Oracle® Beehive Installation Guide Release 1 (1.4) for Solaris Operating System (SPARC 64-Bit) Part Number E13793-02
This module describes how to configure Oracle Beehive LDAP-based authentication with certificate authority (CA) verification. It covers the following topics:
Complete these tasks before configuring SSL for LDAP integration:
Configure your LDAP server for SSL so that your directory server authenticates itself to the client. If you are using Oracle Internet Directory as your LDAP server, choose SSL Server Authentication as your SSL authentication method. For more information, refer to Section 17.4.2, "Configure Oracle Internet Directory for SSL" in Chapter 17, "Secure Sockets Layer (SSL) and the Directory" in Oracle Internet Directory Administrator's Guide.
Request a certificate from your CA for your Oracle Beehive instance. When the CA sends the signed user certificate and its associated trusted certificate, import them into a wallet configured for your Oracle Beehive instance. Enable auto login for the wallet.
To configure an Oracle Beehive instance to use a wallet, refer to "Configuring TLS with Oracle Wallet". Refer to the following sections in Oracle Application Server Administrator's Guide for more information about certificates, importing certificates into Oracle Wallet, and enabling auto login:
Section 10.5, "Certificates and Oracle Wallets" in Chapter 10, "Overview of Secure Sockets Layer (SSL) in Oracle Application Server"
Section 11.1.3, "How to Create a Complete Wallet: Process Overview" and Section 11.1.4.14, "Using Auto Login" in Chapter 11, "Managing Wallets and Certificates"
You may use Oracle Application Server Certificate Authority as your CA. For more information, refer to Oracle Application Server Certificate Authority Administrator's Guide.
Configure LDAP with Oracle Beehive as described in "Integrating and Synchronizing LDAP with Oracle Beehive".
Follow these steps to specify that your LDAP server is SSL-enabled and to specify the location of the wallet that contains your CA certificates.
Get the value of LdapServer of your LDAP directory. This example assumes that you are using Oracle Internet Directory as your directory:

beectl list_properties --component oidldapdirectoryprofile
---------------------------------------------------------------------------
| Property name          | Property value                                 |
---------------------------------------------------------------------------
| LdapServer             | oidldapdirectoryprofile_example.com            |
| PollInterval           | 15                                             |
| DirectoryAttributeMap  | c1bd400e-8dbe-4cf1-97c5-89b725c02f7b           |
| ProfileState           | DISABLE                                        |
| DefaultFlag            | DEFAULT                                        |
| ProfileMode            | SYNC                                           |
| EnterpriseMap          | dd33e82e-6842-4b24-8bf7-9a7b968ac9f1           |
| UserTypeMap            | fca1999e-7b1d-4c05-9e19-b71e52ed9c25           |
| GroupTypeMap           | 35571103-caaf-4d7a-8601-90e81a5be389           |
| Alias                  | oidldapdirectoryprofile                        |
---------------------------------------------------------------------------
In the LdapServer object, set the value of SslEnabled to true:

beectl modify_property --component oidldapdirectoryprofile_example.com --name SslEnabled --value true
Changes to configuration repository are not activated.
Successfully stored the property for component id 9d2cc036-01a3-4ee6-94c8-c90311624070.
Get the name of your Oracle Beehive instance:
beectl list_components --type BeehiveInstance
--------------------------------------------------
| Component type  | Component identifier         |
--------------------------------------------------
| BeehiveInstance | beehive_instance_example.com |
--------------------------------------------------
In your Oracle Beehive instance, set the value of WalletDir to the location of the wallet that contains your CA certificates:

beectl modify_property --component beehive_instance_example.com --name WalletDir --value <Your wallet directory>
Successfully stored the property for component id 09386579-b66c-41d7-96e6-88f44673ec55.
Run the following commands to activate your changes:
beectl activate_configuration
beectl modify_local_configuration_files
Restart BEECORE:
beectl restart --component BEECORE_example.com
After you have configured Oracle Beehive authentication with CA verification, users may get the following request every time they perform an operation on a WebDAV folder: "Choose a digital certificate. The website you want to view requests identification. Please choose a certificate."
To eliminate this request, edit the file <Oracle home>/Apache/Apache/conf/httpd.conf as follows:

DocumentRoot "Oracle_home/Apache/Apache/htdocs"
<Directory "Oracle_home/Apache/Apache/htdocs">
    <LimitExcept GET POST OPTIONS>
        deny from all
    </LimitExcept>
    Options -FollowSymLinks -Includes -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
The only change is to append OPTIONS after GET POST in the <LimitExcept> tag.
With this change, when the WebDAV folder client issues the OPTIONS HTTP method against the document root, Apache HTTP Server returns a 200 status and does not request a client certificate.
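As an added pre-flight check that is not part of the Oracle Beehive guide or product, the following POSIX shell script validates the two inputs that the beectl steps above and the httpd.conf change depend on before anything is modified: that the directory you intend to set as WalletDir is an auto-login Oracle wallet that is not world-readable (ewallet.p12 plus cwallet.sso, the standard Oracle Wallet file names), and that every <LimitExcept> directive in httpd.conf lists OPTIONS. The function names and the usage layout are this example's own assumptions.

```shell
#!/bin/sh
# Added pre-flight check; not part of the Oracle Beehive guide or product.
# Verifies, before beectl modify_property is run:
#  - WalletDir holds an auto-login Oracle wallet (ewallet.p12 plus the
#    cwallet.sso written when auto login is enabled) and cwallet.sso is not
#    world-readable, since BEECORE opens it unattended with no password;
#  - every <LimitExcept ...> in httpd.conf lists OPTIONS, so WebDAV clients
#    are not challenged for a certificate on their OPTIONS requests.
# Function names are this script's own; the file names are standard Oracle Wallet.

# check_wallet_dir DIR -> returns 0 if DIR is a usable auto-login wallet, else 1
check_wallet_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "WalletDir $dir: not a directory" >&2; return 1; }
    [ -f "$dir/ewallet.p12" ] || { echo "$dir: ewallet.p12 missing" >&2; return 1; }
    if [ ! -f "$dir/cwallet.sso" ]; then
        echo "$dir: cwallet.sso missing; enable auto login on the wallet" >&2
        return 1
    fi
    # Columns 8-10 of ls -l are the "other" permission bits (rwx for everyone).
    perm=$(ls -l "$dir/cwallet.sso" | cut -c8-10)
    if [ "$perm" != "---" ]; then
        echo "$dir: cwallet.sso is world-readable (other bits: $perm)" >&2
        return 1
    fi
    return 0
}

# limitexcept_allows_options HTTPD_CONF -> returns 0 if every <LimitExcept>
# directive in the file names OPTIONS; 1 if any omits it or none is present
limitexcept_allows_options() {
    grep -i '<LimitExcept' "$1" >/dev/null || return 1
    if grep -i '<LimitExcept' "$1" | grep -iv 'OPTIONS' >/dev/null; then
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh <wallet-dir> <path-to-httpd.conf>
if [ $# -eq 2 ]; then
    check_wallet_dir "$1" && limitexcept_allows_options "$2" &&
        echo "pre-flight OK: safe to set WalletDir to $1 with beectl modify_property"
fi
```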