Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) E10029-02
Oracle Directory Services Manager is integrated with the Credential Store Framework (CSF), a secure storage framework provided by Oracle. This appendix explains how to manage ODSM's credentials.
ODSM creates a Java Key Store (JKS) file and assigns a random password to it the first time ODSM is used. The file is named odsm.cer (despite the .cer extension it is a keystore, not a bare certificate) and resides in a directory with a name of the form:
DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
ODSM stores this random password in CSF, from which the WebLogic Server administrator can retrieve it. ODSM also generates a self-signed certificate for itself and stores it, together with its private key, in the JKS.
To manage ODSM's JKS, you must first retrieve ODSM's JKS password. The WebLogic administrator can retrieve it using the wlst command, as follows:
$ORACLE_COMMON_HOME/common/bin/wlst.sh
connect()
listCred(map="ODSMMap", key="ODSMKey.Wallet")
After the connect() command, you are prompted for your WebLogic username and password and for the server URL. An example server URL is t3://hostname:7001.
After you retrieve the Key Store password, you can manage the keystore using the keytool command.
To list the contents of odsm.cer, proceed as follows:
cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass password_obtained_from_CSF
Add the -v option to print each entry's full certificate details, including its validity period. For example:
$ cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
         MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
         SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
         MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
         SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
         Signature algorithm name: MD5withRSA
         Version: 1


*******************************************
*******************************************
Note that a password given with -storepass appears on the command line, so it is visible in the process list while keytool runs and is recorded in the shell history on most systems; clear or disable history for the session on a shared host.
To delete a trusted certificate from odsm.cer:
cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer -storepass password_obtained_from_CSF -alias "cn=rootca, o=oracle, c=us (0)"
For example:
$ JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
    -storepass "&M)S86)/RB" -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]
ODSM does not provide a web-based user interface for managing expired certificates. You must use keytool to find expired certificates and delete them. To find them, list the contents of odsm.cer with the -v option as described in "Listing the Contents of odsm.cer Java Key Store"; keytool prints each certificate's validity period ("Valid from ... until ..."), so every entry whose "until" date has passed can be identified. Delete each expired entry by alias as described in "Deleting the Trusted Certificate".
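Scanning the -v listing by eye does not scale once the keystore holds more than a handful of trusted certificates. The following POSIX shell script is an added example, not part of the Oracle documentation or of ODSM itself: it parses `keytool -list -v` output, reports every alias whose certificate has passed its "until" date, and prints the corresponding `keytool -delete` commands for review rather than running them. It assumes only a POSIX sh with awk and the "Valid from: ... until: ..." line format keytool prints (as shown above); the sample listing embedded in it is constructed from the example in this appendix, and the STOREPASS environment variable is an assumed convention for passing the password retrieved from CSF.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or ODSM: find the expired
# entries in a `keytool -list -v` dump and emit matching `keytool -delete`
# commands for review. Assumes POSIX sh with awk, and keytool's
# "Valid from: ... until: ..." line format as shown in this appendix.

# Constructed sample of `keytool -list -v` output, modelled on the listing in
# this appendix: an expired self-signed server key and a root CA valid to 2050.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009


*******************************************
*******************************************


Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry
Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
'

# find_expired_aliases NOW
#   Reads keytool -list -v output on stdin and prints each alias (once) whose
#   certificate "until:" date is earlier than NOW, given as "YYYY-MM-DD HH:MM:SS".
#   The date is rebuilt in that sortable form so plain string comparison works
#   without GNU date; the timezone token is ignored, which is at most a few
#   hours of slack and irrelevant for a certificate that is already expired.
find_expired_aliases() {
    awk -v now="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        /^Alias name: / { alias = substr($0, 13); reported = 0 }
        /^Valid from: .* until: / {
            # text after "until:" is: weekday month day hh:mm:ss tz year
            split($0, f, " until: ")
            split(f[2], d, " ")
            notafter = d[6] "-" mon[d[2]] "-" sprintf("%02d", d[3]) " " d[4]
            # any expired certificate in the entry chain flags the alias
            if (alias != "" && !reported && notafter < now) { print alias; reported = 1 }
        }
    '
}

# build_delete_commands KEYSTORE NOW
#   Reads keytool -list -v output on stdin and prints one keytool -delete command
#   per expired alias. Commands are printed, not executed, so an operator can
#   review them first; the store password is referenced as $STOREPASS (an assumed
#   environment variable) rather than embedded in the generated lines.
build_delete_commands() {
    find_expired_aliases "$2" | while IFS= read -r alias; do
        printf 'keytool -delete -keystore %s -storepass "$STOREPASS" -alias "%s"\n' \
            "$1" "$alias"
    done
}

# Run against the constructed sample as of 2010-01-01: only the self-signed
# server certificate (expired June 2009) is reported; the root CA runs to 2050.
demo_expired() {
    printf '%s' "$SAMPLE_LISTING" | find_expired_aliases "2010-01-01 00:00:00"
}

# Real use, with the password retrieved from CSF as described above (keytool
# output is piped in instead of the sample):
#   cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
#   STOREPASS='<password from CSF>'
#   "$JAVA_HOME/bin/keytool" -list -v -keystore odsm.cer -storepass "$STOREPASS" \
#       | build_delete_commands odsm.cer "$(date '+%Y-%m-%d %H:%M:%S')"
```

Review the generated commands before running them: an expired PrivateKeyEntry such as serverselfsigned is ODSM's own key pair, not a trusted peer certificate, and removing it is a different operation from pruning an expired trusted CA.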