28 Configuring Secure Sockets Layer (SSL)

This chapter describes how to configure Secure Sockets Layer (SSL) for use with using Oracle Enterprise Manager Fusion Middleware Control, and LDAP command-line utilities. It also describes how to test an SSL connection using Oracle Directory Services Manager (ODSM) and LDAP command-line utilities and how to set the SSL interoperability mode for compatibility with Oracle components developed before 11g Release 1 (11.1.1.0.0).

If you use SSL for Oracle Internet Directory, you might also want to configure strong authentication, data integrity, and data privacy.

This chapter includes the following sections:

See Also:

28.1 Overview of Configuring Secure Sockets Layer (SSL)

Oracle Internet Directory ensures that data has not been modified, deleted, or replayed during transmission by using Secure Sockets Layer (SSL). SSL generates a cryptographically secure message digest—through cryptographic checksums using either the MD5 algorithm or the Secure Hash Algorithm (SHA)—and includes it with each packet sent across the network. SSL provides authentication, encryption, and data integrity using message digest.

This introduction contains the following topics:

Oracle Internet Directory ensures that data is not disclosed during transmission by using public key encryption available with SSL. In public-key encryption, the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the recipient decrypts the message using the recipient's private key.

28.1.1 Supported Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to determine which cipher suite they will use when transmitting messages back and forth.

Table 28-1 lists the SSL cipher suites supported by Oracle Internet Directory and their corresponding authentication, encryption, and data integrity mechanisms. These are stored in the attribute orclsslciphersuite in the instance-specific configuration entry.

Note:

Ensure that you have Java Development Kit (JDK) 1.7.0_131 or higher installed on your system.

