Oracle® Beehive Installation Guide
Release 2 (2.0.1.8) for Microsoft Windows x86

Part Number E16642-07

21 Configuring SSL

This chapter describes various ways to configure Oracle Beehive with SSL. It covers the following topics:

Note:

Refer to "Configuring Oracle Beekeeper for SSL Access" to configure SSL for Oracle Beekeeper.

If you do not want to use SSL with your Oracle Beehive deployment, follow the steps described in "Installing Non-SSL Oracle Beehive Site".

If your load balancer supports SSL termination or offloading, you may offload SSL processing to it so that your Oracle Beehive instances do not have to decrypt SSL-encrypted data, thereby reducing the load on your Oracle Beehive instances. Refer to "Configuring SSL Termination at Load Balancer" in "Installing Oracle Beehive in High Availability Environment" for more information.

SSL Checklist

After following the steps described in this module, ensure the following for all your application tiers:

  • A properly configured Oracle wallet resides in <Oracle home>\Apache\Apache\conf\ssl.wlt\default for each application tier.

  • For each Oracle Beehive instance, the property WalletDir is set to the properly configured Oracle wallet. In addition, the property WalletDir refers to the same location on each application tier.

  • Each Oracle Beehive instance's wallet contains a valid certificate.

  • The file <Oracle home of DMZ instance>\beehive\conf\bti.properties is configured properly for each Oracle Beehive DMZ instance.

  • The file <Oracle home>\opmn\conf\opmn.xml is configured properly for each application tier.

Configuring SSL with Oracle Beehive

This section covers the following procedures:

Configuring SSL with Test Certificates for Oracle Beehive

The following steps describe how to configure SSL with test certificates during or after the installation of one or more Oracle Beehive instances:

  1. Install your first Oracle Beehive instance, if you have not already done so.

  2. By default, an Oracle wallet with test certificates for OPMN is created in Oracle Beehive. This Oracle wallet is located in the following location:

    <Oracle Beehive home>\opmn\conf\ssl.wlt\default.

    Copy the contents of <Oracle Beehive home>\opmn\conf\ssl.wlt\default to the <Database home>\opmn\conf\ssl.wlt\default directory. This will overwrite the Oracle wallet files in this directory.

    If you are using Oracle RAC, copy the contents of <Oracle Beehive home>\opmn\conf\ssl.wlt\default to the <Database home>\opmn\conf\ssl.wlt\default directory on each Oracle RAC node.

  3. Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  4. Perform the post-install steps for configuring Oracle RAC except step 7 (Register for ONS Notification). Refer to "Post-Install Steps" in "Configuring and Installing Oracle Beehive for Oracle RAC".

  5. Configure the virtual server of your Oracle Beehive instance with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

  6. If you have more than one Oracle Beehive instance, configure TLS on all your other Oracle Beehive instances. Refer to "Configuring TLS on Multiple Instances" in "Configuring TLS with Oracle Wallet".

  7. Enable ORMIS on all your Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  8. Enable AJPS on all your Oracle Beehive instances. Refer to "Enabling AJPS".

Note:

After configuring SSL with test (self-signed) certificates for an Oracle Beehive environment with multiple instances, you may receive an alert message similar to the following:

You have received an invalid certificate.... Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

In this scenario, create a self-signed certificate for each Oracle Beehive instance with a unique serial number. If you are using OpenSSL to create self-signed certificates, use the -set_serial option:

openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem
  -CAcreateserial -set_serial 01 -days 365 > server.crt

For more information about creating self-signed certificates with OpenSSL (and then importing them into Oracle Wallet), refer to "Creating Self-Signed Certificate and Importing it into Wallet".
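As an added example (not from this guide), the following shell script issues one certificate per Oracle Beehive instance from a private test CA created with OpenSSL, passes a distinct -set_serial value to each, and then checks that no two certificates share a serial number. The host names, file names and working directory are constructed for the example, and it assumes openssl is in the PATH.

```shell
#!/bin/sh
# Added example, not from the Oracle Beehive guide: issue per-instance test
# certificates with unique serial numbers and verify that none collide.
# Assumes: openssl in PATH. WORK, the host names and file names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create the private test CA (the guide's "openssl req -new -x509 ..." made
# non-interactive: -subj supplies the DN, -nodes leaves the key unencrypted).
make_test_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=Beehive Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.crt" >/dev/null 2>&1
}

# Create a request for one instance (CN = its host name) and sign it with the
# serial the caller chooses; -set_serial is what keeps the serials distinct.
issue_instance_cert() {
  host="$1"; serial="$2"
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$host.csr" \
    -CA "$WORK/cacert.crt" -CAkey "$WORK/cakey.pem" \
    -set_serial "$serial" -days 365 -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Print a certificate's serial number as openssl reports it (hex, e.g. "01").
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Return 0 when every certificate given has a different serial, 1 if any two
# share one (the condition behind the "same serial number" alert).
serials_unique() {
  for f in "$@"; do cert_serial "$f"; done | sort | uniq -d | grep -q . && return 1
  return 0
}

# Walk the whole flow for the given instance host names, numbering serials
# from 1; returns 0 when all issued certificates carry different serials.
demo() {
  make_test_ca
  n=1; files=""
  for host in "$@"; do
    issue_instance_cert "$host" "$n"
    files="$files $WORK/$host.crt"
    n=$((n + 1))
  done
  serials_unique $files
}
```

Run `demo bh-app1.example.com bh-app2.example.com` to issue two certificates and confirm their serials differ; the same serials_unique check can be pointed at the certificates already installed in each instance's wallet after exporting them.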

Configuring SSL with Self-Signed Certificates During Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates during the installation of one or more Oracle Beehive instances:

  1. Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  2. For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

  3. Install your first Oracle Beehive instance.

  4. Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  5. Remove the test certificates using Oracle Wallet Manager from the wallets in Oracle Beehive. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default and <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

  6. For the wallet located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for the Oracle Beehive server using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in the following location:

    <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

  7. Perform the post-install steps for configuring Oracle RAC except Step 7 (Register for ONS Notification).

  8. Configure the virtual server of each Oracle Beehive instances with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

  9. Install an additional Oracle Beehive instance (software only install). In the following steps, this instance will be referred to as the second instance.

  10. Replace the orapki and Oracle Wallet Manager (owm.exe) binaries of the second instance with those from the first instance. Create new wallets located in <Oracle Beehive new instance home>\opmn\conf\ssl.wlt\default and <Oracle Beehive new instance home>\Apache\Apache\conf\ssl.wlt\default. Refer to "Configuring TLS with Oracle Wallet".

  11. Remove test certificates using Oracle Wallet Manager from the wallets in <Oracle Beehive new instance home>\opmn\conf\ssl.wlt\default and <Oracle Beehive new instance home>\Apache\Apache\conf\ssl.wlt\default, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  12. Repeat Step 8 for the second instance.

  13. Run the Config Wizard for the second instance and complete the configuration.

  14. Configure TLS on all Oracle Beehive instances.

  15. If you want to install another Oracle Beehive instance, repeat Steps 11 to 15.

  16. Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  17. Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".

Configuring SSL with Self-Signed Certificates After Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive instances:

  1. Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

  2. For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

  3. Choose one of your Oracle Beehive instances on which to perform Steps 4 to 7 (you will repeat these steps on your other instances later). Configure TLS on the Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

  4. Remove the test certificates from the wallets of the Oracle Beehive instance. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default and <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

  5. For the wallet located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for Oracle Beehive using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in the following location:

    <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

  6. If you have multiple Oracle Beehive instances, repeat Steps 4 to 7 for each of your instances.

  7. Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  8. Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".

Configuring SSL with Oracle Beehive DMZ Instances

This section covers the following procedures:

Configuring SSL with Test Certificates After Installation of DMZ Instances

The following steps describe how to configure SSL with test certificates for one or more Oracle Beehive DMZ instances:

  1. Install your DMZ instance.

  2. Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>\opmn\conf\opmn.xml so that it refers to the new Oracle Wallet.

  3. Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  4. Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

Configuring SSL with Self-Signed Certificates After Installation of DMZ Instances

The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive DMZ instances:

  1. Install your DMZ instance.

  2. Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>\opmn\conf\opmn.xml so that it refers to the new Oracle Wallet.

  3. For the wallet located in <Oracle Beehive DMZ home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for the Oracle Beehive DMZ instance using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. For more information, refer to "Creating Self-Signed Certificate and Importing it into Wallet".

    Repeat this step for the wallet located in <Oracle Beehive DMZ home>\Apache\Apache\conf\ssl.wlt\default.

  4. Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  5. Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".

Procedures Related to Configuring SSL

This section covers the following procedures related to configuring SSL:

Creating Self-Signed Certificate and Importing it into Wallet

The following steps create a self-signed server certificate and import it into an Oracle Wallet. You may also create a certificate signed by a certificate authority (CA) and import that into an Oracle Wallet. Refer to "Creating CA-Signed Certificate and Importing it into Wallet" for more information.

You will be performing these steps for the wallet you created in the following procedures:

  1. Create your own certificate authority. This step uses OpenSSL. For more information about OpenSSL, refer to http://www.openssl.org/.

    openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 365
    

    This command generates two files named cakey.pem and cacert.crt.

  2. Create and export a certificate request with Oracle Wallet Manager:

    1. Run Oracle Wallet manager, <Oracle Beehive home>\bin\owm. (Use <Database home>\bin\owm instead if you have not installed any Oracle Beehive instances.)

    2. Open the wallet (to which you want to add the certificate).

    3. Create a certificate request. Click the Operations tab. Click Add Certificate Request. Fill out the form. The Common Name should be the name of the server for which you are creating the certificate (such as the name of the Oracle RAC node). Click OK.

    4. Save the wallet.

    5. Click the Operation tab. Click Export Certificate Request. Enter the path and file name of the certificate request. These steps assume that the name of this file is certreq.csr. (Keep Oracle Wallet Manager open; you will use it in Step 4.)

  3. From a command prompt, generate a server certificate with the following command:

    openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem
      -CAcreateserial -days 365 > server.crt
    

    This command generates two files, cacert.srl and server.crt (which is the server certificate).

  4. In Oracle Wallet Manager, click the Operations tab. Click Import Trusted Certificate. Select the file cacert.crt. Click OK.

  5. Click Import User Certificate. Select the file server.crt. Click OK.

  6. Repeat Steps 2 to 5 (except Step 1; you can use the same cakey.pem and cacert.crt files for other servers) for each server for which you want to create a certificate. (In particular, you would repeat these steps for each Oracle RAC node.)

Using Oracle Wallet to Create Self-Signed Certificate

Alternatively, you may use Oracle Wallet to create a self-signed certificate.

Add a self-signed certificate to the wallet with the following command:

orapki wallet add
  -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
  -dn CN=user
  -keysize 2048
  -self_signed
  -validity 365

CN=user is the distinguished name of an arbitrary user who will be the certificate owner.

Creating CA-Signed Certificate and Importing it into Wallet

Alternatively, you may create a certificate signed by a certificate authority (CA), and import that into the Oracle Beehive wallet:

  1. Add a certificate request to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -dn CN=user
      -keysize 2048
      -validity 365
    

    The directory <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ is the Oracle Beehive default wallet directory. CN=user is the distinguished name of an arbitrary user who will be the certificate owner.

  2. Export the certificate request to a file:

    orapki wallet export
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -dn CN=user
      -request certificate_request.txt
    

    The file certificate_request.txt is the exported certificate request.

  3. With your certificate authority (CA) and your certificate request (certificate_request.txt), create a signed user certificate. In addition, export the trusted certificate from your CA. These steps use the file user_certificate.txt as the signed user certificate and the file trusted_certificate.txt as the trusted certificate exported from your CA.

    You may use Oracle Wallet as a CA for testing purposes by following these steps.

    1. Create an auto-login wallet to act as a certificate authority. These steps assume that this wallet is stored in /private/ca_wallet. Create a signed certificate from the request for test purposes:

      orapki cert create
        -wallet /private/ca_wallet
        -request certificate_request.txt
        -cert user_certificate.txt
        -validity 365
      

      The file user_certificate.txt is the signed user certificate.

    2. Export the trusted certificate from the CA wallet:

      orapki wallet export
        -wallet /private/ca_wallet
        -dn CN=ca_user
        -cert trusted_certificate.txt
      

      The file trusted_certificate.txt is the exported (test) trusted certificate from the CA wallet.

  4. Add the trusted certificate from the CA to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -trusted_cert
      -cert trusted_certificate.txt
    
  5. Add the user certificate to the Oracle Beehive wallet:

    orapki wallet add
      -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/
      -user_cert -cert user_certificate.txt
    

Installing Non-SSL Oracle Beehive Site

The following steps describe how to install a non-SSL Oracle Beehive site in which none of its tiers communicate using SSL:

Note:

Because Oracle Beehive DMZ instances have SSL enabled by default, the following steps will not work for DMZ instances unless you configure them to receive non-SSL notifications as described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".

  1. Install your first Oracle Beehive application tier. Note that this application tier, by default, will have SSL disabled for Oracle Notification Service (ONS), which is used by OPMN of this application tier to communicate with other OPMNs in the site. In the next step, you will disable SSL (if necessary).

  2. Ensure that the value of NotificationServerSslEnabled in the _current_site:OpmnCluster component in the first Oracle Beehive application tier is false:

    beectl list_properties
      --component _current_site:OpmnCluster
      --name NotificationServerSslEnabled
    

    If NotificationServerSslEnabled is true, then set it to false:

    beectl modify_property
      --component _current_site:OpmnCluster
      --name NotificationServerSslEnabled
      --value false
      --activate_configuration
    
  3. In the first Oracle Beehive application tier, set the value of HttpServerSslEnabled in the _current_site:HttpServerCluster component to false, then run beectl modify_local_configuration_files:

    beectl modify_property
      --component _current_site:HttpServerCluster
      --name HttpServerSslEnabled
      --value false
      --activate_configuration
    
    beectl modify_local_configuration_files
    
  4. Install any additional Oracle Beehive application tiers. You do not need to perform any additional steps for these application tiers.

Installing Oracle Internet Directory in SSL mode

Oracle Identity Management Infrastructure and Oracle Identity Federation are supported on the following Operating System versions:

  • Red Hat Enterprise Linux AS Release 4

  • Red Hat 2.1

  • Red Hat 3

  • SuSE 9

  • UnitedLinux 1.0

The following steps describe how to install Oracle Internet Directory in a Secure Sockets Layer (SSL):

  1. Download Oracle Identity Management Infrastructure and Oracle Identity Federation from the following URL:

    http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

    • Download x86 version from Linux column (Both Disk1 and Disk2) to an empty directory. (Prefer a subdirectory of /scratch/$USER/)

    • To verify the integrity of the downloaded file, after the file has been transferred to a Unix host, run cksum and compare with the cksum information listed on the download page.

    • Go to the directory and extract the contents by using the following command.

      cpio -idvm < <Disk1 cpio_file>
      cpio -idvm < <Disk2 cpio file>
      
  2. If an old installation exists, reboot the system and remove the directory containing the previous OID installation.

  3. Start the installation of OID using Disk1/runInstaller. Execute orainstRoot.sh present in oraInventory directory to start the installation.

    Click Next wherever no input is asked.

    • On the Specify File Locations screen, change the Destination Path to your Oracle Home.

    • On the Select a Product to Install screen, select Oracle Application Server Infrastructure 10g and click Next.

    • On the Select Installation Type screen, select Identity Management and Metadata Repository.

    • On the Product-specific Prerequisite Checks screen, let the check complete. It may show one warning. Select the checkbox Checking security kernel parameters and click Next.

    • On the Confirm Pre-Installation Requirement screen, select the checkbox Root Privileges and click Next.

    • On the Select Configuration Options screen, select the checkbox Oracle Application Server Certificate Authority (OCA) and click Next.

    • On the Specify Port Configuration Options screen, select Automatic and click Next.

    • On the Specify Namespace in Internet Directory screen, leave the Suggested Namespace selected and click Next.

    • On the Specify OCA Distinguished Name screen, enter "test" in all three textboxes under Typical DN, leave it selected and click Next.

    • On the Specify OCA Key Length screen, select the needed Key Length and click Next. Prefer '1024' unless otherwise needed.

    • On the Specify OCA Administrator's Password screen, specify the password as "Welcome1" and click Next.

    • On the Specify Database Configuration Options screen, ensure that the database file location is a subdirectory of $ORACLE_HOME and click Next. (You may want to note down the details on this page.)

      Note:

      If the specified SID already exists choose a name of your choice.

    • On the Specify Database Schema Passwords screen, select Use the same password for all the accounts, specify the password as "Welcome1" and click Next.

    • On the Specify Instance Name and ias_admin Password screen, specify a suitable instance name, specify the password as "Welcome1", confirm it and click Next.

  4. The Confirmation screen displays the summary of what you have selected, check the details and click install.

  5. When the installation starts, if your disk 2 is not in the same directory, the system will prompt you for the location of the disk 2 directory, specify the path and proceed further.

  6. In between the installation, the system will ask you to run a script as a root user, run the script and click OK on the pop-up message.

  7. Save the configuration details in a file for reference.

To test the installation:

  • Run the following script to check whether ldapbind works:

    $ORACLE_HOME/bin/ldapbind -D cn=orcladmin -w Welcome1 -U 1 -h <OID_hostname> -p <port>
    
  • "-U 1" is for non-SSL mode

  • See Appendix to find out the port

Configuring the OID in SSL mode

  1. Create an Auto Login Wallet with self signed user certificate by running the following commands:

    setenv ORACLE_HOME /scratch/$USER/OraHome_1
    cd $ORACLE_HOME/bin
    orapki wallet create -wallet /home/$USER/ORACLE/WALLET -auto_login -pwd Welcome1
    orapki wallet add -wallet /home/$USER/ORACLE/WALLET -keysize 1024 -dn "cn=<OID_hostname>" -self_signed -validity 365
    
  2. Add a new configuration set:

    1. In the navigator pane, select Oracle Internet Directory Servers, then Directory Server instance, and then select Server Management.

    2. Select Directory Server. The numbered configuration sets are listed beneath your selection. Right-click Configuration Set 1 and select Create Like. In the new configuration set window, enter a non-SSL port that is not already in use.

    3. Select the SSL Settings tab, modify the fields as described below:

      SSL Authentication: SSL Server Authentication

      SSL Enable: Both SSL and Non-SSL

      SSL Wallet URL: file://home/<username>/ORACLE/WALLET

      SSL Port: 1636 (Any unused port)

    4. Click Ok.

      You can review the settings by clicking the newly created configuration set node.

    5. Exit the Oracle Directory Manager.

  3. Start a new instance by running the following command:

    $ORACLE_HOME/bin/oidctl connect=orcl server=oidldapd instance=2 configset=2 start
    
  4. Test if the SSL is working by running the following command:

    $ORACLE_HOME/bin/ldapbind -p 1636 -U 2 -W file:/home/$USER/ORACLE/WALLET -P Welcome1 -h <hostname>
    

    Note:

    If the wallet does not contain a user certificate, or the certificate does not match, ldapbind fails with an error similar to the following:
    $ldapbind -p 1636 -U 2 -W file:/home/$USER/ORACLE/WALLET -P welcome1
    Unknown Error Encountered
    

    If you make any changes in the configuration set, you must restart the instance that is running the configuration set for the changes to take effect by running the following commands:

    oidctl connect=orcl server=oidldapd instance=nn configset=<config no.> stop
    oidctl connect=orcl server=oidldapd instance=nn configset=<config no.> start
    

Appendix

  1. Shell variables that need to be set:

    • $ORACLE_HOME=/scratch/$USER/OraHome_1

    • $ORACLE_SID=orcl

  2. Find out the ports on which the OID is listening:

    1. Run the following command:

      ps -ef | grep oidldapd
      
    2. Look for options -port and -sport.

  3. Start the OID manager:

    1. Run the following command to start the OID manager:

      $ORACLE_HOME/bin/oidadmin
      
    2. Enter the following details:

    • User: orcladmin

    • Password: Welcome1

    • Add a new server with hostname and port by clicking the icon against Server.

      Note:

      Port number can be found out by running the following command:
      ps -ef | grep oidldapd
      
    • Click Login.

  4. To restart OID after rebooting the system:

    1. Place the following content in a file /scratch/$USER/.ENV

      setenv ORACLE_HOME /scratch/$USER/OraHome_1
      setenv ORACLE_SID orcl
      setenv PATH ${PATH}:${ORACLE_HOME}/bin
      
    2. Use the following command to start the database:

      source /scratch/$USER/.ENV
      sqlplus "sys/Welcome1 as sysdba" <<EOF
      startup
      EOF
      lsnrctl start
      
    3. Use the following command to start all instances of OID:

      oidmon connect=orcl start
      
    4. Use the following command to start only one of the OID instances:

      oidctl connect=orcl server=oidldapd instance=nn configset=cf start
      

Configuring Beehive to connect to OID in non-SSL and SSL modes

Before you begin to configure Beehive to connect to OID, ensure the following:

  • For non-SSL mode:

    • OID is installed in the $ORACLE_HOME folder.

    • ldapbind is working correctly; to check, the following command should give output as "Bind Successful".

      $ORACLE_HOME/bin/ldapbind -D cn=orcladmin -w Welcome1 -U 1 -h <OID_hostname> -p <port>
      
    • $MWH is Beehive installation Directory.

  • For SSL mode:

    • Include $ORACLE_HOME/bin in $PATH environment variable.

    • OID is listening only on SSL-port in SSL-only mode.

    • /home/$USER/ORACLE/WALLET contains self signed certificate of OID with cn = hostname of OID, and the same certificate in the trusted certificate list.

    • ldapbind is working correctly; to check, following command should give output as "Bind Successful"

      ldapbind -p <SSL-port> -U 2 -W file:/home/$USER/ORACLE/WALLET -P Welcome1
      
    • $MWH is Beehive installation Directory.

    • Keytool utility is available, if not, include the bin directory of jdk6 or later in the $PATH environment variable.

    • OID entries and profile entries match. See Initial configuration in non-SSL mode.
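As an added example (not from this guide), the following shell script performs the two wallet checks from the SSL-mode list above with OpenSSL, so that they can be run on any host: it confirms that the certificate OID presents carries the OID host name as its CN, and that the certificate is present in the trusted-certificate list Beehive will consult. A PEM bundle stands in for the wallet's trusted list; the host names, file names and working directory are constructed, and the script assumes openssl is in the PATH.

```shell
#!/bin/sh
# Added example, not from the Oracle Beehive guide: pre-flight checks on the
# OID certificate before configuring Beehive for SSL mode.
# Assumes: openssl in PATH. WORK, host names and file names are constructed; a
# PEM bundle stands in for the wallet's trusted-certificate list.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed certificate with CN = the OID host name, the openssl
# counterpart of the guide's "orapki wallet add ... -dn cn=<OID_hostname> -self_signed".
make_self_signed() {
  host="$1"; out="$2"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$out" >/dev/null 2>&1
}

# Print the CN from a certificate's subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the certificate's CN equals the OID host name that ldapbind and
# Beehive connect to; a mismatch is one cause of the "Unknown Error Encountered"
# ldapbind failure noted earlier in this chapter.
cn_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Return 0 when the certificate verifies against the trusted list. For a
# self-signed certificate that means the same certificate is in the list.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Both checklist conditions at once.
# Usage: oid_wallet_preflight <cert.pem> <OID_hostname> <trusted.pem>
oid_wallet_preflight() {
  cn_matches_host "$1" "$2" && trusted_by "$1" "$3"
}
```

Export the OID user certificate and the wallet's trusted certificates to PEM files (with Oracle Wallet Manager or orapki wallet export) and run oid_wallet_preflight on them before attempting the ldapbind -U 2 test; a non-zero exit tells you which of the two conditions the wallet fails.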

To configure Beehive to connect to OID (in non-SSL mode):

  1. Set the initial configuration. Refer the Appendix section to start oiddas. Skip this step if already done.

    If group Extps exists in your ldap_profile xml, add the group to OID using oiddas.

  2. Make the following necessary changes in ldap_profile xml file; skip the step if already done.

    • Change the host name, port number, and SSL-port to match the OID installation. Refer the Appendix section to find out the port numbers.

    • Add a tag <user_objectclass>person</user_objectclass> in the xml file inside <ldap_server> tag after <group_search_base> tag. If the tag exists, skip the step.

    • Comment out the entry <directory_attribute_map_entry> which has the tag <source_object>EXTENDED_ENTERPRISE_USER</source_object>.

    • Run the following command:

      beectl> list_organizations --scope enpr=OracleOrganization
      name: <orgn_name>
      

      In the xml file, search for "orgn=" and modify the Organization name by the name listed in the above command.

    • Run the following commands:

      $ cd $MWH/instance_Oracle_BH1/beehive/bin
      $ ./beectl
      beectl> obfuscate --expiration_time_in_minutes 0
      

      Enter the value of password as Welcome1. Use the string generated to replace the value of the <ldap_user_password> tag in the xml file.

  3. Make the Beehive installation (both 32-bit and 64-bit) to use the OID 32-bit for authentication:

    beectl> add_directory_profile --file <PATH_TO_PROFILE>/oidprofile.xml
    beectl> modify_property --component _AuthenticationService --name AuthStoreType --value ldap
    beectl> activate_configuration
    beectl> modify_local_configuration_files
    beectl> validate_directory_entry --all_users --profile ldap_profile
    beectl> validate_directory_entry --all_users --profile ldap_profile --commit
    beectl> modify_local_configuration_files
    
  4. To test the configuration:

    • Add a user in OID using oiddas, refer the Appendix section.

      For example, user ID "abcd", password: "Welcome1".

    • Try to login from the command line by using the following command:

      beectl> login --authuser junk --authpassword Welcome1
      
    • Try to login from a browser application such as /zimbra or /bconf

      1. Browse for http://hostname:7777/zimbra

      2. On the login page provide username: "abcd" and password "Welcome1"

      3. Click Login.

To configure Beehive to connect to OID (in SSL mode):

  1. Save the trusted certificate of OID to a keystore.

    1. Using Oracle Wallet Manager, open /home/$USER/ORACLE/WALLET and export trusted certificate with cn=<OID_hostname> to file /some_directory/<OID_hostname>cert.

    2. Copy the exported certificate and the cwallet.sso file to the home directory of the user under which Beehive is installed; cwallet.sso is required to synchronize Beehive with OID.

    3. Start Oracle Wallet Manager (OWM) by executing ./owm; OWM is located in $ORACLE_HOME/bin.

    4. Use the following command to add the exported certificate to a keystore:

      keytool -importcert -trustcacerts -file <path to the exported certificate copied onto the Beehive host> -keystore ~/<OID_hostname>.jks
      
    5. Enter Welcome1 as the keystore password.

  2. Perform steps 1 and 2 of the non-SSL procedure if you have not already done so.

  3. Add Oracle Wallet to Beehive by running the following command:

    beectl> list_components --type BeehiveInstance
    beectl> modify_property --component beehive_instance_beehive.adc2171171.us.oracle.com --name WalletDir --value <Wallet Directory>
    beectl> modify_secure_property --component beehive_instance_beehive.adc2171171.us.oracle.com --name WalletPassword --value <wallet-password> --activate_configuration
    
  4. Add Keystore to the Beehive instance:

    beectl> modify_property --component beehive_instance_beehive.adc2110271.us.oracle.com --name KeystoreFile --value /home/rnataraj/<OID_hostname>.jks
    beectl> modify_secure_property --component beehive_instance_beehive.adc2110271.us.oracle.com --name KeystoreFilePassword --value <key store password> --activate_configuration
    beectl> modify_local_configuration_files
    
  5. Configure the Beehive installation (both 32-bit and 64-bit) to use the 32-bit OID for authentication.

    Change the non-SSL port in the profile to an unused port; if validate_directory_entry fails, run modify_local_configuration_files.

    beectl> add_directory_profile --file PATH_TO_PROFILE/oidprofile.xml
    beectl> modify_property --component _CURRENT_SITE:LdapServer --name SslEnabled --value true
    beectl> modify_property --component _AuthenticationService --name AuthStoreType --value ldap
    beectl> activate_configuration
    beectl> modify_local_configuration_files
    beectl> validate_directory_entry --all_users --profile ldap_profile
    beectl> validate_directory_entry --all_users --profile ldap_profile --commit
    beectl> modify_local_configuration_files
    
  6. If the profile was already added to Beehive in non-SSL mode, perform the following steps:

    1. To ensure that Beehive connects to OID only in SSL mode, change the non-SSL port of the LDAP server to an unused port using the following command:

      beectl> modify_property --component _CURRENT_SITE:LdapServer --name LdapServerPort --value <unused port>
      
    2. Make sure the SSL port matches the port on which the OID instance is listening for SSL:

      beectl> modify_property --component _CURRENT_SITE:LdapServer --name LdapServerSslPort --value <SSL port>
      
    3. Enable the SSL mode by running the following command:

      beectl> modify_property --component _CURRENT_SITE:LdapServer --name SslEnabled --value true --activate_configuration
      
  7. Run the following commands:

    beectl> validate_directory_entry --all_users --profile ldap_profile
    beectl> validate_directory_entry --all_users --profile ldap_profile --commit
    beectl> modify_local_configuration_files
    
  8. Log in to /zimbra with an OID user:

    http://beehive_hostname:7777/zimbra
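As an added verification step (example code, not part of Oracle's documentation or product), the following Python helpers check the outcome of steps 5 and 6: the non-SSL LdapServerPort should refuse connections, and the LdapServerSslPort should complete a TLS handshake that is trusted only through the exported OID certificate. It assumes the certificate exported in step 1 is also available as a PEM file (for instance via keytool -exportcert -rfc) and that host and port values are supplied by the operator.

```python
"""Added example, not Oracle's code: probe the LDAP endpoints Beehive uses
after steps 5 and 6. ca_pem is assumed to hold the OID certificate exported
in step 1 in PEM form; host and ports come from the LdapServer properties."""
import socket
import ssl


def probe_cleartext(host, port, timeout=3.0):
    """Return 'refused', 'open' or 'unreachable' for the non-SSL port.
    After LdapServerPort is moved to an unused port, expect 'refused'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # something still answers in cleartext
    except ConnectionRefusedError:
        return "refused"
    except OSError:                  # timeout, no route, etc.
        return "unreachable"


def probe_ldaps(host, port, ca_pem, timeout=3.0):
    """Handshake on LdapServerSslPort trusting only ca_pem; the default
    context also checks that the certificate name matches host."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return {"ok": True, "subject": subject,
                        "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": "certificate not trusted: %s" % exc}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


def find_unused_port(host="127.0.0.1"):
    """Pick a port nothing listens on, for the LdapServerPort change in
    step 6 (bind to port 0 and let the kernel choose)."""
    with socket.socket() as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def verify(host, cleartext_port, ssl_port, ca_pem):
    """Combined result: ssl_only is True only when the cleartext port is
    closed and the LDAPS handshake succeeds with the trusted certificate."""
    clear = probe_cleartext(host, cleartext_port)
    tls = probe_ldaps(host, ssl_port, ca_pem)
    return {"cleartext": clear, "ldaps": tls,
            "ssl_only": clear == "refused" and tls["ok"]}
```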

Appendix

  1. Shell variables that need to be set:

    • $ORACLE_HOME=/scratch/$USER/OraHome_1

    • $ORACLE_SID=orcl

  2. Add a user to OID:

    1. Make sure OID is running on the default configuration set. If not, run the following command:

      $ORACLE_HOME/bin/oidctl connect=orcl server=oidldapd instance=1 configset=0 start
      
    2. Run $ORACLE_HOME/opmn/bin/opmnctl status to ensure that at least OC4J_SECURITY and HTTP_Server are running. If not, start them using the following commands:

      $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
      $ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
      
    3. Browse to the following link:

      http://hostname:7777/oiddas/

    4. Select Directory from the tabs, or click the Directory link on the right side of the page.

    5. On the Login page, log in using orcladmin/Welcome1.

    6. Click Create and fill in the mandatory details to add the user.

    7. Click Submit to create the user.

  3. Add a group to OID:

    1. After logging in to oiddas, click Groups in the horizontal panel.

    2. Click Create and enter the mandatory details to add the group.

    3. Click Submit to create the group.

  4. To find out on which port the OID is listening, run the following command:

    ps -ef | grep oidldapd
    

    Look for the number that follows port (the non-SSL port) and the number that follows sport (the SSL port).

  5. Start the OID manager:

    1. Run the following command to start the OID manager:

      $ORACLE_HOME/bin/oidadmin
      
    2. Fill in the following details:

      User: orcladmin
      Password: Welcome1

      Add a new server with a hostname and port by clicking the icon next to Server.

      Note:

      The port can be found by running the following command:
      ps -ef | grep oidldapd
      
    3. Click Login.

  6. To restart OID after rebooting the system:

    1. Place the following content in the file /scratch/$USER/.ENV:

      setenv ORACLE_HOME /scratch/$USER/OraHome_1
      setenv ORACLE_SID orcl
      setenv PATH ${PATH}:${ORACLE_HOME}/bin
      
    2. Use the following commands to start the database and its listener:

      source /scratch/$USER/.ENV
      sqlplus "sys/Welcome1 as sysdba" <<EOF
      startup
      EOF
      lsnrctl start
      
    3. Use the following command to start all instances of OID:

      oidmon connect=orcl start
      
    4. Use the following command to start any one of the instances of OID:

      oidctl connect=orcl server=oidldapd instance=nn configset=cf start