O Oracle Directory Services Manager Keystore Management

Oracle Directory Services Manager is integrated with the Credential Store Framework (CSF), a secure storage framework provided by Oracle. This appendix explains how to manage ODSM's credentials.

O.1 ODSM's Key Store

ODSM creates a Java Key Store (JKS) file the first time it is used and assigns a random password to it. The JKS file is named odsm.cer. It resides in a directory with a name of the form:

DOMAIN_HOME/servers/managed_server_name_where_odsm_is_deployed/tmp/_WL_user/odsm_11.1.1.1.0/random_number/war/conf

ODSM stores this random password in CSF, from which the WebLogic server administrator can retrieve it. ODSM also generates a self-signed certificate for itself and stores it in the JKS. Apart from that, the keystore exists only to hold the CA certificates of the back-end directory servers that ODSM trusts.

O.2 Retrieving ODSM's Java Key Store Password

To manage ODSM's JKS, you must first retrieve ODSM's JKS password from CSF. The WebLogic administrator can retrieve it by running the listCred.py script under WLST, with the WebLogic Server classes on the classpath (for example, after sourcing WL_HOME/server/bin/setWLSEnv.sh), as follows:

$ java weblogic.WLST -i listCred.py -map ODSMMap -key "ODSMKey.Wallet"
Initializing WebLogic Scripting Tool (WLST) ...

Type help() for help on available commands

{map=ODSMMap, key=ODSMKey.Wallet}
Please enter your username [weblogic] : weblogic
Please enter your password [weblogic] : password
Please enter your server URL [t3://localhost:7001] : t3://myhost:7001
Connecting to t3://localhost:7001 with userid weblogic ...

Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.

Password is XDDFDFDD.

O.3 Listing the Contents of the Trusted Certificate

After you retrieve the Key Store password, you can manage the keystore using the keytool command. If you omit -storepass, keytool prompts for the password instead of exposing it in the process list and shell history.

To list the contents of odsm.cer, proceed as follows:

cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer \
   -storepass password_obtained_from_CSF

For example:

$ cd /serverhome/user_projects/domains/mydomain/servers/myserver/tmp/_WL_user/odsm_11.1.1.1.0/29840238030296/war/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
         MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
         SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
         MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
         SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
         Signature algorithm name: MD5withRSA
         Version: 1


*******************************************
*******************************************
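The listing above is the raw material for a routine check of what odsm.cer trusts. The following helper is an added example, not part of Oracle's documentation or tooling: it parses "keytool -list -v" output from stdin and prints one line per certificate (alias, entry type, expiry, signature algorithm) with a DEPRECATED flag on MD2, MD5 and SHA-1 signatures such as the MD5withRSA root CA shown in Section O.3. The sample listing embedded below is constructed from that section and trimmed; it is not live keystore data.

```shell
#!/bin/sh
# Parse "keytool -list -v" output (stdin) and emit one line per certificate:
#   alias|entry type|expiry|signature algorithm|ok or DEPRECATED
# Handles both layouts keytool prints for the signature line: "Version:" on
# the same line (as in the page's first entry) or on its own line.
audit_keystore_listing() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { type  = substr($0, 13) }
        /^Valid from: / { line = $0; sub(/.* until: /, "", line); expiry = line }
        /Signature algorithm name: / {
            line = $0
            sub(/.*Signature algorithm name: */, "", line)
            sub(/ +Version:.*/, "", line)   # drop a trailing "Version: N"
            flag = (line ~ /^(MD2|MD5|SHA1)with/) ? "DEPRECATED" : "ok"
            printf "%s|%s|%s|%s|%s\n", alias, type, expiry, line, flag
        }'
}

# Aliases of every entry whose signature algorithm was flagged.
deprecated_aliases() {
    audit_keystore_listing | awk -F'|' '$5 == "DEPRECATED" { print $1 }'
}

# Constructed sample, trimmed from the Section O.3 listing (not real keystore data).
SAMPLE_LISTING='Your keystore contains 2 entries

Alias name: serverselfsigned
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
         Signature algorithm name: SHA1withRSA         Version: 3

Alias name: cn=rootca, o=oracle, c=us (0)
Entry type: trustedCertEntry
Owner: CN=RootCA, O=Oracle, C=US
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
         Signature algorithm name: MD5withRSA
         Version: 1'

# Against a live keystore (keytool prompts for the password when -storepass is omitted):
#   JAVA_HOME/bin/keytool -list -v -keystore odsm.cer | audit_keystore_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_keystore_listing
```

Both sample entries come out flagged: the self-signed server certificate for SHA1withRSA and the root CA for MD5withRSA.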

O.4 Deleting the Trusted Certificate

To delete a trusted certificate from odsm.cer, run keytool -delete with the alias of the entry:

cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
   -storepass password_obtained_from_CSF -alias "cn=rootca, o=oracle, c=us (0)"

For example:

$ JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
   -storepass "&M)S86)/RB" -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]