Table 28-1 SSL Cipher Suites Supported in Oracle Internet Directory

Cipher Suite Authentication Encryption Data Integrity

SSL_DH_DSS_WITH_AES_128_CBC_SHA256

DH_DSS

AES

SHA

SSL_DH_DSS_WITH_AES_128_GCM_SHA256

DH_DSS

AES

SHA

SSL_DH_DSS_WITH_AES_256_CBC_SHA256

DH_DSS

AES

SHA

SSL_DH_DSS_WITH_AES_256_GCM_SHA384

DH_DSS

AES

SHA

SSL_DHE_DSS_WITH_AES_128_CBC_SHA256

DHE_DSS

AES

SHA

SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

DHE_DSS

AES

SHA

SSL_DHE_DSS_WITH_AES_256_CBC_SHA256

DHE_DSS

AES

SHA

SSL_DHE_DSS_WITH_AES_256_GCM_SHA384

DHE_DSS

AES

SHA

SSL_DHE_RSA_WITH_AES_128_CBC_SHA256

DHE_RSA

AES

SHA

SSL_DHE_RSA_WITH_AES_128_GCM_SHA256

DHE_RSA

AES

SHA

SSL_DHE_RSA_WITH_AES_256_CBC_SHA256

DHE_RSA

AES

SHA

SSL_DHE_RSA_WITH_AES_256_GCM_SHA384

DHE_RSA

AES

SHA

SSL_DH_RSA_WITH_AES_128_CBC_SHA256

DH_RSA

AES

SHA

SSL_DH_RSA_WITH_AES_128_GCM_SHA256

DH_RSA

AES

SHA

SSL_DH_RSA_WITH_AES_256_CBC_SHA256

DH_RSA

AES

SHA

SSL_DH_RSA_WITH_AES_256_GCM_SHA384

DH_RSA

AES

SHA

SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

ECDH_ECDSA

AES

SHA

SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

ECDH_ECDSA

AES

SHA

SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

ECDH_ECDSA

AES

SHA

SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

ECDH_ECDSA

AES

SHA

SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

ECDHE_ECDSA

AES

SHA

SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE_ECDSA

AES

SHA

SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

ECDHE_ECDSA

AES

SHA

SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE_ECDSA

AES

SHA

SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE_RSA

AES

SHA

SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE_RSA

AES

SHA

SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDHE_RSA

AES

SHA

SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE_RSA

AES

SHA

SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256

ECDH_RSA

AES

SHA

SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256

ECDH_RSA

AES

SHA

SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384

ECDH_RSA

AES

SHA

SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384

ECDH_RSA

AES

SHA

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

3DES

SHA

SSL_RSA_WITH_AES_128_CBC_SHA

RSA

AES

SHA

SSL_RSA_WITH_AES_128_CBC_SHA256

RSA

AES

SHA

SSL_RSA_WITH_AES_128_GCM_SHA256

RSA

AES

SHA

SSL_RSA_WITH_AES_256_CBC_SHA256

RSA

AES

SHA

SSL_RSA_WITH_AES_256_GCM_SHA384

RSA

AES

SHA

Table 28-2 TLS Cipher Suites Supported in Oracle Internet Directory

Cipher Suite Authentication Encryption Data Integrity

TLS_RSA_WITH_AES_256_GCM_SHA384

RSA

AES

SHA

TLS_RSA_WITH_AES_256_CBC_SHA

RSA

AES

SHA

TLS_RSA_WITH_AES_256_CBC_SHA256

RSA

AES

SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

RSA

AES

SHA

TLS_RSA_WITH_AES_128_CBC_SHA

RSA

AES

SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

RSA

AES

SHA

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

ECDH_RSA

AES

SHA

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

ECDH_RSA

AES

SHA

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

ECDH_RSA

3DES

SHA

TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

ECDH_RSA

AES

SHA

TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256

ECDH_RSA

AES

SHA

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

ECDH_RSA

AES

SHA

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

ECDH_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE_RSA

AES

SHA

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

ECDHE_RSA

3DES

SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

ECDHE_ECDSA

AES

SHA

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

ECDHE_ECDSA

3DES

SHA

TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

ECDH_ECDSA

AES

SHA

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

ECDH_ECDSA

3DES

SHA

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

DHE_RSA

AES

SHA

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

DHE_RSA

AES

SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

DHE_RSA

AES

SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

DHE_RSA

AES

SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

DHE_RSA

AES

SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

DHE_RSA

AES

SHA

Note:

Anonymous ciphers are not enabled by default. If there is any requirement, you can add the TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256 and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites into Oracle Internet Directory configuration using the Oracle Fusion Middleware System MBean Browser.

28.1.2 Supported Protocol Versions

The list of all the enabled protocols along with their attribute values are mapped in this topic. It also describes how to completely disable SSLv3 protocol.

Note:

The out-of-box default SSL configuration of OID server instances has the value of orclcryptoversion set to 24. This means, only TLSv1.2 and TLSv1.1 are enabled.

Oracle Internet Directory supports the following TLS/SSL protocols:

  • SSLv3

  • TLSv1

  • TLSv1.1

  • TLSv1.2

Oracle Internet Directory does not support SSLv2.

From 11g Release 1 (11.1.1.9.0) onward, you can specify the SSL/TLS version using the orclcryptoversion attribute.

The orclcryptoversion attribute allows you to enable more than one protocol by specifying the corresponding value and populating the attribute.

Table 28-3 lists the protocol mapping with its corresponding value.

You can completely disable SSLv3 by updating the value of orclcryptoversion to 24 (value of TLS 1.1 or TLS 1.2 in the Protocol Mapping table).

To modify the value of orclcryptoversion to 24, use ldapmodify as follows:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

where ldifFile contains:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry 
changetype: modify 
replace: orclcryptoversion 
orclcryptoversion: 24 

Table 28-3 Protocol Mapping

Enabled Protocol Attribute Value

All Supported Protocols

0

SSL v3

2

TLS 1.0

4

TLS 1.0 or SSL v3

6

TLS 1.1

8

TLS 1.1 or SSL v3

10

TLS 1.1 or TLS 1.0

12

TLS 1.1 or TLS 1.0 or SSL v3

14

TLS 1.2

16

TLS 1.2 or SSL v3

18

TLS 1.2 or TLS 1.0

20

TLS 1.2 or TLS 1.0 or SSL v3

22

TLS 1.1 or TLS 1.2

24

TLS 1.2 or TLS 1.1 or SSL v3

26

TLS 1.0 or TLS 1.1 or TLS 1.2

28

TLS 1.0 or TLS 1.1 or TLS 1.2 or SSL v3

30

28.1.3 About SSL Authentication Modes

The SSL protocol provides transport layer security with authenticity, integrity, and confidentiality, for a connection between a client and server.

