Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
Oracle Unified Directory provides a number of options for configuring and using SSL and StartTLS. The numerous possibilities for configuration might be daunting for those who are unfamiliar with the technology or who just want to get up and running as quickly as possible for testing purposes.
This chapter provides a rough list of the steps that must be performed to allow Oracle Unified Directory to accept SSL-based connections using a self-signed certificate. The chapter also demonstrates how to configure SSL and StartTLS if you install the server using the QuickStart utility. Each configuration step is described in more detail in the chapters that follow.
The procedures in this section presume a knowledge of truststores and keystores. For detailed information about keystores, see Configuring Key Manager Providers. For detailed information about truststores, see Configuring Trust Manager Providers.
This procedure assumes the following:
Oracle Unified Directory is installed on the system on which you are working.
The Java keytool utility is in your path. If it is not, either add it to your path or provide the complete path to it when invoking the commands. The keytool utility is provided with the Java Runtime Environment (JRE).
The administration connector is listening on the default port (4444) and the dsconfig command is accessing the server running on the local host. If this is not the case, the --port and --hostname options must be specified.
For example:
$ keytool -genkeypair -alias server-cert -keyalg rsa \
    -dname "CN=myhost.example.com,O=Example Company,C=US" \
    -keystore config/keystore -storetype JKS
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. The default name used by the server is server-cert.
-keyalg algorithm. Specifies the algorithm that should be used to generate the private key. This should almost always be rsa.
-dname subject. Specifies the subject to use for the certificate.
Change the value of the -dname argument so that it is suitable for your environment:
The value of the CN attribute should be the fully-qualified name of the system on which the certificate is being installed.
The value of the O attribute should be the name of your company or organization.
The value of the C attribute should be the two-character abbreviation for your country.
-keystore path. Specifies the path to the keystore file. The file will be created if it does not already exist. The default keystore path used by the server is config/keystore.
-keypass password. Specifies the password that should be used to protect the private key in the keystore. If the password is not provided, you will be prompted for it.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If the password is not provided, you will be prompted for it. The server expects the password used for the -keypass and -storepass options to be the same.
-storetype type. Specifies the keystore type that should be used. For a JKS keystore, the value must be JKS.
You are prompted for a password to protect the contents of the keystore and for a password to protect the private key.
For example:
$ keytool -selfcert -alias server-cert -validity 1825 \
    -keystore config/keystore -storetype JKS
-alias alias. Specifies the name that should be used to refer to the certificate in the keystore. This name should be the same as the value used when creating the private key with the -genkeypair option.
-validity days. Specifies the length of time in days that the certificate should be valid. The default validity is 90 days.
-keystore path. Specifies the path to the keystore file. The file will be created if it does not already exist.
-keypass password. Specifies the password that should be used to protect the private key in the keystore. If this is not provided, then you will be interactively prompted for it.
-storepass password. Specifies the password that should be used to protect the contents of the keystore. If this is not provided, then you will be interactively prompted for it.
-storetype type. Specifies the keystore type that should be used. For the JKS keystore, the value should always be JKS.
When you are prompted for the keystore password, enter the same password that you provided in the previous step.
The config/keystore.pin file must contain the password that you chose to protect the contents of the keystore. If you change this file, remember that it must match the key manager provider configuration. If you create the file with a different name or location, the JKS key manager provider's key-store-pin-file property must be set to that path and file name.
For example:
$ keytool -exportcert -alias server-cert -file config/server-cert.txt -rfc \
    -keystore config/keystore -storetype JKS
For example:
$ keytool -importcert -alias server-cert -file config/server-cert.txt \
    -keystore config/truststore -storetype JKS
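The keytool steps above, run non-interactively as one script. This is an added example, not part of the Oracle guide: it checks the -dname components against the rules given above, runs the same four keytool commands with matching store and key passwords, and creates the PIN file so that only the owner can read it. It assumes keytool is in PATH and that the script runs from the instance directory so that config/ is the server's configuration directory; the function names and the -keysize choice are mine.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: the four keytool steps run
# non-interactively, with the -dname values checked first and the PIN file
# created owner-only. Assumes keytool is in PATH and the script runs from the
# instance directory, so that config/ is the server's config directory.
set -eu

# Build the -dname value and enforce the guide's rules: CN is a fully qualified
# host name (heuristic: contains a dot), O is non-empty, C is two upper-case letters.
check_dname() {
    cn=$1 org=$2 country=$3
    case $cn in
        *.*) ;;
        *) echo "CN must be a fully qualified host name: $cn" >&2; return 1 ;;
    esac
    [ -n "$org" ] || { echo "O must not be empty" >&2; return 1; }
    case $country in
        [A-Z][A-Z]) ;;
        *) echo "C must be a two-letter country code: $country" >&2; return 1 ;;
    esac
    printf 'CN=%s,O=%s,C=%s\n' "$cn" "$org" "$country"
}

# Write the keystore password to the PIN file that the JKS key manager
# provider reads (key-store-pin-file), readable by the owner only.
write_pin_file() {
    file=$1 pin=$2
    ( umask 077 && printf '%s\n' "$pin" > "$file" )
    chmod 600 "$file"                       # also tightens a pre-existing file
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$mode" = "600" ]
}

# Generate the key pair, self-sign it, export the certificate and import it
# into the truststore, mirroring the guide's commands; store and key passwords
# are the same, as the server expects.
create_self_signed() {
    host=$1 org=$2 country=$3 pin=$4
    dname=$(check_dname "$host" "$org" "$country") || return 1
    keytool -genkeypair -alias server-cert -keyalg rsa -keysize 2048 \
        -dname "$dname" -keystore config/keystore -storetype JKS \
        -storepass "$pin" -keypass "$pin"
    keytool -selfcert -alias server-cert -validity 1825 \
        -keystore config/keystore -storetype JKS -storepass "$pin" -keypass "$pin"
    keytool -exportcert -alias server-cert -file config/server-cert.txt -rfc \
        -keystore config/keystore -storetype JKS -storepass "$pin"
    keytool -importcert -noprompt -alias server-cert -file config/server-cert.txt \
        -keystore config/truststore -storetype JKS -storepass "$pin"
    write_pin_file config/keystore.pin "$pin"
}
```

Call it as `create_self_signed myhost.example.com "Example Company" US "$PIN"` with the password read from a prompt or a protected environment variable rather than typed on the command line, where it would land in the shell history.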
This step is required only if the SSL and StartTLS settings were not specified during installation, or if you want to change those settings.
For example:
$ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
    --provider-name JKS --set enabled:true
$ dsconfig -D "cn=directory manager" -w password -n set-trust-manager-provider-prop \
    --provider-name "Blind Trust" --set enabled:true
$ dsconfig -D "cn=directory manager" -w password -n set-connection-handler-prop \
    --handler-name "LDAPS Connection Handler" \
    --set "trust-manager-provider:Blind Trust" --set key-manager-provider:JKS \
    --set listen-port:1636 --set enabled:true
Port 1636 is the standard LDAPS port, but you might not be able to use this port if it is already taken or if you are a regular user. If you need to accept SSL-based connections on a port other than 1636, change the listen-port property in the last command to the port number being used.
If, in step 3, you created the text file with a location and name other than config/keystore.pin, for example a text file called config/mykeystore.pin, specify that path with the key-store-pin-file property as follows:
$ dsconfig -D "cn=directory manager" -w password -n set-key-manager-provider-prop \
    --provider-name JKS --set enabled:true \
    --set key-store-pin-file:config/mykeystore.pin
For detailed information about keystores, see Configuring Key Manager Providers. For detailed information about truststores, see Configuring Trust Manager Providers.
$ ldapsearch --port 1636 --useSSL --baseDN "" --searchScope base "(objectClass=*)"
You are prompted to trust the server's certificate. On typing yes, the root DSE entry should be returned.