While creating a Self-Signed Certificate for OID v11.1.1.5 (using WLST) I realized that many commands contained in Oracle’s documentation were either outdated or incorrect.
The below is a quick run-through of the commands necessary to create the certificate and then update OID to make use of it. Feel free to independently examine the original commands in the OID Administration Guide, but I've found that the modifications below are required to successfully configure SSL in OID.
These steps originate from the Fusion Middleware Administration Guide for OID, section 26.3 "Configuring SSL by Using WLST" (see guide).
The same three steps as listed in the guide are necessary:
1. Create the Wallet
2. Configure SSL Parameters
3. Restart OID and Update Registration
1. Create the Wallet
· To create the wallet, connect to WLST
MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh
· At the WLST prompt:
connect('weblogic_user','weblogic_pw','adminserver_host:weblogic_port')
e.g. connect('weblogic','password1','localhost:7001')
· Next, we have to go to the custom MBean tree where the wallet and cert will be created
custom()
cd('oracle.as.oid')
Assumption – Oracle_Instance=MW_HOME/asinst_1 and the OID instance is oid1
Current OID wallets can be seen using the following:
listWallets('asinst_1','oid1','oid')
· Create a new Wallet:
createWallet('asinst_1','oid1','oid','WALLET_NAME','WALLET_PASSWORD')
e.g. createWallet('asinst_1','oid1','oid','NewWallet','abracadabra')
· Add a Self-Signed Certificate to the newly created wallet. The CN should be the host name that LDAPS clients will use to reach the server, otherwise their hostname verification will fail:
addSelfSignedCertificate('asinst_1','oid1','oid','WALLET_NAME','WALLET_PASSWORD','cn=INSTANCE_HOST_NAME','key_size')
e.g. addSelfSignedCertificate('asinst_1','oid1','oid','NewWallet','abracadabra','cn=www.test.com','1024')
2. Configure SSL Parameters
The next step in WLST is to set up SSL for oid1. We need to create an SSL settings file first, though.
· In another window, create a file somewhere within your install. Creating it in the "config" folder of the OID server instance you're setting up will keep it handy,
e.g. /path/to/Middleware/asinst_1/config/OID/oid1/
· I generally recommend naming it something meaningful like:
“ssl_settings.prop”
Using my examples, you could create the following:
/path/to/Middleware/asinst_1/config/OID/oid1/ssl_settings.prop
Containing the following variables:
§ KeyStore=WALLET_NAME
§ AuthenticationType=auth-type
§ SSLVersions=version
§ Ciphers=cipher
§ SSLEnabled=true
NOTE – All of the possible variable values are located here:
The "actual" values I would use:
§ KeyStore=NewWallet
§ AuthenticationType=Server
§ SSLVersions=nzos_Version_3_0
§ Ciphers=SSL_RSA_WITH_RC4_128_MD5
§ SSLEnabled=true
Note that nzos_Version_3_0 is SSLv3 and SSL_RSA_WITH_RC4_128_MD5 uses RC4 with MD5; both are now deprecated (SSLv3 because of POODLE, RC4 by RFC 7465), so for a production directory choose a TLS version and a non-RC4 cipher from the values your OID release supports.
· Now that the file is created, I can go back to the WLST window and configure the SSL settings:
configureSSL('asinst_1','oid1','oid','sslport1','/path/to/Middleware/asinst_1/config/OID/oid1/ssl_settings.prop')
At this point, WebLogic has the SSL settings loaded. We still need to load those settings into the actual OID server using opmnctl.
3. Restart OID and Update Registration
· First, restart the oid1 server:
opmnctl stopproc 'ias-component=oid1'
opmnctl startproc 'ias-component=oid1'
· Update the component registration for OID:
opmnctl updatecomponentregistration componenttype=OID componentname=oid1 -Sport 3131 -Port 3060
o componenttype and componentname should be self-explanatory
o Sport is the SSL port
o Port is the non-SSL port
I have found that both “-Sport” and “-Port” are required for the command to run properly.
Everything should now be set up correctly and you should be able to log in to your OID server over LDAPS.
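To tie the three steps together, here is an added helper script that is not part of the post or of Oracle's tooling. It writes the ssl_settings.prop file, generates the WLST (Jython) script for steps 1 and 2 from environment variables, and wraps the opmnctl restart and registration commands from step 3. The MW_HOME layout, the opmnctl path under the Oracle instance, the 2048-bit default key size (1024-bit RSA, as in the post's example, is below current minimums), and the default TLS version nzos_Version_1_0 and cipher SSL_RSA_WITH_AES_128_CBC_SHA are my assumptions; confirm the SSLVersions and Ciphers values against the property reference for your OID release. check_ssl_props verifies that all five keys are present and flags the SSLv3/RC4/MD5 values the post uses. Passwords are read from the environment rather than written into the script, and the generated WLST file is made private and removed after it runs.

```shell
#!/bin/sh
# Hypothetical helper for the OID SSL procedure (not from the post or Oracle).
# Assumed defaults; override any of them in the environment.
MW_HOME="${MW_HOME:-/path/to/Middleware}"
ORACLE_INSTANCE_NAME="${ORACLE_INSTANCE_NAME:-asinst_1}"
OID_COMPONENT="${OID_COMPONENT:-oid1}"
OID_HOST="${OID_HOST:-$(uname -n)}"          # CN must match the name clients connect to
WLS_USER="${WLS_USER:-weblogic}"
WLS_ADMIN_URL="${WLS_ADMIN_URL:-localhost:7001}"
WALLET_NAME="${WALLET_NAME:-NewWallet}"
KEY_SIZE="${KEY_SIZE:-2048}"                 # the post used 1024; 2048 is the usual minimum now
SSL_VERSIONS="${SSL_VERSIONS:-nzos_Version_1_0}"             # assumed TLS 1.0 value
CIPHERS="${CIPHERS:-SSL_RSA_WITH_AES_128_CBC_SHA}"            # assumed non-RC4 cipher
SSL_PORT="${SSL_PORT:-3131}"
NON_SSL_PORT="${NON_SSL_PORT:-3060}"
# WLS_PASSWORD and WALLET_PASSWORD are taken from the environment; never hard-code them.

# write_ssl_props DIR WALLET AUTHTYPE SSLVERSIONS CIPHERS
# Writes DIR/ssl_settings.prop with the five keys from step 2 and prints its path.
write_ssl_props() {
  dir=$1; wallet=$2; authtype=$3; versions=$4; ciphers=$5
  mkdir -p "$dir"
  printf 'KeyStore=%s\nAuthenticationType=%s\nSSLVersions=%s\nCiphers=%s\nSSLEnabled=true\n' \
    "$wallet" "$authtype" "$versions" "$ciphers" > "$dir/ssl_settings.prop"
  echo "$dir/ssl_settings.prop"
}

# check_ssl_props FILE
# Returns 0 when every required key is present and no SSLv3/RC4/MD5 setting is used.
check_ssl_props() {
  file=$1; rc=0
  for key in KeyStore AuthenticationType SSLVersions Ciphers SSLEnabled; do
    grep -q "^$key=" "$file" || { echo "missing $key in $file" >&2; rc=1; }
  done
  if grep -Eq '^SSLVersions=.*Version_3_0|^Ciphers=.*(RC4|MD5)' "$file"; then
    echo "weak SSL version or cipher in $file" >&2; rc=1
  fi
  return $rc
}

# write_wlst_script DIR WALLET PROPFILE
# Emits DIR/configure_oid_ssl.py, the WLST commands of steps 1 and 2, and prints its path.
write_wlst_script() {
  dir=$1; wallet=$2; propfile=$3
  mkdir -p "$dir"
  out="$dir/configure_oid_ssl.py"
  cat > "$out" <<EOF
connect('$WLS_USER','$WLS_PASSWORD','$WLS_ADMIN_URL')
custom()
cd('oracle.as.oid')
listWallets('$ORACLE_INSTANCE_NAME','$OID_COMPONENT','oid')
createWallet('$ORACLE_INSTANCE_NAME','$OID_COMPONENT','oid','$wallet','$WALLET_PASSWORD')
addSelfSignedCertificate('$ORACLE_INSTANCE_NAME','$OID_COMPONENT','oid','$wallet','$WALLET_PASSWORD','cn=$OID_HOST','$KEY_SIZE')
configureSSL('$ORACLE_INSTANCE_NAME','$OID_COMPONENT','oid','sslport1','$propfile')
exit()
EOF
  chmod 600 "$out"   # the script holds credentials: keep it private, delete it after use
  echo "$out"
}

# run_configure: the whole procedure against a live install (not run by default).
run_configure() {
  inst="$MW_HOME/$ORACLE_INSTANCE_NAME"
  confdir="$inst/config/OID/$OID_COMPONENT"
  props=$(write_ssl_props "$confdir" "$WALLET_NAME" Server "$SSL_VERSIONS" "$CIPHERS")
  check_ssl_props "$props" || return 1
  script=$(write_wlst_script "$confdir" "$WALLET_NAME" "$props")
  "$MW_HOME/oracle_common/common/bin/wlst.sh" "$script"; rc=$?
  rm -f "$script"
  [ $rc -eq 0 ] || return $rc
  "$inst/bin/opmnctl" stopproc "ias-component=$OID_COMPONENT"
  "$inst/bin/opmnctl" startproc "ias-component=$OID_COMPONENT"
  "$inst/bin/opmnctl" updatecomponentregistration componenttype=OID \
    componentname="$OID_COMPONENT" -Sport "$SSL_PORT" -Port "$NON_SSL_PORT"
}

# verify_ldaps: show the certificate OID now presents on the SSL port; the subject CN
# should be the host clients use and the validity dates should be as expected.
verify_ldaps() {
  openssl s_client -connect "$OID_HOST:$SSL_PORT" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -dates
}

if [ "${1:-}" = "run" ]; then run_configure && verify_ldaps; fi
```

Invoke it as `WLS_PASSWORD=... WALLET_PASSWORD=... sh oid_ssl.sh run` on the OID host; without the `run` argument the script only defines the functions, so the file generators can be exercised on a workstation first to review the properties file and WLST commands before touching the server.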