Three authentication modes are supported, as described in Table 28-4. The SSL authentication mode is controlled by the attribute orclsslauthentication in the instance-specific configuration entry.

By default, Oracle Internet Directory uses SSL No Authentication Mode (orclsslauthentication=1).

When both a client and server authenticate themselves with each other, SSL derives the identity information it requires from the X509v3 digital certificates.

Note:

By default, the SSL authentication mode is set to 1 (encryption only, no authentication).

If you are using Oracle Delegated Administration Services 10g or other client applications such as legacy versions of Oracle Forms and Oracle Reports that expect to communicate with Oracle Internet Directory on an encrypted SSL port configured for anonymous SSL ciphers, then at least one Oracle Internet Directory server instance must be configured for this default authentication mode.

Otherwise, authentication mode 1 and anonymous SSL ciphers are not required for Oracle Internet Directory to function. The type of SSL ports that are made available and the ciphers that the SSL port will accept depend on your specific deployment requirements.

During start-up of a directory server instance, the directory reads a set of configuration parameters, including the parameters for the SSL profile.

To run a server instance in secure mode, configure a single listening endpoint to communicate using LDAPS. To allow the same instance to run non-secure connections concurrently, configure a second listening endpoint to communicate using LDAP.

During installation of Oracle Internet Directory, Oracle Identity Management 11g Installer follows specific steps in assigning the SSL and non-SSL port. First, it attempts to use 3060 as the non-SSL port. If that port is unavailable, it tries ports in the range 3061 to 3070, then 13060 to 13070. Similarly, it attempts to use 3131 as its SSL port, then ports in the range 3132 to 3141, then 13131 to 13141.

Note:

If you perform an upgrade from an earlier version of Oracle Internet Directory to the current release, your port numbers from the earlier version are retained.

You can create and modify multiple Oracle Internet Directory instances with differing values, using a different SSL parameters. This is a useful way to accommodate clients with different security needs.

See Also:

Managing Oracle Internet Directory Instances for information about creating a new server instance.

28.1.4 SSL Authentication Modes

There are three modes of SSL authentication supported: SSL No Authentication Mode, SSL Server Authentication Only Mode and SSL Client and Server Authentication Mode.

Table 28-4 lists the authentication methods, its values and behavior.

Table 28-4 SSL Authentication Modes

SSL Authentication Method Value of orclsslauthentication Authentication Behavior

SSL No Authentication Mode, Confidentiality mode

1

Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. Only SSL encryption and decryption is used.

Note:

If Oracle Internet Directory SSL is configured in SSL No Authentication Mode then you must enable the anonymous ciphers for Java clients to communicate with Oracle Internet Directory.

SSL Server Authentication Only Mode

32

The directory server authenticates itself to the client. The directory server sends the client a certificate asserting the server's identity.

SSL Client and Server Authentication Mode

64

The client and server authenticate themselves with each other and send certificates to each other.

Note:

If Java Development Kit (JDK) 1.8.0_201 or higher is installed on your system then the anonymous ciphers are disabled by default.

If Oracle Internet Directory SSL is configured in SSL No Authentication Mode then you must enable the anonymous ciphers in the JDK by editing the java.security file (JAVA_HOME/lib/security) and removing anon and NULL from the jdk.tls.disabledAlgorithms security property.

28.1.5 Oracle Wallets

Oracle Wallet is a secure software container that is used to store X509 certificates, Private key, and trusted CA certificates A self-signed certificate can be stored in Oracle Wallet that can be within an enterprise.

Before removing the reference to the wallet from the instance-specific configuration, you must disable SSL by setting orclsslenable to 0.

See Also:

Keystores and Oracle Wallets in Administering Oracle Fusion Middleware for information on using Oracle wallets with middleware components.

