ROOT CA WALLET
Navigate to the following path:
/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
Create a wallet by using the command:
./orapki wallet create -wallet /home/oracle/wallet/root -pwd welcome1
Add a self-signed certificate to the CA wallet by using the command:
./orapki wallet add -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -keysize 2048 -self_signed -validity 3650 -pwd welcome1
View the wallet using the command:
./orapki wallet display -wallet /home/oracle/wallet/root -pwd welcome1
Export the self-signed certificate from the CA wallet using the command:
./orapki wallet export -wallet /home/oracle/wallet/root -dn 'CN=root_test,C=US' -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
DB SERVER WALLET
Create a server wallet using the command:
./orapki wallet create -wallet /home/oracle/wallet/server -auto_login -pwd welcome1
Add a certificate request to the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -pwd welcome1
Export the certificate request to a file, which will later be signed by the root CA:
./orapki wallet export -wallet /home/oracle/wallet/server -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request /home/oracle/wallet/server/server_creq.csr -pwd welcome1
Sign the server wallet's certificate request with the CA wallet:
./orapki cert create -wallet /home/oracle/wallet/root -request /home/oracle/wallet/server/server_creq.csr -cert /home/oracle/wallet/server/server_creq_signed.cert -validity 3650 -pwd welcome1
View the signed certificate using the command:
./orapki cert display -cert /home/oracle/wallet/server/server_creq_signed.cert -complete
Import the trusted (CA) certificate into the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -trusted_cert -cert /home/oracle/wallet/root/self_signed_CA.cert -pwd welcome1
Import the newly signed certificate (user certificate) into the server wallet using the command:
./orapki wallet add -wallet /home/oracle/wallet/server -user_cert -cert /home/oracle/wallet/server/server_creq_signed.cert -pwd welcome1
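The ROOT CA WALLET and DB SERVER WALLET procedures above as one script. This is an added example and not code from the original page: it issues the same orapki commands in the same order, reads the wallet password once from an assumed ORAPKI_WALLET_PWD environment variable, masks it in the printed command lines, and checks after each step that the file the next step depends on was actually written. The DNs, paths and validity are the page's; ORAPKI_HOME, WALLET_BASE, ORAPKI_APPLY and the check on the ewallet.p12 file are assumptions of this example. Note that orapki still receives the password as a -pwd command-line argument, so it is visible in the process listing and the shell history while the script runs.

```python
"""Added example, not from the original page: run the ROOT CA WALLET and
DB SERVER WALLET steps above as one ordered procedure, with a dry run that
prints the password-masked command lines before anything is written."""
import os
import subprocess
from pathlib import Path

# DNs, paths and validity are the page's values. ORAPKI_HOME, WALLET_BASE,
# ORAPKI_WALLET_PWD and ORAPKI_APPLY are assumed environment variables.
ORAPKI = Path(os.environ.get(
    "ORAPKI_HOME", "/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin")) / "orapki"
WALLET_BASE = Path(os.environ.get("WALLET_BASE", "/home/oracle/wallet"))
ROOT_WALLET = WALLET_BASE / "root"
SERVER_WALLET = WALLET_BASE / "server"
CA_DN = "CN=root_test,C=US"
SERVER_DN = "CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US"
CA_CERT = ROOT_WALLET / "self_signed_CA.cert"
SERVER_CSR = SERVER_WALLET / "server_creq.csr"
SERVER_CERT = SERVER_WALLET / "server_creq_signed.cert"
VALIDITY_DAYS = 3650


def wallet_steps(pwd):
    """The orapki invocations in the order the page gives them. Each entry is
    (description, argv, file that must exist afterwards or None); ewallet.p12
    is the wallet file that 'orapki wallet create' writes into the directory."""
    o, root, srv = str(ORAPKI), str(ROOT_WALLET), str(SERVER_WALLET)
    return [
        ("create CA wallet",
         [o, "wallet", "create", "-wallet", root, "-pwd", pwd], ROOT_WALLET / "ewallet.p12"),
        ("add self-signed CA certificate",
         [o, "wallet", "add", "-wallet", root, "-dn", CA_DN, "-keysize", "2048",
          "-self_signed", "-validity", str(VALIDITY_DAYS), "-pwd", pwd], None),
        ("export CA certificate",
         [o, "wallet", "export", "-wallet", root, "-dn", CA_DN,
          "-cert", str(CA_CERT), "-pwd", pwd], CA_CERT),
        ("create auto-login server wallet",
         [o, "wallet", "create", "-wallet", srv, "-auto_login", "-pwd", pwd],
         SERVER_WALLET / "ewallet.p12"),
        ("add server certificate request",
         [o, "wallet", "add", "-wallet", srv, "-dn", SERVER_DN,
          "-keysize", "2048", "-pwd", pwd], None),
        ("export certificate request",
         [o, "wallet", "export", "-wallet", srv, "-dn", SERVER_DN,
          "-request", str(SERVER_CSR), "-pwd", pwd], SERVER_CSR),
        ("sign the request with the CA wallet",
         [o, "cert", "create", "-wallet", root, "-request", str(SERVER_CSR),
          "-cert", str(SERVER_CERT), "-validity", str(VALIDITY_DAYS), "-pwd", pwd],
         SERVER_CERT),
        ("import CA certificate as trusted certificate",
         [o, "wallet", "add", "-wallet", srv, "-trusted_cert",
          "-cert", str(CA_CERT), "-pwd", pwd], None),
        ("import signed certificate as user certificate",
         [o, "wallet", "add", "-wallet", srv, "-user_cert",
          "-cert", str(SERVER_CERT), "-pwd", pwd], None),
    ]


def redact(argv, pwd):
    """Render a command line with the wallet password masked, safe to log."""
    return " ".join("******" if arg == pwd else arg for arg in argv)


def run_procedure(pwd, dry_run=True, runner=subprocess.run):
    """Run the steps in order, stopping at the first failing command or missing
    output file. Returns the redacted command lines that were (or would be) run."""
    executed = []
    for desc, argv, expected in wallet_steps(pwd):
        executed.append(f"{desc}: {redact(argv, pwd)}")
        if dry_run:
            continue
        runner(argv, check=True)  # raises CalledProcessError on a non-zero exit
        if expected is not None and not expected.exists():
            raise RuntimeError(f"{desc}: expected output {expected} was not created")
    return executed


if __name__ == "__main__":
    password = os.environ.get("ORAPKI_WALLET_PWD", "welcome1")
    for line in run_procedure(password, dry_run=os.environ.get("ORAPKI_APPLY") != "1"):
        print(line)
```

Run it once without ORAPKI_APPLY to review the command lines, then with ORAPKI_APPLY=1 on the database host to execute them; the check on each step's output file means a failed export or signing stops the run before a half-built server wallet is imported into.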
OIM SERVER - CREATING CLIENT SIDE WALLET
1. Create a client keystore using the default-keystore.jks keystore, which is located in the following path:
cd /home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert -storepass xellerate
2. Import the self-signed CA trusted certificate that you exported earlier with the server-side commands into the client keystore (default-keystore.jks) by using the command:
keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore default-keystore.jks -file /home/oracle/wallet/root/self_signed_CA.cert
Password - Abcd1234 (same as xelsysadm)
Import the CA certificate and the signed server certificate into the WebLogic server's cacerts keystore as well:
cd /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib
keytool -import -trustcacerts -alias root_ca -noprompt -keystore cacerts -file /home/oracle/wallet/root/self_signed_CA.cert
keytool -import -trustcacerts -alias server_ca -noprompt -keystore cacerts -file /home/oracle/wallet/server/server_creq_signed.cert
Updating Oracle Identity Manager
You need to perform the following steps in Oracle Identity Manager to enable Oracle Identity Manager and the Oracle Identity Manager DB in SSL mode for secure communication:
1. Import the trusted certificate into the default-keystore.jks keystore of Oracle Identity Manager.
2. Log in to Enterprise Manager.
3. Navigate to Identity and Access, OIM.
4. Right click and navigate to System MBean Browser.
5. Under Application Defined MBeans, navigate to oracle.iam, Application:oim, XMLConfig, Config, XMLConfig.DirectDBConfig, and DirectDB.
6. Change the values of the attributes "Sslenabled" and "Url" and click Apply. If SSL mode is enabled for the DB, then "Url" must use the TCPS protocol and the SSL port. For example:
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))"
7. Restart the Oracle Identity Manager server.
8. This updates /db/oim-config.xml in the MDS, which can be checked by exporting it.
Update the Datasources:
For oimJMSStoreDS, oimOperationsDB and mds-oim, set the URL to:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=localhost.localdomain)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))
and add the following connection properties:
javax.net.ssl.trustStorePassword=Abcd1234
javax.net.ssl.trustStore=/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks
javax.net.ssl.trustStoreType=JKS
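An added check for the datasource and DirectDB "Url" settings above; it is not part of the original page. It parses the jdbc:oracle:thin connect descriptor, handling both the compact form used here and the spaced ADDRESS_LIST form that appears in the OIM section further down, and reports any datasource whose ADDRESS is not PROTOCOL=TCPS on the SSL port or whose javax.net.ssl trust-store properties are missing. The URL, port 1522 and property values are the page's; the function names, the finding messages and the TCP sample datasource are constructed for this example.

```python
"""Added example, not from the original page: parse the jdbc:oracle:thin connect
descriptor of the OIM datasources and the DirectDB "Url", and flag any datasource
that is not on TCPS with the expected trust-store properties."""
JDBC_PREFIX = "jdbc:oracle:thin:@"

# Page values for idmdomain; TCP_URL is constructed to show how a datasource
# that was not switched over shows up in the audit.
TCPS_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)"
            "(HOST=localhost.localdomain)(PORT=1522))"
            "(CONNECT_DATA=(SERVICE_NAME=orcl.localdomain)))")
TCP_URL = TCPS_URL.replace("PROTOCOL=TCPS", "PROTOCOL=TCP").replace("1522", "1521")
SSL_PROPS = {
    "javax.net.ssl.trustStorePassword": "Abcd1234",
    "javax.net.ssl.trustStore": "/home/oracle/Oracle/Middleware/user_projects/domains/idmdomain/config/fmwconfig/default-keystore.jks",
    "javax.net.ssl.trustStoreType": "JKS",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def parse_descriptor(text):
    """Parse a TNS-style '(KEY=VALUE)' descriptor into nested dicts: keys are
    upper-cased, whitespace is ignored, a repeated key becomes a list of values."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_group():
        nonlocal pos
        node = {}
        skip_ws()
        while pos < len(text) and text[pos] == "(":
            eq = text.index("=", pos)
            key = text[pos + 1:eq].strip().upper()
            pos = eq + 1
            skip_ws()
            if pos < len(text) and text[pos] == "(":
                value = parse_group()                 # nested group
            else:
                end = text.index(")", pos)            # scalar up to the closing paren
                value, pos = text[pos:end].strip(), end
            skip_ws()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            node[key] = as_list(node[key]) + [value] if key in node else value
            skip_ws()
        return node

    tree = parse_group()
    if pos != len(text):
        raise ValueError(f"unexpected data at offset {pos}")
    return tree


def find_addresses(node):
    """Every ADDRESS dict in a parsed descriptor, however deeply nested."""
    found = []
    for item in as_list(node):
        if not isinstance(item, dict):
            continue
        for key, value in item.items():
            if key == "ADDRESS":
                found += [v for v in as_list(value) if isinstance(v, dict)]
            else:
                found += find_addresses(value)
    return found


def audit_datasource(name, url, props, expected_port="1522"):
    """Findings for one datasource; an empty list means it is fully on SSL."""
    try:
        if not url.startswith(JDBC_PREFIX):
            raise ValueError("not a jdbc:oracle:thin URL")
        addrs = find_addresses(parse_descriptor(url[len(JDBC_PREFIX):]))
    except ValueError as exc:
        return [f"{name}: unparsable URL ({exc})"]
    findings = [] if addrs else [f"{name}: no ADDRESS in connect descriptor"]
    for addr in addrs:
        proto = str(addr.get("PROTOCOL", "")).upper()
        if proto != "TCPS":
            findings.append(f"{name}: {addr.get('HOST')}:{addr.get('PORT')} uses {proto or 'no protocol'}, not TCPS")
        elif str(addr.get("PORT")) != expected_port:
            findings.append(f"{name}: TCPS address is on port {addr.get('PORT')}, expected {expected_port}")
    for key in ("javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType"):
        if props.get(key) != SSL_PROPS[key]:
            findings.append(f"{name}: {key} is {props.get(key)!r}, expected {SSL_PROPS[key]!r}")
    if not props.get("javax.net.ssl.trustStorePassword"):
        findings.append(f"{name}: javax.net.ssl.trustStorePassword is not set")
    return findings


if __name__ == "__main__":  # constructed sample: mds-oim was left on plain TCP
    for name, url, props in [("oimOperationsDB", TCPS_URL, SSL_PROPS), ("mds-oim", TCP_URL, {})]:
        print("\n".join(audit_datasource(name, url, props)) or f"{name}: OK")
```

Feed it the URL and connection properties of each datasource (and the DirectDB "Url") after the change; a datasource that still reports a TCP address or a missing trust store is one the authenticators in the next section would also fail against.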
Updating Oracle Identity Manager Authenticators
The existing Oracle Identity Manager authenticators in the WebLogic server are configured against non-SSL DB details and they do not use datasources for communicating with the Oracle Identity Manager DB. In order to use SSL DB details in the authenticators, you must perform the following:
1. Ensure that the Datasources are configured for SSL.
2. In the WebLogic Administration Console, navigate to Security Realms, myrealm, Providers.
3. Remove OIMAuthenticationProvider.
4. