Creating Self-Signed SSL Cert for Oracle Internet Directory using WLST

While creating a Self-Signed Certificate for OID v11.1.1.5 (using WLST) I realized that many commands contained in Oracle’s documentation were either outdated or incorrect.

Below is a quick run-through of the commands needed to create the certificate and then update OID to make use of it. Feel free to independently examine the original commands in the OID Administration Guide, but I've found that the modifications below are required to successfully configure SSL in OID.

These steps originate from the Fusion Middleware Administration Guide for OID, section 26.3 "Configuring SSL by Using WLST"; see the guide for the original commands.

The same three steps as listed in the guide are necessary:

1. Create the Wallet

2. Configure SSL Parameters

3. Restart OID and Update Registration

 

1. Create the Wallet

- To create the wallet, start WLST:

MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh

- At the WLST prompt:

connect('weblogic_user','weblogic_pw','adminserver_host:weblogic_port')

e.g. connect('weblogic','password1','localhost:7001')

- Next, change to the custom MBean tree where the wallet and certificate will be created:

custom()

cd('oracle.as.oid')

Assumption: Oracle_Instance=MW_HOME/asinst_1 and the OID instance is oid1.

Existing OID wallets can be listed with:

listWallets('asinst_1','oid1','oid')

- Create a new wallet:

createWallet('asinst_1','oid1','oid','WALLET_NAME','WALLET_PASSWORD')

e.g. createWallet('asinst_1','oid1','oid','NewWallet','abracadabra')

- Add a self-signed certificate to the newly created wallet (WLST is case-sensitive, so the command must start with a lowercase "a"):

addSelfSignedCertificate('asinst_1','oid1','oid','WALLET_NAME','WALLET_PASSWORD','cn=INSTANCE_HOST_NAME','key_size')

e.g. addSelfSignedCertificate('asinst_1','oid1','oid','NewWallet','abracadabra','cn=www.test.com','1024')

 

2. Configure SSL Parameters

The next step in WLST is to set up SSL for oid1, but first we need to create an SSL settings file.

- In another window, create a file somewhere within your install. Creating it in the "config" folder of the OID instance you're setting up keeps it handy:

e.g. /path/to/Middleware/asinst_1/config/OID/oid1/

- I generally recommend naming it something meaningful, such as "ssl_settings.prop".

 

Using my examples, you could create the following:

/path/to/Middleware/asinst_1/config/OID/oid1/ssl_settings.prop

It contains the following variables:

- KeyStore=WALLET_NAME

- AuthenticationType=auth-type

- SSLVersions=version

- Ciphers=cipher

- SSLEnabled=true

NOTE: all of the possible values for these variables are documented in the Oracle guide.

 

The "actual" values I would use:

- KeyStore=NewWallet

- AuthenticationType=Server

- SSLVersions=nzos_Version_3_0

- Ciphers=SSL_RSA_WITH_RC4_128_MD5

- SSLEnabled=true

- Now that the file is created, go back to the WLST window and configure the SSL settings:

configureSSL('asinst_1','oid1','oid','sslport1','/path/to/Middleware/asinst_1/config/OID/oid1/ssl_settings.prop')
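To run steps 1 and 2 without typing each command at the prompt, here is an added example (my own code, not from the post or from Oracle's documentation) of a WLST script that builds and checks the ssl_settings.prop file and then issues the same createWallet, addSelfSignedCertificate and configureSSL calls. It assumes the sample values used above (asinst_1, oid1, NewWallet, abracadabra, www.test.com, sslport1 and the /path/to/Middleware/... path) and that it is launched with wlst.sh; the WLST built-ins only exist inside that shell, so the file-handling helpers are kept as plain Python. The checks also flag the two values from the example file that select obsolete crypto (nzos_Version_3_0 is SSL 3.0, and SSL_RSA_WITH_RC4_128_MD5 relies on RC4 and MD5), because most current LDAP clients refuse SSL 3.0 and the LDAPS login at the end would fail for that reason rather than because of the wallet.

```python
# Added example, not code from the original post or from Oracle: a non-interactive
# WLST script that carries out steps 1 and 2 above in one run. The WLST built-ins
# (connect, custom, cd, createWallet, addSelfSignedCertificate, configureSSL,
# disconnect) exist only inside wlst.sh; the helpers that build, write and check
# ssl_settings.prop are plain Python so they can be tested anywhere. Written in
# Jython-2.2-compatible syntax (no 'with', no 'except ... as') because 11g WLST
# runs on an old Jython. All host names, passwords and paths are sample values.
import os

# The five keys the post puts in ssl_settings.prop, in the order it lists them.
REQUIRED_KEYS = ('KeyStore', 'AuthenticationType', 'SSLVersions', 'Ciphers', 'SSLEnabled')


def build_ssl_settings(wallet_name, auth_type, ssl_versions, ciphers):
    """Settings as an ordered list of (key, value) pairs. KeyStore must be the
    same name that is passed to createWallet()."""
    return [('KeyStore', wallet_name),
            ('AuthenticationType', auth_type),
            ('SSLVersions', ssl_versions),
            ('Ciphers', ciphers),
            ('SSLEnabled', 'true')]


def render_properties(pairs):
    """Serialise the pairs as key=value lines (Java .properties style)."""
    return ''.join(['%s=%s\n' % (k, v) for (k, v) in pairs])


def parse_properties(text):
    """Read key=value lines back into a dict; blank lines and # comments are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError('malformed properties line: %r' % line)
        key, value = line.split('=', 1)
        result[key.strip()] = value.strip()
    return result


def settings_errors(settings, wallet_name):
    """Structural problems that would make configureSSL() fail or do nothing
    useful; an empty list means the file is consistent with the wallet."""
    errors = []
    for key in REQUIRED_KEYS:
        if key not in settings:
            errors.append('missing key: %s' % key)
    if settings.get('KeyStore') != wallet_name:
        errors.append('KeyStore %r does not name the wallet %r' % (settings.get('KeyStore'), wallet_name))
    if settings.get('SSLEnabled', '').lower() != 'true':
        errors.append('SSLEnabled is not true')
    return errors


def legacy_warnings(settings):
    """Values that work but select obsolete crypto: nzos_Version_3_0 is SSL 3.0,
    and the post's cipher suite relies on RC4 and MD5."""
    warnings = []
    if settings.get('SSLVersions') == 'nzos_Version_3_0':
        warnings.append('SSLVersions=nzos_Version_3_0 selects SSL 3.0')
    ciphers = settings.get('Ciphers', '')
    if 'RC4' in ciphers or 'MD5' in ciphers:
        warnings.append('Ciphers=%s uses RC4/MD5' % ciphers)
    return warnings


def write_settings_file(path, pairs):
    """Write the .properties file (creating the directory if needed); returns path."""
    directory = os.path.dirname(path)
    if directory and not os.path.isdir(directory):
        os.makedirs(directory)
    f = open(path, 'w')
    try:
        f.write(render_properties(pairs))
    finally:
        f.close()
    return path


def configure_oid_ssl(instance, component, wallet, wallet_pw, cn, key_size, port_name, prop_path):
    """Steps 1 and 2 of the post as WLST calls; only callable inside wlst.sh."""
    custom()
    cd('oracle.as.oid')
    createWallet(instance, component, 'oid', wallet, wallet_pw)
    addSelfSignedCertificate(instance, component, 'oid', wallet, wallet_pw, 'cn=' + cn, key_size)
    configureSSL(instance, component, 'oid', port_name, prop_path)


if __name__ in ('__main__', 'main'):   # WLST sets __name__ to 'main' for script files
    wallet = 'NewWallet'
    prop_path = '/path/to/Middleware/asinst_1/config/OID/oid1/ssl_settings.prop'
    pairs = build_ssl_settings(wallet, 'Server', 'nzos_Version_3_0', 'SSL_RSA_WITH_RC4_128_MD5')
    settings = parse_properties(render_properties(pairs))
    for msg in settings_errors(settings, wallet) + legacy_warnings(settings):
        print('settings check: ' + msg)
    if settings_errors(settings, wallet):
        raise SystemExit('fix ssl_settings.prop before configuring SSL')
    write_settings_file(prop_path, pairs)
    connect('weblogic', 'password1', 'localhost:7001')
    configure_oid_ssl('asinst_1', 'oid1', wallet, 'abracadabra', 'www.test.com', '1024', 'sslport1', prop_path)
    disconnect()
```

Save it under any name (say configure_oid_ssl.py, an assumed file name) and run MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh configure_oid_ssl.py. The settings check runs before anything touches WebLogic, so a typo in the wallet name or a missing key is caught while it is still cheap to fix; the legacy warnings are printed but do not stop the run, since the values are the ones the post uses.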

 

At this point, WebLogic has the SSL settings loaded. We still need to load those settings into the actual OID server using opmnctl.

 

 

3. Restart OID and Update Registration

- First, restart the oid1 server:

opmnctl stopproc 'ias-component=oid1'

opmnctl startproc 'ias-component=oid1'

- Update the component registration for OID:

opmnctl updatecomponentregistration componenttype=OID componentname=oid1 -Sport 3131 -Port 3060

  - componenttype and componentname should be self-explanatory

  - Sport is the SSL port

  - Port is the non-SSL port

I have found that both "-Sport" and "-Port" are required for the command to run properly.

Everything should be set up correctly and you should be able to log in to your OID server over LDAPS.
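As an added verification step (my own example, not part of the post), the following Python 3 script, meant to run from an administrator's workstation rather than inside WLST, confirms what "log in over LDAPS" depends on: that the SSL port presents the wallet's self-signed certificate with the CN given to addSelfSignedCertificate, and that it has not expired. Instead of switching certificate verification off, it pins the certificate exported from the wallet as the only trust anchor. The host, the port 3131 from the opmnctl command, and the PEM file name oid1-selfsigned.pem are sample values; exporting the certificate from the wallet to PEM is a separate step not shown here.

```python
# Added example, not part of the original post: check the LDAPS listener after
# step 3. The certificate exported from the wallet is pinned as the only trust
# anchor, and the served certificate is compared with the CN passed to
# addSelfSignedCertificate. Host, port and the PEM path are sample values.
import socket
import ssl
import time


def _name_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into {'commonName': 'x'}."""
    return dict(pair for rdn in rdn_sequence for pair in rdn)


def cert_problems(cert, expected_cn, now):
    """Return the problems found in a getpeercert()-style dict; [] means the
    server presented the expected, still-valid, self-signed certificate."""
    problems = []
    subject = _name_dict(cert.get('subject', ()))
    issuer = _name_dict(cert.get('issuer', ()))
    cn = subject.get('commonName')
    if cn != expected_cn:
        problems.append('subject CN %r does not match expected %r' % (cn, expected_cn))
    if subject != issuer:
        problems.append("issuer differs from subject, so this is not the wallet's self-signed certificate")
    not_after = ssl.cert_time_to_seconds(cert['notAfter'])   # epoch seconds
    if not_after <= now:
        problems.append('certificate expired (notAfter=%s)' % cert['notAfter'])
    return problems


def probe_ldaps(host, port, ca_pem_path, expected_cn, timeout=5.0):
    """Open a TLS connection to the LDAPS port trusting only ca_pem_path, and
    return (protocol, cipher, problems). A failed handshake is reported as a
    problem rather than raised, so the caller gets a single report. With the
    post's SSLVersions=nzos_Version_3_0 (SSL 3.0) a modern client context will
    refuse the handshake, which is exactly what this check should surface."""
    try:
        ctx = ssl.create_default_context(cafile=ca_pem_path)
        ctx.check_hostname = False      # the CN is compared explicitly in cert_problems()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                problems = cert_problems(tls.getpeercert(), expected_cn, time.time())
                return tls.version(), tls.cipher()[0], problems
    except OSError as exc:              # ssl.SSLError and socket errors are OSError subclasses
        return None, None, ['connection or handshake failed: %s' % exc]


if __name__ == '__main__':
    # Sample values: the host and CN used in the post, the SSL port from opmnctl,
    # and an assumed PEM export of the wallet's self-signed certificate.
    protocol, cipher, problems = probe_ldaps('www.test.com', 3131, 'oid1-selfsigned.pem', 'www.test.com')
    print('protocol=%s cipher=%s' % (protocol, cipher))
    for msg in problems:
        print('problem: ' + msg)
    raise SystemExit(1 if problems else 0)
```

A clean run prints the negotiated protocol and cipher and exits 0; anything else lists what is wrong. The issuer-equals-subject check is specific to the self-signed setup described here and would need to go if the wallet is later loaded with a CA-issued certificate.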