Never delete a wallet currently in use, as defined in the attribute orclsslwalleturl, from the file system. Doing so prevents the server from starting successfully. Remove the reference to the wallet from the instance-specific configuration entry attribute orclsslwalleturl before you delete the file.

In 11g, you do not need to directly manipulate orclsslwalleturl because the SSL configuration service abstracts this out, both in WLST and Oracle Enterprise Manager Fusion Middleware Control. The SSL configuration service traps any attempts to delete a wallet that is currently in use, provided you do so by using the SSL configuration service.

28.1.6 Other Components and SSL

At installation, Oracle Internet Directory starts up in dual mode. That is, some components can access Oracle Internet Directory using non-SSL connections, while others use SSL when connecting to the directory.

By default, Oracle Application Server components are configured to run in this dual mode environment when communicating with Oracle Internet Directory. If you want, you can remove the non-SSL mode and change all middleware instances to use SSL.

Enterprise User Security or a customer application might need an SSL channel with a different configuration from the default. For example, it might need SSL server authentication mode or SSL mutual authentication mode. In this case, you must create another Oracle Internet Directory component instance listening on a different SSL mode and port.

See Also:

Managing Oracle Internet Directory Instances for instructions on how to configure server instances

For more information about Enterprise User Security SSL configuration, please see the section on enterprise user security configuration in Oracle Database Enterprise User Administrator's Guide.

28.1.7 SSL Interoperability Mode

In no-auth mode, Oracle legacy components developed before 11g Release 1 (11.1.1.0.0) such as legacy LDAP C clients can connect with Oracle Internet Directory only by using an instance that has interoperability mode enabled (orclsslinteropmode = 1).

Starting with Oracle Internet Directory 11g Release 1 (11.1.1.7.0), the default value for SSL interoperability mode is disabled (orclsslinteropmode = 0), in order to be fully compliant with the JDK SSL.

New clients using JSSE (Java Secure Socket Extensions) and non-Oracle clients need an SSL instance with the interoperability mode disabled. Oracle Internet Directory is fully compliant with the Sun JDK's SSL, provided SSL interoperability mode is disabled (orclsslinteropmode = 0).

If Oracle Internet Directory is set to the wrong mode for a client, you might observe rare and non-deterministic failures of client SSL connections to the server.

28.1.8 StartTLS

Beginning with 11g Release 1 (11.1.1.0.0), Oracle Internet Directory supports startTLS. This feature enables the on-demand negotiation of an SSL session on a non-SSL port. No special configuration is required for the non-SSL port.

If Oracle Internet Directory has an SSL endpoint configured, a client can use startTLS on the non-SSL port to negotiate an SSL connection on the non-SSL port with the same configuration that is on the SSL port. That is, if the SSL port uses mutual authentication, startTLS tries to negotiate mutual authentication on the non-SSL port.

28.2 Overview of Configuring SSL by Using Fusion Middleware Control

You can configure SSL using Fusion Middleware Control by creating a wallet, configuring SSL parameters, and by setting the SSL parameters.

This section includes the following topics:

28.2.1 Configuring SSL by Using Fusion Middleware Control

Configuring SSL by using Fusion Middleware Control consists of three basic tasks:

Follow the below given steps:
  1. Creating a Wallet by Using Fusion Middleware Control
  2. Configuring SSL Parameters by Using Fusion Middleware Control
  3. Restarting Oracle Internet Directory.

See Also:

28.2.2 Creating a Wallet by Using Fusion Middleware Control

You can create a self-signed wallet to use when configuring SSL.

Perform the following steps:

  1. From the Oracle Internet Directory menu, select Security, then Wallets. If any wallets exist, you see a list.
  2. To create a new wallet, click Create Self-signed Wallet. The Create Self-Signed Wallet page appears.
    Create Self-Signed Wallet Page
  3. On the Create Self-Signed Wallet page, enter a name for the new wallet, using lower-case letters only.
  4. Select Auto Login for an auto login wallet. Wallets configured for Oracle Internet Directory must have auto login enabled.
  5. If you have deselected Auto Login, enter the password in the two fields.
  6. For Common Name, enter the hostname of the instance.
  7. Select a Key Size from the list.
  8. Click Submit.
  9. A confirmation message is displayed and the new wallet appears in the list of wallets.
    Confirmation Page

See Also:

Managing Keystores, Wallets, and Certificates in Administering Oracle Fusion Middleware for more information about Oracle wallets.

