4 Configuring Delegated Administrator for LDAPS

This chapter describes how to configure Oracle Communications Delegated Administrator for LDAPS.

Enabling LDAPS

You can enable LDAP over SSL (LDAPS) for Delegated Administrator to communicate with Directory Server. This applies only to Direct LDAP mode.

Note:

If you are using Linux to complete this procedure, you must configure the LDAP client before you restart LDAP (shown in "Restart LDAP" in the instructions that follow). To do so, follow these steps:
  1. Open /etc/openldap/ldap.conf

  2. Insert the following lines of code at the end of the file:

    TLS_CACERT CA certfile path
    TLS_REQCERT never
    

Before configuring Delegated Administrator for LDAPS, you need to create a server certificate whose CN is the Directory Server host's FQDN, and enable SSL in ODSEE.

To create the required certificate and enable SSL in ODSEE:

  1. Create the LDAP server certificate request:

    dsadm request-cert --name FQDN -F ascii --org org --org-unit org unit name -o LDAP Server CSR File ldap instance
    

    For example:

    /da7/dsee7/bin/dsadm request-cert --name blr2262372.idc.example.com -F ascii --org example --org-unit example -o server.csr /var/ds7ins6
    
  2. Create the CA Certificate. This involves three sub-steps:

    1. Create the CA key:

      openssl genrsa -des3 -out CA Key file 1024
      

      Provide the key password in this step. For example:

      openssl genrsa -des3 -out CA.key 1024
      
    2. Create the CA certificate request:

      openssl req -new -key CA Key file -x509 -days 365 -out CA CSR file
      

      For example:

      openssl req -new -key ./CA.key -x509 -days 365 -out ./CA.csr
      
    3. Create the self-signed CA certificate:

      openssl x509 -in CA CSR file -out CA Cert file -signkey CA key file -days 365
      

      For example:

      openssl x509 -in CA.csr -out CA.cer -signkey CA.key -days 365
      
  3. Sign the LDAP certificate using the CA file:

    openssl x509 -req -days 365 -in LDAP Server CSR File -CA CA Cert file -CAkey CA key file -CAcreateserial -out LDAP Server Cert file -outform PEM
    

    For example:

    openssl x509 -req -days 365 -in ./server.csr -CA ./CA.cer -CAkey ./CA.key -CAcreateserial -out ./server.pem -outform PEM
    
  4. Import the LDAP certificate back to ODSEE:

    dsadm add-cert ldap instance ldap alias name LDAP Cert file
    

    For example:

    /da7/dsee7/bin/dsadm add-cert /var/ds7ins1/ servercert ./server.pem
    
  5. Import the CA certificate to the ODSEE:

    dsadm add-cert --ca ldap instance CA alias name CA cert file
    

    For example:

    dsadm add-cert --ca /var/ds7ins1/ CA ./ca.pem
    
  6. Set the certificate as the server certificate in ODSEE:

    /da7/dsee7/bin/dsconf set-server-prop -e -h FQDN -p ldap non ssl port ssl-rsa-cert-name:ldap alias name
    

    For example:

    /da7/dsee7/bin/dsconf set-server-prop -e -h blr2262372.idc.example.com -p 389 ssl-rsa-cert-name:servercert
    
  7. Restart LDAP.

  8. Copy the security database files to DA-BASE/lib:

    cp ldap instance/alias/slapd-cert8.db DA-BASE/lib/cert8.db
    
    cp ldap instance/alias/slapd-key3.db DA-BASE/lib/key3.db
    
    cp ldap instance/alias/secmod.db DA-BASE/lib/secmod.db
    

    For example:

    cp /var/ds7ins1/alias/slapd-cert8.db /opt/sun/comms/da/lib/cert8.db
    
    cp /var/ds7ins1/alias/slapd-key3.db /opt/sun/comms/da/lib/key3.db
    
    cp /var/ds7ins1/alias/secmod.db /opt/sun/comms/da/lib/secmod.db
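
The following script is an added example, not part of the Oracle documentation: it reproduces the CA and server-certificate steps above with openssl (creating the CSR with openssl instead of dsadm, and leaving the CA key unencrypted so it runs without prompts), then checks the result the way an LDAP client with TLS_REQCERT demand would, which is the validation that the TLS_REQCERT never setting in the Linux note skips. All host names, paths and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Builds a CA and a server
# certificate with CN = FQDN (steps 1 to 3 above, openssl only), then verifies
# the chain and the host name. All names below are constructed.
set -e

make_ldaps_certs() {
  fqdn="$1"; dir="$2"
  mkdir -p "$dir"
  # Steps 2.1-2.3: CA key and self-signed CA certificate (key left
  # unencrypted here so the script is non-interactive)
  openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/CA.key" -days 365 \
    -subj "/O=example/OU=example/CN=Example Test CA" -out "$dir/CA.cer"
  # Step 1: server key and CSR whose CN is the Directory Server FQDN
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" \
    -subj "/O=example/OU=example/CN=$fqdn" -out "$dir/server.csr"
  # Step 3: sign the server CSR with the CA
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/CA.cer" \
    -CAkey "$dir/CA.key" -CAcreateserial -out "$dir/server.pem" \
    -outform PEM 2>/dev/null
}

# Returns 0 only if server.pem chains to CA.cer AND its name matches $fqdn,
# i.e. the checks a client performs with TLS_REQCERT demand and skips with
# TLS_REQCERT never. A CN that is not the FQDN in the LDAPS URL fails here.
verify_ldaps_cert() {
  fqdn="$1"; dir="$2"
  openssl verify -CAfile "$dir/CA.cer" -verify_hostname "$fqdn" \
    "$dir/server.pem" >/dev/null 2>&1
}

# Client-side ldap.conf fragment for the Linux note above, with the CA file
# path from the page's TLS_CACERT line and TLS_REQCERT set to demand so the
# server certificate is actually validated (a hardened alternative to never).
ldap_conf_fragment() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}
```

Run make_ldaps_certs with the Directory Server FQDN and a working directory, then verify_ldaps_cert with the same FQDN; a non-zero exit means the certificate would be rejected by a client that validates the server.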
    

Configuring Delegated Administrator for LDAPS

  1. Import the Directory Server certificate into an NSS truststore file.

  2. Put the certificate and key database files (cert8.db and key3.db) into the DelegatedAdmin_home/lib directory.

  3. Run the config-commda initial configuration command.

    DelegatedAdmin_home/da/sbin/config-commda
    
  4. Step through the program by re-entering the same values as your existing configuration.

  5. When prompted for the Directory Server URL, type an entry similar to the following, to use LDAPS:

    LDAPS://host:SSLport
    

    For example:

    LDAPS://ds1.example.com:636
    

    This sets the ldaphost-usessl configuration parameter in the serverconfig.properties file to true (that is, enabled for LDAPS).

  6. Complete the configuration by accepting Configure Now.