O Managing Oracle Directory Services Manager's Java Key Store

ODSM stores its private key, certificate and trusted certificates in a Java Key Store (JKS). As administrator, you are responsible for managing ODSM's JKS. One important task you must perform is to remove ODSM's certificates from the JKS when they have expired. This appendix explains how.

This appendix contains the following topics:

• Introduction to Managing ODSM's Java Key Store

• Retrieving ODSM's Java Key Store Password

• Listing the Contents of odsm.cer Java Key Store

• Deleting Expired Certificates

O.1 Introduction to Managing ODSM's Java Key Store

The first time ODSM is invoked, it generates a random password and assigns the password to its JKS. The JKS file has the name odsm.cer. The file resides in a directory with a name of the form:

DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf

ODSM stores the password to its JDK in Credential Store Framework (CSF), a secure storage framework provided by Oracle. The WebLogic server administrator can retrieve the JDK password stored in CSF.

ODSM also generates a self-signed certificate for itself and stores it in its JKS. This self-signed certificate is valid for 15000 days from the date of generation. This self-signed certificate is intended for testing purposes only. Oracle recommends replacing this self-signed certificate with a certificate signed by a Certificate Authority (CA) for production purposes.

There is no web-based tool for managing a JKS. To manage ODSM's JKS, you use keytool, a command-line tool shipped with the Sun JRE/JDK. To get the JKS password from CSF, you use the wlst listCred command.

See Also:

• The chapter on configuring the credential store in Oracle Fusion Middleware Application Security Guide for more information about CSF.

• JavaTM Cryptography Architecture API Specification & Reference, at http://java.sun.com

• keytool - Key and Certificate Management Tool, at http://java.sun.com

O.2 Retrieving ODSM's Java Key Store Password

To manage ODSM's JKS, you must first retrieve ODSM's JKS password from CFS. The WebLogic administrator can retrieve it using the wlst command, as follows:

$ORACLE_HOME/common/bin/wlst.sh 
Initializing WebLogic Scripting Tool (WLST) ... 

Welcome to WebLogic Server Administration Scripting Shell 

Type help() for help on available commands 

wls:/offline> connect() 
Please enter your username [weblogic] :weblogic 
@ Please enter your password [weblogic] : 
Please enter your server URL [t3://localhost:7001] :t3://stadd54:7001 
Connecting to t3://stadd54:7001 with userid weblogic ... 
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'. 

Warning: An insecure protocol was used to connect to the 
server. To ensure on-the-wire security, the SSL port or 
Admin port should be used instead. 

wls:/base_domain/serverConfig> listCred( map="ODSMMap", key="ODSMKey.Wallet" ) 
{map=ODSMMap, key=ODSMKey.Wallet} 
Location changed to domainRuntime tree. This is a read-only tree with 
DomainMBean as the root. 
For more help, use help(domainRuntime) 

[Name : ODSM, Description : null, expiry Date : null] @ PASSWORD:_AQ-\<x<92 

See Also:

"Managing the Credential Store" in Oracle Fusion Middleware Application Security Guide for more information about managing credentials with wlst commands.

O.3 Listing the Contents of odsm.cer Java Key Store

After you retrieve the JKS password, you can manage the JKS by using keytool.

To list the contents of odsm.cer, use the keytool command, as follows:

cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer \
   -storepass password_obtained_from_CSF 

For example:

$ cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
         MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
         SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
         Signature algorithm name: SHA1withRSA         Version: 3


*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
         MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
         SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
         Signature algorithm name: MD5withRSA
         Version: 1


*******************************************
*******************************************

O.4 Deleting Expired Certificates

There is no automatic mechanism for removing certificates from the JDK when they expire. As administrator, you must determine when a certificate has expired and remove it.

This section contains the following topics:

• "Determining the Expiration Date of a Certificate"

• "Deleting a Certificate"

O.4.1 Determining the Expiration Date of a Certificate

As explained in "Listing the Contents of odsm.cer Java Key Store", you list all certificates in odsm.cer by using keytool. The listing contains the valid dates for each certificate. For example, the following certificate is valid until Sat Oct 31 09:41:23 PDT 2008:

Alias name: cn=ovd, ou=development, o=MyCompany, l=redwood shores, 
st=california, c=us (1241455283) 
Creation date: May 5, 2008 
Entry type: trustedCertEntry
 
Owner: CN=OVD, OU=Development, O=MyCompany, L=Redwood Shores, ST=California, C=US 
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US 
Serial number: 49ff1ab3 
Valid from: Mon May 04 09:41:23 PDT 2008 until: Sat Oct 31 09:41:23 PDT 2008 
Certificate fingerprints: 
MD5: 93:0E:41:5E:95:88:71:BD:8A:49:ED:A9:29:3B:0A:1E 
SHA1: 84:C6:75:60:D9:BE:7B:CA:D6:8B:B5:4B:97:E4:20:39:44:82:FE:93 
Signature algorithm name: SHA1withRSA 
Version: 3 

If certificate's validity period has expired, delete it using keytool as explained in the next section.

O.4.2 Deleting a Certificate

To delete a certificate in odsm.cer, use keytool, as follows:

cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer 
-storepass password_obtained_from_CSF -alias "cn=rootca, o=oracle, c=us (0)"

For example

$> JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
   -storepass  "&M)S86)/RB"  -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]