28.2.3 Configuring SSL Parameters by Using Fusion Middleware Control

You can use Fusion Middleware control to configure SSL parameters.

After you have a wallet to use for configuring SSL, perform the following steps:

  1. From the Oracle Internet Directory menu, select Administration, then Server Properties.
  2. Click Change SSL Settings.
  3. On the SSL Settings dialog:
    • Select Enable SSL.

    • Select a wallet.

    • If this is a non auto login wallet, supply the wallet password in the Server Wallet Password field.

    • If necessary, expand Advanced SSL Settings.

    • Set SSL Authentication to Server.

    • Set Cipher Suite to All.

    • Set SSL protocol version to the appropriate version, usually v3.

    • Click OK.

    Note:

    Currently, there is no way to configure TLS v1.1 and TLS v1.2 protocols and their corresponding ciphers from the OID Enterprise Manager Fusion Middleware Control. As a workaround, you can use the ldapmodify command to change the orclcryptoversion attribute. See Supported Protocol Versions.

  4. Restart the Oracle Internet Directory instance by navigating to Oracle Internet Directory, then Availability, then Restart.

The steps for SSL-enabling in mutual-auth mode are the same, except that in the SSL Settings dialog, you would set SSL Authentication to Mutual instead of Server.

Note:

You cannot directly change the parameters for an active instance.

28.2.4 SSL Parameters with Fusion Middleware Control

This section lists the SSL parameters in Oracle Enterprise Manager Fusion Middleware Control that are applicable to Oracle Internet Directory.

Table 28-5 lists the SSL parameters in Oracle Enterprise Manager Fusion Middleware Control that are applicable to Oracle Internet Directory. All of them are in the instance-specific configuration entry, which has a DN of the form:

"cn=componentname,cn=osdldapd,cn=subconfigsubentry." 

Note:

While setting up TLS in Oracle Internet Directory, Do not change the value for orclsslversion and retain its default value of 3.

Table 28-5 SSL-Related Attributes in Fusion Middleware Control

Field or Heading Configuration Attribute

Server SSL Protocol Version

orclsslversion

SSL Wallet URL

orclsslwalleturl

Enable SSL

orclsslenable

SSL Authentication Mode

orclsslauthentication

Server Cipher Suite

orclsslciphersuite

You must restart the server for SSL configuration changes to take effect.

28.3 Overview of Configuring SSL by Using LDAP Commands

You can configure SSL using LDAP commands by creating an Oracle Wallet, configuring SSL parameters and restarting Oracle Internet Directory.

This section includes the following topics:

28.3.1 Configuring SSL Parameters by Using LDAP Commands

You can configure SSL using LDAP commands.

You must perform the following steps to configure SSL:

  1. Create an Oracle wallet.
  2. Configure SSL parameters.
  3. Restart Oracle Internet Directory.

See Also:

If you already have created a wallet, you can use the ldapmodify command to change SSL parameters. However, you can also create a wallet by using orapki. See orapki in Administering Oracle Fusion Middleware (which includes Command Line steps to create a Signed Certificate for Testing Purposes).

For example, to change the value of orclsslinteropmode to 1 for the instance oid1, you would type:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

where ldifFile contains:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclsslinteropmode
orclsslinteropmode: 1

SSL parameters are attributes of an instance-specific configuration entry. These configuration entries have DNs of the form:

cn=componentname,cn=osdldapd,cn=subconfigsubentry

for example:

cn=oid1,cn=osdldapd,cn=subconfigsubentry

The SSL attributes are shown in Table 28-6.

You can use the ldapsearch command to list the SSL attributes and their values. For example, to list attributes containing the string orclssl in the instance oid1, you would type:

ldapsearch -p 3060 -D cn=orcladmin -q \
     -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" \
     -s base "objectclass=*" | grep -i orclssl

After you have configured SSL Parameters, restart Oracle Internet Directory, as described in Managing Oracle Internet Directory Instances.

