This appendix describes how to manage the Oracle Directory Services Manager (ODSM) Java Key Store (JKS), including retrieving the JKS password, listing the contents of the odsm.cer JKS, and deleting expired certificates.
Oracle Directory Services Manager (ODSM) stores its private key, certificate and trusted certificates in a Java Key Store (JKS). As administrator, you are responsible for managing ODSM's JKS. One important task you must perform is to remove ODSM certificates from the JKS when they have expired. This appendix explains how.
This appendix includes the following sections:
The first time ODSM is invoked, it generates a random password and assigns the password to its JKS. The JKS file has the name odsm.cer. The file resides in a directory with a name of the form:
ODSM stores the password to its JKS in the Credential Store Framework (CSF), a secure storage framework provided by Oracle. The WebLogic server administrator can retrieve the JKS password stored in the CSF.
ODSM also generates a self-signed certificate for itself and stores it in its JKS. This self-signed certificate is valid for 15000 days from the date of generation. This self-signed certificate is intended for testing purposes only. Oracle recommends replacing this self-signed certificate with a certificate signed by a Certificate Authority (CA) for production purposes.
There is no web-based tool for managing a JKS. To manage ODSM's JKS, you use keytool, a command-line tool shipped with the Oracle JRE or JDK.
See the section about configuring the credential store in the Oracle Fusion Middleware Application Security Guide for more information about the CSF.
For information about Oracle Java, including the Java Cryptography Architecture API Specification & Reference and keytool - Key and Certificate Management Tool, see:
To manage Oracle Directory Services Manager's Java Key Store, you must first retrieve Oracle Directory Services Manager's Java Key Store password. There are two methods for retrieving this password:
To retrieve the Oracle Directory Services Manager's Java Key Store password by using Enterprise Manager, perform the following steps:
Connect to Enterprise Manager as
On the left side of the Enterprise Manager navigation panel, expand WebLogic Domain and select the domain in which Oracle Directory Services Manager is deployed.
On the right side of the Enterprise Manager navigation panel, click the WebLogic Domain menu and select System MBean Browser.
In the System MBean browser, expand Application Defined MBeans > com.oracle.jps > Domain: NameOfTheDomainWhereODSMisDeployed > JPSCredentialStore > JPSCredential Store.
Click the Operations tab shown on the details pane.
Click the getPortableCredential operation as shown in the following figure.
When the next page displays, you must enter parameters for the getPortableCredential method.
For P1, enter
For P2, enter
Click the Invoke button.
The Return Value table is displayed below the Parameters table, as shown in the following figure. The Oracle Directory Services Manager Java Key Store password is displayed in the password field.
If you do not have Enterprise Manager, you can retrieve the Oracle Directory Services Manager's Java Key Store password by using a Python script.
To retrieve this password, perform the following steps:
Create a .py file (for example, odsm.py) with the following contents:
import sys
from oracle.security.jps.mas.mgmt.jmx.credstore import PortableCredential
from javax.management import ObjectName
from java.lang import String

# Connect to the Administration Server with the user, password and URL
# passed on the command line, then switch to the domainRuntime tree.
connect(sys.argv[1], sys.argv[2], sys.argv[3])
domainRuntime()

# Map name and key under which ODSM stores its JKS password in the CSF
params = ["ODSMMap", "ODSMKey.Wallet"]
sign = ["java.lang.String", "java.lang.String"]
on = ObjectName("com.oracle.jps:type=JpsCredentialStore")
cred = mbs.invoke(on, "getPortableCredential", params, sign)
if cred != None:
    # "from" is a Python keyword, so the static method is looked up by name
    credObject = getattr(PortableCredential, "from")(cred)
    print credObject
    print "ODSM Java Key Store Password: " + String.valueOf(credObject.getPassword())
Execute the following command:
$MW_HOME/oracle_common/common/bin/wlst.sh odsm.py <wls_admin_user> <wls_admin_password> t3://<adminserver_host>:<adminserver_port>
For example:
$MW_HOME/oracle_common/common/bin/wlst.sh odsm.py weblogic welcome1 t3://myadminserver:7001
Running this script changes the output location to the domainRuntime tree, which is a read-only tree with DomainMBean as the root.
Note: For help, type help(domainRuntime) at the command line.
The script output is similar to the following:
[Name : ODSM, Description : ODSM Key store password, expiry Date : null]
ODSM Java Key Store Password: XXXXXXXXXX
See Also: For more information, refer to the following publications:
After you retrieve the JKS password, you can manage the JKS by using keytool.
To list the contents of odsm.cer, use the keytool command, as follows:
cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer \
    -storepass password_obtained_from_CSF
For example:
$ cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
         MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
         SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
         Signature algorithm name: SHA1withRSA
         Version: 3


*******************************************
*******************************************


Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
         MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
         SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
         Signature algorithm name: MD5withRSA
         Version: 1


*******************************************
*******************************************
There is no automatic mechanism for removing certificates from the JKS when they expire. As administrator, you must determine when a certificate has expired and remove it.
This section contains the following topics:
As explained in Section O.3, "Listing the Contents of odsm.cer Java Key Store", you list all certificates in odsm.cer by using keytool. The listing contains the validity dates for each certificate. For example, the following certificate is valid until Sat Oct 31 09:41:23 PDT 2008:
Alias name: cn=ovd, ou=development, o=MyCompany, l=redwood shores, st=california, c=us (1241455283)
Creation date: May 5, 2008
Entry type: trustedCertEntry

Owner: CN=OVD, OU=Development, O=MyCompany, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 49ff1ab3
Valid from: Mon May 04 09:41:23 PDT 2008 until: Sat Oct 31 09:41:23 PDT 2008
Certificate fingerprints:
         MD5:  93:0E:41:5E:95:88:71:BD:8A:49:ED:A9:29:3B:0A:1E
         SHA1: 84:C6:75:60:D9:BE:7B:CA:D6:8B:B5:4B:97:E4:20:39:44:82:FE:93
         Signature algorithm name: SHA1withRSA
         Version: 3
If a certificate's validity period has expired, delete it using keytool as explained in the next section.
To delete a certificate from odsm.cer, use the keytool command, as follows:
cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
    -storepass password_obtained_from_CSF \
    -alias "cn=rootca, o=oracle, c=us (0)"
For example:
$> JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
    -storepass "&M)S86)/RB" -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]
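Because there is no automatic expiry check, the following added example (not part of this documentation, and run with a standard Python 3 interpreter rather than WLST) parses a keytool -list -v listing such as the one above, reports the entries whose validity ended before a reference date, and builds the keytool -delete command for each expired trusted certificate. The listing is constructed sample input, and the store password and reference date are assumed values; an expired PrivateKeyEntry is ODSM's own key, so it is reported for replacement rather than deleted.

```python
import re
import shlex
from datetime import datetime

# Constructed sample of `keytool -list -v` output, reduced to the lines parsed below.
SAMPLE_LISTING = """\
Alias name: serverselfsigned
Entry type: PrivateKeyEntry
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Alias name: cn=rootca, o=oracle, c=us (0)
Entry type: trustedCertEntry
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Alias name: cn=ovd, ou=development, o=mycompany, c=us (1241455283)
Entry type: trustedCertEntry
Valid from: Mon May 04 09:41:23 PDT 2008 until: Sat Oct 31 09:41:23 PDT 2008
"""
# "until: Sat Oct 31 09:41:23 PDT 2008": the zone token is matched but dropped,
# because strptime's %Z only accepts UTC, GMT and the local zone name.
UNTIL_RE = re.compile(r"until: (\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")

def parse_listing(listing):
    """Return [(alias, entry_type, not_after)]; only the first 'until:' after an alias
    (the entry's own certificate) is used, later chain certificates are skipped."""
    entries, alias, etype = [], None, None
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            alias, etype = line[len("Alias name: "):].strip(), None
        elif line.startswith("Entry type: "):
            etype = line[len("Entry type: "):].strip()
        elif alias is not None and (m := UNTIL_RE.search(line)):
            until = datetime.strptime("%s %s" % m.groups(), "%a %b %d %H:%M:%S %Y")
            entries.append((alias, etype, until))
            alias = None
    return entries

def expired_entries(listing, now):
    """Entries whose validity ended before `now`, oldest expiry first."""
    return sorted((e for e in parse_listing(listing) if e[2] < now), key=lambda e: e[2])

def delete_commands(listing, now, storepass, keystore="odsm.cer"):
    """One `keytool -delete` per expired trusted certificate. An expired PrivateKeyEntry
    is ODSM's own key and needs a replacement certificate, so it is only reported."""
    cmds = []
    for alias, etype, until in expired_entries(listing, now):
        if etype == "PrivateKeyEntry":
            cmds.append("# %s expired on %s: replace it rather than deleting it" % (alias, until.date()))
        else:  # shlex.quote protects aliases with spaces and passwords such as &M)S86)/RB
            cmds.append("$JAVA_HOME/bin/keytool -delete -keystore %s -storepass %s -alias %s"
                        % (keystore, shlex.quote(storepass), shlex.quote(alias)))
    return cmds
```

Feed it the real output of keytool -list -v and the current date to get the commands to review before running them against odsm.cer.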