23 Configuring SSL for LDAP Integration

This module describes how to configure Oracle Beehive LDAP-based authentication with certificate authority (CA) verification. It covers the following topics:

• Requirements

• Configure SSL for LDAP Verification

• Configure Apache HTTP Server for WebDAV Folders

Requirements

Complete these tasks before configuring SSL for LDAP integration:

1. Configure your LDAP server for SSL so that your directory server authenticates itself to the client. If you are using Oracle Internet Directory as your LDAP server, choose SSL Server Authentication as your SSL authentication method. For more information, refer to Section 17.4.2, "Configure Oracle Internet Directory for SSL" in Chapter 17, "Secure Sockets Layer (SSL) and the Directory" in Oracle Internet Directory Administrator's Guide.

2. Request a certificate from your CA for your Oracle Beehive instance. When the CA sends the signed user certificate and its associated trusted certificate, import them into a wallet configured for your Oracle Beehive instance. Enable auto login for the wallet.

   To configure an Oracle Beehive instance to use a wallet, refer to "Configuring TLS with Oracle Wallet". Refer to the following sections in Oracle Application Server Administrator's Guide for more information about certificates, importing certificates into Oracle Wallet, and enabling auto login:

   • Section 10.5, "Certificates and Oracle Wallets" in Chapter 10, "Overview of Secure Sockets Layer (SSL) in Oracle Application Server"

   • Section 11.1.3, "How to Create a Complete Wallet: Process Overview" and Section 11.1.4.14, "Using Auto Login" in Chapter 11, "Managing Wallets and Certificates"

   You may use Oracle Application Server Certificate Authority as your CA. For more information, refer to Oracle Application Server Certificate Authority Administrator's Guide.

3. Configure LDAP with Oracle Beehive as described in "Integrating and Synchronizing LDAP with Oracle Beehive".

Configure SSL for LDAP Verification

Follow these steps to specify that your LDAP server is SSL-enabled and the location of your wallet that contains your CA certificates.

1. Get the value of LdapServer of your LDAP directory. This example assumes that you are using Oracle Internet Directory as your directory:

   beectl list_properties --component oidldapdirectoryprofile
   ---------------------------------------------------------------------------
   | Property name         | Property value                                  |
   ---------------------------------------------------------------------------
   | LdapServer            | oidldapdirectoryprofile_example.com             |
   | PollInterval          | 15                                              |
   | DirectoryAttributeMap | c1bd400e-8dbe-4cf1-97c5-89b725c02f7b            |
   | ProfileState          | DISABLE                                         |
   | DefaultFlag           | DEFAULT                                         |
   | ProfileMode           | SYNC                                            |
   | EnterpriseMap         | dd33e82e-6842-4b24-8bf7-9a7b968ac9f1            |
   | UserTypeMap           | fca1999e-7b1d-4c05-9e19-b71e52ed9c25            |
   | GroupTypeMap          | 35571103-caaf-4d7a-8601-90e81a5be389            |
   | Alias                 | oidldapdirectoryprofile                         |
   ---------------------------------------------------------------------------
   

2. In the LdapServer object, set the value of SslEnabled to true:

   beectl modify_property
     --component oidldapdirectoryprofile_example.com
     --name SslEnabled
     --value true
   Changes to configuration repository are not activated.
   Successfully stored the property for component id 9d2cc036-01a3-4ee6-94c8-c90311624070.
   

3. Get the name of your Oracle Beehive instance:

   beectl list_components --type BeehiveInstance
   -------------------------------------------------------
   | Component type       | Component identifier         |
   -------------------------------------------------------
   | BeehiveInstance      | beehive_instance_example.com |
   

4. In your Oracle Beehive instance, set the value of WalletDir to the location of the wallet that contains your CA certificates:

   beectl modify_property
     --component beehive_instance_example.com
     --name WalletDir
     --value <Your wallet directory>
   Successfully stored the property for component id 
   09386579-b66c-41d7-96e6-88f44673ec55.
   

5. Run the following commands to activate your changes:

   beectl activate_configuration
   beectl modify_local_configuration_files
   

6. Restart BEECORE:

   beectl restart --component BEECORE_example.com
   

Configure Apache HTTP Server for WebDAV Folders

After you have configured Oracle Beehive authentication with CA verification, users may get the following request every time they perform an operation on a WebDAV folder: "Choose a digital certificate. The website you want to view requests identification. Please choose a certificate."

To eliminate this request, edit the file <Oracle home>\Apache\Apache\conf\httpd.conf as follows:

DocumentRoot "Oracle_home/Apache/Apache/htdocs"

<Directory "Oracle_home/Apache/Apache/htdocs">
    <LimitExcept GET POST OPTIONS>
        deny from all
    </LimitExcept>
    Options -FollowSymLinks -Includes -Indexes 
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

The only change is to append OPTIONS after GET POST in the <LimitExcept> tag.

With this change, when the WebDAV folder issues the OPTIONS HTTP access method on the document root, Apache HTTP Server will return 200 status and not issue the request for a client certificate.