Note:

Set orclsslenable to 1 (SSL only) or 2 (Non-SSL & SSL mode) if you use Oracle Enterprise Manager Fusion Middleware Control or WLST to manage Oracle Internet Directory.

28.3.2 SSL Attributes

The SSL attributes are listed in the table with its corresponding meaning.

Table 28-6 lists the SSL Attributes and its meaning:

Table 28-6 SSL Attributes

Attribute Meaning

orclsslversion

SSL Version

orclsslwalleturl

SSL Wallet URL

orclsslenable

SSL Enable

orclsslauthentication

SSL Authentication

orclsslinteropmode

SSL Interoperability Mode

orclsslciphersuite

SSL Cipher Suite

28.4 Configuring SSL in Oracle Internet Directory

You need to create a SSL connection for Oracle Internet Directory.

To create a SSL connection, complete the following steps:
  1. Run the following command to create a wallet with auto_login enabled:

    orapki wallet create -wallet <WALLET_PATH> -auto_login

  2. Run the following command to add a self-signed root certificate inside the created wallet:

    orapki wallet add -wallet <WALLET_PATH> -dn cn=<OID_HOSTNAME> -keysize 2048 -self_signed -validity 3650 -pwd <WALLET_PASSWORD> -sign_alg sha256

    Note:

    To add certificates generated by trusted third party CA, see orapki Utility Commands Summary.
  3. Modify the OID configuration cn=oid1,cn=osdldapd,cn=subconfigsubentry to enable SSL, add cipher suites, and so on.
  4. Restart Oracle Internet Directory.
  5. Run the following command to test the SSL configuration:

    ldapbind -h <OID_HOSTNAME> -p <OID_SLL_PORT> -D cn=orcladmin -w <OID_ADMIN_PASSWORD> -U 2 -W 'file:<WALLET_PATH>' -P <WALLET_PASSWORD>

  6. In ODSM, create an OID connection by providing the hostname as provided in Step 2.

28.5 Configuring ODSM Connection with SSL Enabled

You can configure ODSM connection to use one-way SSL or two-way SSL for Oracle Internet Directory.

Note:

If Java Development Kit (JDK) 1.8.0_201 or higher is installed on your system then the anonymous ciphers are disabled by default.

If Oracle Internet Directory SSL is configured in SSL No Authentication Mode then you must enable the anonymous ciphers in the JDK by editing the java.security file (JAVA_HOME/lib/security) and removing anon and NULL from the jdk.tls.disabledAlgorithms security property.

Configure the ODSM wallet by completing the following steps:

Note:

Ensure that the SSL connection for Oracle Internet Directory is created. See Configuring SSL in Oracle Internet Directory.
  1. Export the trusted certificate from the Oracle Internet Directory wallet using the orapki utility:

    orapki wallet export -wallet <OID_WALLET_PATH> -dn cn=<OID_HOSTNAME> -cert <CERTIFICATE_FILE_NAME>

    See orapki wallet export in Administering Oracle Fusion Middleware.

  2. Run the following command to create an ODSM wallet with auto-login enabled:
    orapki wallet create -wallet <WALLET_PATH> -auto_login

    See orapki wallet create in Administering Oracle Fusion Middleware.

    Note:

  3. Add the trusted certificate that you have exported earlier into the OSDM wallet:
    
    orapki wallet add -wallet <WALLET_PATH> -trusted_cert -cert <CERTIFICATE_FILE_NAME>

    See orapki wallet add in Administering Oracle Fusion Middleware.

28.6 Testing SSL Connections by Using Oracle Directory Services Manager

You can test the SSL connection by using Oracle Directory Services Manager:

Perform the following procedure:

  1. Invoke ODSM as described in Invoking Oracle Directory Services Manager.
  2. Connect to the Oracle Internet Directory server. On the login screen, enable SSL and specify the SSL port.

If you can connect, the SSL connection is working correctly.

28.7 Overview of Testing SSL Connections From the Command Line

You can use the ldapbind command to test SSL connections.

