Thursday, June 18, 2015

OIM 11G R2 PS2 : How to generate self-signed certificates and use them for OIM to DB SSL connectivity

ROOT CA WALLET

Navigate to the following path:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin

Create a wallet by using the command:
./orapki wallet create -wallet /home/oracle/wallet/root -pwd welcome1

Add a self-signed certificate to the CA wallet by using the command:
./orapki wallet add -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1

View the wallet using the command:
./orapki wallet display -wallet /home/oracle/wallet/root -pwd welcome1

Export the self-signed certificate from the CA wallet using the command:
./orapki wallet export -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1

DB Server Side Wallet

Create a server wallet using the command:
./orapki wallet create -wallet /home/oracle/wallet/server -auto_login -pwd welcome1

Add a certificate request to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1

Export the certificate request to a file; it will be signed later with the root CA:
./orapki wallet export -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request /home/oracle/wallet/server/server_creq.csr -pwd welcome1

Sign the server wallet's certificate request with the root CA:
./orapki cert create -wallet /home/oracle/wallet/root -request /home/oracle/wallet/server/server_creq.csr -cert /home/oracle/wallet/server/server_creq_signed.cert -validity 3650 -pwd welcome1

View the signed certificate using the command:
./orapki cert display -cert /home/oracle/wallet/server/server_creq_signed.cert -complete

Import the root CA certificate into the server wallet as a trusted certificate using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -trusted_cert -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1

Import the newly signed certificate (user certificate) into the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -user_cert -cert /home/oracle/wallet/server/server_creq_signed.cert -pwd welcome1

OIM - Creating Client Side Wallet

1. Use the default-keystore.jks keystore, located in the following path, as the client keystore:

cd /home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert -storepass xellerate

2. Import the self-signed CA certificate that you exported earlier with the orapki commands on the server side into the client keystore (default-keystore.jks) as a trusted certificate. Both commands import the same certificate under the alias dbtrusted; this form omits -storepass, so keytool prompts for the keystore password:
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert
Keystore password: Abcd1234 (same as the xelsysadm password)


3. Import the CA certificate and the signed server certificate into the WebLogic server's cacerts keystore as well:
cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib
keytool -import -trustcacerts -alias root_ca -noprompt -keystore cacerts -file /home/oracle/wallet/root/self_signed_CA.cert
keytool -import -trustcacerts -alias server_ca -noprompt -keystore cacerts -file /home/oracle/wallet/server/server_creq_signed.cert


Updating Oracle Identity Manager

Perform the following steps in Oracle Identity Manager to put Oracle Identity Manager and the Oracle Identity Manager DB in SSL mode for secure communication:

1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.

2. Log in to Enterprise Manager.

3. Navigate to Identity and Access, OIM.

4. Right click and navigate to System MBean Browser.

5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.

6. Change the values of the attributes "Sslenabled" and "Url" and click Apply. If SSL mode is enabled for the DB, the "Url" must use the TCPS protocol and the SSL port. For example:

   url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=my.domain.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=proddb)))"

7. Restart the Oracle Identity Manager server.

This updated /db/oim-config.xml in MDS, as checked by exporting it.

Update the data sources:

For oimJMSStoreDS, oimOperationsDB and mds-oim, set the connection URL to the TCPS descriptor and add the trust store connection properties:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))
javax.net.ssl.trustStorePassword=Abcd1234
javax.net.ssl.trustStore=/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
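With three data sources to edit by hand, it is easy to leave one URL on PROTOCOL=TCP or to forget one of the javax.net.ssl properties. The following Python script is an added example and is not part of the original post or of Oracle's tooling: it parses the thin-driver connect descriptor syntax used in the URLs above, flags any address that is not TCPS, checks that the three trust store properties are set, and builds a TCPS URL from host, port and service name. It goes slightly beyond the page by also handling ADDRESS_LIST groups with several addresses. The sample URLs and property values inside it are constructed to mirror the post's examples; nothing is read from a live domain.

```python
"""Check OIM data source settings for DB SSL (TCPS) connectivity.
Added example; the sample URLs and properties below are constructed, not taken from a live domain."""

JDBC_PREFIX = "jdbc:oracle:thin:@"

# Constructed samples modelled on the post's own URLs: one correct TCPS URL, one left on plain TCP.
SAMPLE_TCPS_URL = (JDBC_PREFIX + "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)"
                   "(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))")
SAMPLE_TCP_URL = (JDBC_PREFIX + "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)"
                  "(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))")
SAMPLE_PROPS = {
    "javax.net.ssl.trustStore": "/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks",
    "javax.net.ssl.trustStorePassword": "Abcd1234",
    "javax.net.ssl.trustStoreType": "JKS",
}
REQUIRED_PROPS = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword", "javax.net.ssl.trustStoreType")


def parse_descriptor(text):
    """Parse an Oracle Net connect descriptor, i.e. nested (KEY=VALUE) groups such as
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=h)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=s))),
    into nested dicts. A key repeated at one level (several ADDRESS entries) becomes a list."""
    pos = 0
    n = len(text)

    def skip_ws():
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def parse_node():
        nonlocal pos
        skip_ws()
        if pos >= n or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.find("=", pos)
        if eq < 0:
            raise ValueError(f"missing '=' after offset {pos}")
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if pos < n and text[pos] == "(":
            value = {}
            while pos < n and text[pos] == "(":       # a group of nested nodes
                k, v = parse_node()
                if k in value:                          # repeated key -> list
                    if not isinstance(value[k], list):
                        value[k] = [value[k]]
                    value[k].append(v)
                else:
                    value[k] = v
                skip_ws()
        else:                                           # scalar value up to the closing ')'
            close = text.find(")", pos)
            if close < 0:
                raise ValueError(f"unterminated value after offset {pos}")
            value = text[pos:close].strip()
            pos = close
        if pos >= n or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = parse_node()
    skip_ws()
    if pos != n:
        raise ValueError(f"trailing data at offset {pos}")
    return {key: value}


def parse_jdbc_url(url):
    """Strip the thin-driver prefix and parse the descriptor part of a data source URL."""
    if not url.startswith(JDBC_PREFIX):
        raise ValueError("not a thin-driver descriptor URL (expected prefix jdbc:oracle:thin:@)")
    return parse_descriptor(url[len(JDBC_PREFIX):])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def addresses(desc):
    """Every ADDRESS node under DESCRIPTION, whether direct or inside ADDRESS_LIST groups."""
    description = desc.get("DESCRIPTION", {})
    groups = [description] + [g for g in _as_list(description.get("ADDRESS_LIST", [])) if isinstance(g, dict)]
    found = []
    for group in groups:
        found.extend(a for a in _as_list(group.get("ADDRESS", [])) if isinstance(a, dict))
    return found


def check_datasource(url, props):
    """Return a list of findings for one data source. An empty list means every address
    uses PROTOCOL=TCPS and all javax.net.ssl trust store properties are present."""
    findings = []
    addrs = addresses(parse_jdbc_url(url))
    if not addrs:
        findings.append("descriptor contains no ADDRESS entry")
    for addr in addrs:
        proto = str(addr.get("PROTOCOL", "")).upper()
        if proto != "TCPS":
            findings.append(f"{addr.get('HOST')}:{addr.get('PORT')} uses PROTOCOL={proto or 'missing'}; expected TCPS")
    for key in REQUIRED_PROPS:
        if not props.get(key):
            findings.append(f"connection property {key} is not set")
    return findings


def build_tcps_url(host, port, service_name):
    """Build a single-address TCPS URL in the form the post uses for the data sources."""
    return (f"{JDBC_PREFIX}(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST={host})(PORT={int(port)}))"
            f"(CONNECT_DATA=(SERVICE_NAME={service_name})))")


if __name__ == "__main__":
    for name, url in (("oimOperationsDB (sample)", SAMPLE_TCPS_URL), ("mds-oim (sample)", SAMPLE_TCP_URL)):
        problems = check_datasource(url, SAMPLE_PROPS)
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the URL and the connection properties of each of the three data sources (copied from the WebLogic console or the domain's config/jdbc files); an empty findings list means the data source matches the configuration above. The script checks only that the properties are present, not that the trust store file exists or that the DB listener actually answers on the TCPS port; the MBean URL from the previous section can be fed to the same check.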

Updating Oracle Identity Manager Authenticators

The existing Oracle Identity Manager authenticators in the WebLogic server are configured against non-SSL DB details and do not use the data sources to communicate with the Oracle Identity Manager DB. To make the authenticators use the SSL DB details, perform the following:

1. Ensure that the data sources are configured for SSL.

2. In the WebLogic Administration Console, navigate to Security Realms, myrealm, Providers.

3. Remove OIMAuthenticationProvider.

4. Create an authentication provider of type "OIMAuthenticator" and set its control flag to SUFFICIENT.

5. Create an authentication provider of type "OIMSignatureAuthenticator" and set its control flag to SUFFICIENT.

6. Reorder the authenticators as:

        DefaultAuthenticator
        OIMAuthenticator
        OIMSignatureAuthenticator
        Other providers, if any

7. Restart all servers.