the Listener's SSL Settings, click the link and refer to "Configuring SSL for Listeners Using Fusion Middleware Control" for more information.
Note:
If you edit the SSL setting (Enabled or Disabled), you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing the SSL setting, you cannot communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
Perform the following steps to delete an existing Listener (LDAP or HTTP) using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where the Listener you want to delete resides.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears, displaying the existing Listeners.
Click the Listener you want to delete.
Click the Delete button. A dialog box appears asking you to confirm deleting the Listener.
Click OK on the dialog box to delete the Listener. The Listener is removed from the list of existing Listeners.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
This section explains how to manage Oracle Virtual Directory Listeners using WLST and contains the following sections:
See Also:
Oracle Fusion Middleware Oracle WebLogic Scripting Tool for information on how to use the WLST command line tool.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about WLST command syntax.
You can use WLST to update the settings for an existing Listener as follows:
Launch the WLST command line tool shell.
Connect to the WebLogic Admin Server. For example:
connect('username', 'password','t3://host_name:Admin_Server_Port')
Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Move to the MBean node for the Listener you want to update, for example, the Listener named LDAP SSL Endpoint:
cd('../..')
cd('oracle.as.ovd')
cd('oracle.as.ovd:type=component.Listenersconfig.sslconfig,name=LDAP SSL Endpoint,instance=asinst_1,component=ovd1')
Using the WLST set() command, update the appropriate setting. The following example updates the Threads setting:
set('Threads', 20)
Notes:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.
If you edit the Host, Port, or SSL setting for the Admin Listener, you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing any of these settings for the Admin Listener, you cannot communicate with Oracle Virtual Directory using WLST.
See Also:
The following sections to learn more about the Listener settings you can configure using WLST:
Save the changes and then refresh the MBean. For example:
cd('../..')
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
The following is a list and description of the Admin Listener settings you can configure using WLST:
See Also:
"Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.
Determines whether the Listener is enabled or disabled. Supported values are true and false. If you disable the Admin Listener, you cannot communicate with Oracle Virtual Directory using Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces.
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of the value of the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
An LDAP URL that defines a group of users with privileges to use the Admin Listener. These users have near root privileges when accessing the Oracle Virtual Directory server through the Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager interfaces.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP Addresses configured for the host.
Note:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.
The protocol the Admin Listener uses to provide service. Supported values are HTTP and HTTPS.
Determines whether SSL is enabled on the Listener. Supported values are true and false.
The supported protocols for SSL communication. The following is a list of the supported values:
TLSv1
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.
SSLv3
The number of active worker threads the Listener uses to listen for connections on the port.
The name of the JKS keystore containing the SSL artifacts.
The following is a list and description of the LDAP Listener settings you can configure using WLST:
Determines whether the Listener is enabled or disabled. Supported values are true and false.
Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. Supported values are true and false. The default value is false.
Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Supported values are listed in Table 11-3:
Table 11-3 LDAP Anonymous Authentication Options

Option | Control |
---|---|
Allow | Allow anonymous authentication. |
Deny | Prevent anonymous operations. |
DenyDNOnly | Prevent empty password authentication. Note: According to the LDAP protocol specification, if an LDAP client connects to an LDAP server with a non-empty DN and an empty password, the LDAP server is expected to provide a successful anonymous bind. For applications that are using LDAP for authentication, this could allow end users to log in to their applications without entering a password. Most LDAP-enabled applications protect against this use case. However, as an extra safeguard, you can configure Oracle Virtual Directory to prevent this from happening. |
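The DenyDNOnly case is easiest to reason about when the three kinds of simple bind are named explicitly. The following is an added example, not Oracle Virtual Directory code: it classifies a bind request using RFC 4513 terminology (anonymous, unauthenticated, simple) and models how each Table 11-3 option would treat it. The semantics of the three options (Deny blocks both anonymous forms, DenyDNOnly blocks only the non-empty-DN-with-empty-password form, Allow blocks neither) are an assumption drawn from the descriptions above, and the sample bind attempts are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values of the anonymous-authentication setting as listed in Table 11-3.
POLICIES = ("Allow", "Deny", "DenyDNOnly")


@dataclass(frozen=True)
class BindRequest:
    dn: str        # bind DN sent by the client; "" for a plain anonymous bind
    password: str  # simple-bind password; "" when the client sends none


def classify_bind(req: BindRequest) -> str:
    """Classify a simple bind using RFC 4513 terminology.

    anonymous       : empty DN and empty password
    unauthenticated : non-empty DN but empty password (RFC 4513 section 5.1.2);
                      a server that honours it grants anonymous access, which is
                      exactly the case the DenyDNOnly option is meant to block
    simple          : non-empty DN and non-empty password
    """
    if not req.dn and not req.password:
        return "anonymous"
    if req.dn and not req.password:
        return "unauthenticated"
    return "simple"


def bind_accepted(policy: str, req: BindRequest) -> bool:
    """Assumed model of the Table 11-3 options (not Oracle Virtual Directory code).

    A 'simple' bind is passed through here; verifying the password against
    the backing directory happens elsewhere and is out of scope.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown anonymous-bind policy {policy!r}")
    kind = classify_bind(req)
    if kind == "simple":
        return True
    if policy == "Allow":
        return True
    if policy == "Deny":
        return False
    # DenyDNOnly: plain anonymous binds still succeed, the DN-with-empty-password
    # form is rejected so an application cannot be tricked into a password-less login.
    return kind == "anonymous"


def audit(policy: str, requests: List[BindRequest]) -> List[Tuple[str, str, bool]]:
    """Return (dn, kind, accepted) for each bind in a batch under one policy."""
    return [(r.dn or "<anonymous>", classify_bind(r), bind_accepted(policy, r))
            for r in requests]


# Constructed sample bind attempts (not captured from a real server).
SAMPLE_BINDS = [
    BindRequest("", ""),                                                   # anonymous
    BindRequest("cn=alice,ou=people,dc=example,dc=com", ""),               # unauthenticated
    BindRequest("cn=alice,ou=people,dc=example,dc=com", "correct-horse"),  # simple
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, audit(policy, SAMPLE_BINDS))
```

Running the block prints the outcome of each sample bind under all three options; the line to look at is the unauthenticated bind, which only Deny and DenyDNOnly reject.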
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
In addition to the normal LDAP operations supported by the LDAP protocol, you can define your own LDAP operation using this setting. This setting is the full java class name that implements your user-defined LDAP operation.
The unique name for your user-defined LDAP operation identified by the ExtendedOpsClass setting.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port number on which the LDAP Listener provides service. Only one Listener per server can be active on a port at any given time.
The protocol the LDAP Listener uses to provide service. Supported values are LDAP and LDAPS.
Determines whether SSL is enabled on the Listener. Supported values are true and false.
The supported protocols for SSL communication. The following is a list of the supported values:
TLSv1
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.
SSLv3
Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. Default setting is 128.
Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. Supported values are true and false. The default value is false.
Enables and disables tolerance for idle client connections with the specified timeout period in milliseconds. If set to a nonzero time, client connections to the Oracle Virtual Directory server can remain idle only for the set amount of time. If the connection is idle for a period longer than the specified time, the client connection is terminated. A value of zero is considered an infinite timeout. The default value is 0.
Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused. Supported values are true and false. The default value is false.
Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. Supported values are true and false. The default value is true.
The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if the value you specify proves insufficient. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.
The name of the JKS keystore containing the SSL artifacts.
Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a DSA is busy error. The default value is 1024.
Note:
The DSA is busy error usually appears when a large number of requests are sent to the Oracle Virtual Directory server in a short time period and the LDAP Listener cannot support them.
The following is a list and description of the HTTP Listener settings you can configure using WLST:
Determines whether the Listener is enabled or disabled. Supported values are true and false.
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Base URL for the location of the customer-developed custom web service.
Name of the realm used by Oracle Virtual Directory to protect the custom web service when the custom web service is security enabled.
To use your own web application to handle HTTP connections instead of the HTTP Listener's Web Gateway, DSMLv2 Gateway, or both, use this setting to specify the path to your custom web application war file.
Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name appears in the HTTP browser challenge presented to the user.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port number on which the HTTP Listener provides service. Only one Listener per server can be active on a port at any given time.
The protocol the HTTP Listener uses to provide service. Supported values are HTTP and HTTPS.
Determines whether SSL is enabled on the Listener. Supported values are true and false.
The supported protocols for SSL communication. The following is a list of the supported values:
TLSv1
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.
SSLv3
The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if the value you specify proves insufficient. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.
The name of the JKS keystore containing the SSL artifacts.
Enables and disables anonymous access to the Web Gateway. Supported values are true and false.
Indicates which attributes contain binary PKI certificate information. The default value is usercertificate.
The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located.
The attribute the Web Gateway should attempt to match when searching for a UID. The default value is uid, mail, cn.
The objectclasses the Web Gateway should use when searching for users to authenticate. The default value is inetorgperson, user.
Indicates which attributes contain graphical images. The default value is jpegphoto.
The height the Web Gateway scales photos to. The default value is 100.
The width the Web Gateway scales photos to. The default value is 100.
The root distinguished name (namespace) of the directory tree where the Web Gateway starts its sub-tree search for user identity names (UIDs) provided after a user authentication challenge.
Name of the realm used by Oracle Virtual Directory to protect the Web Gateway service when the Web Gateway service is security enabled.
Maximum time (in seconds) that Oracle Virtual Directory waits before re-querying a user credential stored in the directory source.
You can use WLST to delete an existing Listener as follows:
Launch the WLST command line tool shell.
Connect to the WebLogic Admin Server. For example:
connect('username', 'password','t3://host_name:Admin_Server_Port')
Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Move to the Oracle Virtual Directory Listeners configuration MBean. For example:
cd('../..')
cd('oracle.as.ovd/oracle.as.ovd:type=component.Listenersconfig,name=Listenersconfig,instance=asinst1,component=ovd1')
Delete the appropriate Listener, for example, the Listener named test1, as follows:
invoke('deleteListener',jarray.array([java.lang.String('test1')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))
Save the changes and then refresh the MBean. For example:
cd('../..')
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
This section explains how to secure Oracle Virtual Directory Listeners using SSL and contains the following sections:
Note:
The following information describes SSL configuration for a single component. If you are configuring SSL for multiple components, you can use the Oracle SSL Automation Tool, which enables you to configure SSL for multiple components using a domain-specific CA.
Refer to the Oracle Fusion Middleware Administrator's Guide for complete information about the Oracle SSL Automation Tool.
Perform the following steps to secure Oracle Virtual Directory Listeners with SSL using Oracle Enterprise Manager Fusion Middleware Control:
Note:
If you are configuring the Listener for SSL No-Auth mode, do not perform step 2 and steps 3e through 3h in the following procedure.
See Also:
The information about enabling SSL for Oracle Virtual Directory Listeners in the Oracle Fusion Middleware Administrator's Guide.
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target of the Listener you want to secure with SSL.
Create a keystore if one does not already exist by selecting Security and then Keystores from the Oracle Virtual Directory menu. The Java Keystore screen appears. Refer to the information about creating a keystore using Oracle Enterprise Manager in the Oracle Fusion Middleware Administrator's Guide for additional information.
Configure the Listener by performing the following steps:
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Select the Listener you want to secure with SSL by clicking on it and then click the Edit button. The Edit Listener: Listener Name screen appears.
Click the Change SSL Settings link.
Click the Enable SSL option to enable SSL on the Listener. If you are configuring the Listener for SSL No-Auth mode, skip to step i now.
Select the keystore you want to use from the Server Keystore Name field.
Note:
If you select a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.
To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
  -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
  -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
  $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Enter the password for the keystore in the Server Keystore Password field.
Note:
The password for the keystore that is created during the Oracle Virtual Directory installation is the same as the password set for the Oracle Virtual Directory administrator during installation.
Select the truststore you want to use from the Server Truststore Name field.
Enter the password for the truststore in the Server Truststore Name field.
Select one of the following authentication modes for the Listener from the Client Authentication field.
To configure the Listener for SSL No-Authentication Mode, select No Authentication.
To configure the Listener for SSL Server Authentication Mode, select Server Authentication.
To configure the Listener for SSL Mutual Authentication mode between the Oracle Virtual Directory server and the client, select Mutual Authentication.
Note:
The Optional Client Authentication mode is not supported for Oracle Virtual Directory Listeners.
Select the appropriate option from the Cipher Suite field. You can select All, or a combination of individual options.
Note:
If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.
Select the appropriate option from the SSL Protocol Version field.
Note:
The v2Hello option is not supported by itself. That is, you cannot select the v2Hello option alone; you must select it in combination with at least one additional SSL Protocol Version from the list.
Click the OK button.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
To configure SSL for Oracle Virtual Directory using the WLST command line tool:
See Also:
The "WLST Reference for SSL" information in the Oracle Fusion Middleware Administrator's Guide.
Oracle Fusion Middleware Oracle WebLogic Scripting Tool for information on how to use the WLST command line tool.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about WLST commands.
Launch the WLST command line tool shell.
Go to the custom tree using the following command:
custom()
Navigate to the root Oracle Virtual Directory mBean using the following commands:
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE_NAME')
Initialize the Oracle Virtual Directory configuration from the remote Oracle Virtual Directory server into the WebLogic server using the following command:
invoke('load',jarray.array([],java.lang.Object),jarray.array([], java.lang.String))
Display the existing SSL configuration for the Listener you want secure (LDAP SSL Endpoint in this example) using the following command:
getSSL('instance1','ovd1','ovd','LDAP SSL Endpoint')
Display the existing keystores using the following command:
listKeyStores('instance1','ovd1','ovd')
If necessary, create a new keystore and a self-signed certificate using the following commands.
To create the new keystore, execute the following command:
createKeyStore('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE')
To create a self-signed certificate in the new keystore, execute the following command:
generateKey ('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE', 'DN', 'keySize', 'alias')
Identify the name of the SSL MBean for the Oracle Virtual Directory Listener by executing the following command:
getSSLMBeanName('instance1','ovd1','ovd','LDAP SSL Endpoint')
Set the passwords for the keystore and truststore in the MBean as follows:
Change to level /oracle.as.ovd/oracle.as.ovd by using cd, and then execute cd('SSL_MBEAN_NAME').
Execute the following commands:
set('KeyStorePassword',java.lang.String('PASSWORD').toCharArray())
set('TrustStorePassword',java.lang.String('PASSWORD').toCharArray())
Configure the SSL settings for the Listener using the following command and a file.prop file. A sample file.prop file is given in Example 11-1 for reference:
configureSSL ('instance1', 'ovd1', 'ovd', 'LDAP SSL Endpoint', 'PATH_TO_file.prop')
Note:
If you configure a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.
To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
  -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
  -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
  $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Example 11-1 Sample file.prop File
SSLEnabled=true
AuthenticationType=auth_type
SSLVersions=version
Ciphers=cipher
KeyStore=name_of_your_keystore
TrustStore=name_of_your_keystore
Important Notes Regarding the file.prop File:
Replace the variable values in the Example 11-1 with the values for your environment.
If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.
You must specify the value of the KeyStore parameter when configuring SSL for server-auth and mutual-auth modes.
If you specify only AES ciphers, the SSLVersions parameter must contain TLSv1.
The text in the file.prop file is case sensitive.
Do not use spaces after cipher entries in the file.prop file.
Refer to the "Properties Files for SSL" section in the Oracle Fusion Middleware Administrator's Guide for more information about the contents of the file.prop file.
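The rules in the notes above (DH_anon ciphers for No-Auth, RSA ciphers otherwise, KeyStore required for server-auth and mutual-auth, TLSv1 required for an AES-only cipher list, SSLv2Hello never alone, case sensitivity, no spaces after cipher entries) are easy to get wrong by hand and are only reported by the server after a stop and start. The following is an added example, not part of the Oracle documentation or product: a small checker that parses a file.prop file and reports every rule it violates before you run configureSSL. The supported cipher and SSLVersions values are taken from the lists on this page; the exact spellings of the AuthenticationType values (no-auth, server-auth, mutual-auth) are an assumption based on how the page names the modes, and both sample files are constructed.

```python
"""Checks a file.prop SSL property file against the rules listed on this page."""
from typing import Dict, List

# Cipher suites the page lists as supported values for the Ciphers setting.
SUPPORTED_CIPHERS = {
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# SSL protocol versions the page lists as supported values.
SUPPORTED_VERSIONS = {"TLSv1", "SSLv2Hello", "SSLv3"}
# Assumed spellings of the AuthenticationType values (the page refers to the
# modes as no-auth, server-auth and mutual-auth; confirm against your guide).
AUTH_TYPES = {"no-auth", "server-auth", "mutual-auth"}
SERVER_MODES = {"server-auth", "mutual-auth"}


def parse_file_prop(text: str) -> Dict[str, str]:
    """Parse key=value lines. Keys and values are kept verbatim because the
    file is case sensitive; the value is not stripped so stray spaces show up."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line in file.prop: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value
    return props


def _split_list(value: str) -> List[str]:
    return [item for item in value.replace(" ", "").split(",") if item]


def validate_file_prop(text: str) -> List[str]:
    """Return the list of rule violations; an empty list means the file passes."""
    p = parse_file_prop(text)
    problems: List[str] = []

    if p.get("SSLEnabled") not in ("true", "false"):
        problems.append("SSLEnabled must be exactly 'true' or 'false'")

    auth = p.get("AuthenticationType", "")
    if auth not in AUTH_TYPES:
        problems.append(f"AuthenticationType {auth!r} is not one of {sorted(AUTH_TYPES)}")

    raw_ciphers = p.get("Ciphers", "")
    if " " in raw_ciphers:
        problems.append("Ciphers contains a space; do not use spaces after cipher entries")
    ciphers = _split_list(raw_ciphers)
    unknown = [c for c in ciphers if c not in SUPPORTED_CIPHERS]
    if unknown:
        problems.append(f"unsupported or mis-cased cipher(s): {unknown}")
    if not ciphers:
        problems.append("Ciphers must list at least one cipher suite")
    elif auth == "no-auth" and not any("_DH_anon_" in c for c in ciphers):
        problems.append("no-auth mode requires at least one DH_anon cipher")
    elif auth in SERVER_MODES and not any("_RSA_" in c for c in ciphers):
        problems.append(f"{auth} mode requires at least one RSA cipher")

    if auth in SERVER_MODES and not p.get("KeyStore"):
        problems.append(f"KeyStore must be set for {auth} mode")

    versions = _split_list(p.get("SSLVersions", ""))
    unknown_versions = [v for v in versions if v not in SUPPORTED_VERSIONS]
    if unknown_versions:
        problems.append(f"unsupported SSL version(s): {unknown_versions}")
    if versions == ["SSLv2Hello"]:
        problems.append("SSLv2Hello cannot be the only SSLVersions entry")
    if ciphers and all("_AES_" in c for c in ciphers) and "TLSv1" not in versions:
        problems.append("an AES-only cipher list requires TLSv1 in SSLVersions")

    return problems


# Constructed sample files (not taken from a real deployment).
GOOD_SERVER_AUTH = """\
SSLEnabled=true
AuthenticationType=server-auth
SSLVersions=TLSv1
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
KeyStore=keys.jks
TrustStore=keys.jks
"""

BAD_NO_AUTH = """\
SSLEnabled=true
AuthenticationType=no-auth
SSLVersions=SSLv2Hello
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
KeyStore=
TrustStore=
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SERVER_AUTH), ("bad", BAD_NO_AUTH)):
        print(name, validate_file_prop(sample) or "OK")
```

The checker reports four problems for the second sample: a space after a cipher entry, no DH_anon cipher for no-auth, SSLv2Hello listed alone, and an AES-only cipher list without TLSv1. It only enforces the page's rules; it does not judge cipher strength, so remember that a DH_anon suite authenticates neither end of the connection and is appropriate only where No-Auth mode is really what you intend.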
See Also:
The following sections for information about the AuthenticationType, SSLVersions, and Ciphers values you can configure in file.prop:
Save your changes and then refresh the MBean. For example:
cd('../..')
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
This section explains how to validate SSL connections for each SSL mode and contains the following sections:
Note:
If you are using default settings after installing 11g Release 1 (11.1.1), you can use the following values for the following variables described in this section:
For OVD_KEY_STORE_FILE, use:
ORACLE_INSTANCE/config/OVD/ovd1/keystores/keys.jks
For OVD_SERVER_CERT_ALIAS, use serverselfsigned
For PASSWORD used for the -storepass and -jkspwd options, use the same password as orcladmin
To validate a connection secured by SSL No-Authentication mode, execute the following command:
ORACLE_HOME/bin/ldapbind -D cn=orcladmin -q -U 1 -h HOST -p SSL_PORT
To validate a connection secured by SSL Server Authentication mode, perform the following steps:
Create an Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET \
  -pwd WALLET_PASSWORD
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert -keystore OVD_KEYSTORE_FILE \
  -storepass PASSWORD -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet DIRECTORY_FOR_SSL_WALLET \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Use the Oracle Wallet from step 3 while executing the following command:
ORACLE_HOME/bin/ldapbind -D cn=orcladmin -q -U 2 -h HOST -p SSL_PORT \
  -W "file://DIRECTORY_FOR_SSL_WALLET" -Q
To validate a connection secured by SSL Mutual Authentication mode, perform the following steps:
Create an Oracle wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET \
  -pwd WALLET_PASSWORD
Transform the Oracle Virtual Directory keystore file to an Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet jks_to_pkcs12 \
  -wallet DIRECTORY_FOR_SSL_WALLET -pwd WALLET_PASSWORD \
  -keystore ORACLE_INSTANCE/config/OVD/OVD_COMPONENT/keystores/keys.jks \
  -jkspwd PASSWORD
Export the client certificate in Base64 format by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet export -wallet . -dn CLIENT_DN \
  -cert ./b64certificate.txt
Import the client certificate you created in step 2 into the Oracle Virtual Directory keystore as a trusted entry by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -importcert \
  -keystore ORACLE_INSTANCE/config/OVD/OVD_COMPONENT/keystores/keys.jks \
  -storepass JKS_PASSWORD -alias ALIAS -file b64certificate.txt -noprompt
Verify the SSL connection using the bind DN of the client certificate by executing the following command:
ORACLE_HOME/bin/ldapbind -U 3 -h HOST -p SSL_PORT -W "file://DIRECTORY_FOR_SSL_WALLET" -Q