On UNIX, the syntax is:

ldapbind -D cn=orcladmin -q -U authentication_mode -h host -p SSL_port \ 
-W "file://DIRECTORY_CONTAINING_WALLET" -Q

and on Windows, the syntax is:

ldapbind -D cn=orcladmin -q -U authentication_mode -h host -p SSL_port \ 
-W "file:device:\DIRECTORY_CONTAINING_WALLET" -Q

where authentication_mode is one of:

Number Authentication

1

SSL No authentication required.

2

One-way (server only) SSL authentication required.

3

Two-way (client and server) SSL authentication required.

See Also:

The ldapbind command-line tool reference in Reference for Oracle Identity Management.

This section includes the following topics:

28.7.1 Testing SSL With Encryption Only

Use this method to test an SSL configuration with SSL no authentication required.

The syntax is:

ldapbind -D cn=orcladmin -q -U 1 -h host -p SSL_Port 

28.7.2 Testing SSL With Server Authentication

Use this method to test an SSL configuration with SSL server authentication configured. A client can request either server authentication or no authentication.

For an anonymous bind with server authentication, the syntax is:

ldapbind -U 2 -h host -p SSL_Port -W "file:DIRECTORY_CONTAINING_WALLET" -Q 

For a bind with user cn=orcladmin, wallet file $DOMAIN_HOME/config/fmwconfig/components/OID/admin/mywallet, and server authentication, the syntax is:

ldapbind -D cn=orcladmin -q -U 2 -h SSL_Port -p port \
-W "file:$DOMAIN_HOME/config/fmwconfig/components/OID/admin/mywallet" -Q 

For a bind without SSL authentication, the syntax is:

ldapbind -D cn=orcladmin -q -U 1 -h host -p SSL_Port 

28.7.3 Testing SSL With Client and Server Authentication

Use this method to test an SSL configuration with SSL client and server authentication configured.

Oracle Internet Directory supports the Certificate Matching Rule. The DN and password passed on the ldapbind command line are ignored. Only the DN from the certificate or the certificate hash is used for authorization.

To use the bind DN (Distinguished Name) from the client certificate, the syntax is:

ldapbind -U 3 -h host -p SSL_Port -W "file:DIRECTORY_CONTAINING_WALLET" -Q

28.8 Configuring SSL between Database and Oracle Internet Directory

Use the instructions below to enable SSL connection between Oracle Database and Oracle Internet Directory.

Perform the steps in the following order:

  1. Stopping an Instance of Oracle Internet Directory

  2. Stopping Node Manager

  3. Stopping Administration Server

  4. Modifying the sqlnet.ora and listener.ora Files on the Database Server

  5. Modifying the tnsnames.ora and sqlnet.ora configuration files on the OID Server

  6. Setting the JAVA_OPTIONS Environment Variable on the Administration Server

  7. Setting the JAVA_OPTIONS Environment Variable on the Node Manager

  8. Restarting an Instance of Oracle Internet Directory

28.8.1 Stopping an Instance of Oracle Internet Directory

You can stop an Oracle Internet Directory (OID) instance using a script.

To stop an OID instance, use the following script:

$DOMAIN_HOME/bin/stopComponent.sh <instance_name>

28.8.2 Stopping Node Manager

You can stop Node Manager using a script.

To stop Node Manager, use the following script:

$DOMAIN_HOME/bin/stopNodeManager.sh

28.8.3 Stopping Administration Server

You can stop the Oracle WebLogic Server Administration Server using a script.

To stop an Administration Server, use the following script:

$DOMAIN_HOME/bin/stopWebLogic.sh

28.8.4 Modifying the sqlnet.ora and listener.ora Files on the Database Server

You must edit the listener.ora and sqlnet.ora configuration files on the database server to enable SSL communication.

To enable SSL on the database server, perform the following steps:

  1. In a terminal, navigate to the following directory:

    $ cd $DB_HOME/network/admin
  2. Modify the listener.ora file and make sure to add TCPS entry and assign a specific port under the LISTENER section to enable SSL.

    LISTENER=
     (DESCRIPTION=
        (ADDRESS_LIST=
          (ADDRESS=(PROTOCOL=tcp)(HOST=sales-server)(PORT=1521))
          (ADDRESS=(PROTOCOL=ipc)(KEY=extproc))
          (ADDRESS=(PROTOCOL=tcps)(HOST=sales-server)(PORT=1522))))
  3. Set the database wallet location in the sqlnet.ora file of the database Oracle home.

    wallet_location = (SOURCE= (METHOD=File) (METHOD_DATA= (DIRECTORY=wallet_location)))
  4. Restart the listener process on the database server for the changes to take effect.

    lsnrctl stop
    lsnrctl start

28.8.5 Modifying the tnsnames.ora and sqlnet.ora configuration files on the OID Server

You must edit the tnsnames.ora and sqlnet.ora configuration files on the OID server to enable SSL communication.

To enable SSL on the OID server, perform the following steps:

  1. In a terminal, navigate to the following directory:

    $ cd $DOMAIN_HOME/config/fmwconfig/components/OID/config
  2. Edit the tnsnames.ora file to specify the database’s DN and the TCP/IP with SSL protocol.

    finance= (DESCRIPTION=(ADDRESS_LIST=(ADDRESS= (PROTOCOL = tcps) (HOST = finance_server) (PORT = 1575)))(CONNECT_DATA=(SERVICE_NAME= Finance.us.acme.com))
    (SECURITY=(SSL_SERVER_CERT_DN="cn=finance,cn=OracleContext,c=us,o=acme"))
  3. Edit the sqlnet.ora file to specify the wallet location.

    SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS)
    SSL_CLIENT_AUTHENTICATION = FALSE
    SSL_VERSION = 1.2 or 1.1 or 1.0 or 3.0
    WALLET_LOCATION =
    (SOURCE=
    (METHOD=File)
    (METHOD_DATA=
    (DIRECTORY=wallet_location)))
    
    SSL_SERVER_DN_MATCH=OFF

28.8.6 Setting the JAVA_OPTIONS Environment Variable on the Administration Server

You must set the JAVA_OPTIONS environment variable to include the wallet information before starting Administration Server from the same terminal.

To set the JAVA_OPTIONS environment variable on the Administration Server, perform the following steps:

  1. In a terminal, navigate to the following directory:

    $ cd $DOMAIN_HOME/bin
  2. Set the JAVA_OPTIONS environment variable to include the wallet information.

    • For SSL No Authentication and SSL Server Authentication modes:

      export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.trustStoreType=SSO"
    • For SSL Mutual Authentication mode:

      export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.trustStoreType=SSO -Djavax.net.ssl.keyStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.keyStoreType=SSO"

    Note:

    Truststore verifies the server-side certificates, while keystore contains client certificates that are sent to the server.
  3. Start the Administration Server.

    $ ./startWeblogic.sh

28.8.7 Setting the JAVA_OPTIONS Environment Variable on the Node Manager

You must set the JAVA_OPTIONS environment variable to include the wallet information before starting Node Manager from the same terminal.

To set the JAVA_OPTIONS environment variable on the Node Manager, perform the following steps:

  1. In a terminal, navigate to the following directory:

    $ cd $DOMAIN_HOME/bin
  2. Set the JAVA_OPTIONS environment variable to include the wallet information.

    • For SSL No Authentication and SSL Server Authentication modes:

      export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.trustStoreType=SSO"
    • For SSL Mutual Authentication mode:

      export JAVA_OPTIONS="-Djavax.net.ssl.trustStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.trustStoreType=SSO -Djavax.net.ssl.keyStore=<wallet_location>/cwallet.sso -Djavax.net.ssl.keyStoreType=SSO"

    Note:

    Truststore verifies server side certificates, while keystore contains client certificates that are sent to the server.
  3. Start the Node Manager.

    $ ./startNodeManager.sh

28.8.8 Restarting an Instance of Oracle Internet Directory

You can start an instance of Oracle Internet Directory using a script.

To restart Oracle Internet Directory, use the following script:

$DOMAIN_HOME/bin/startComponent.sh <instance-name>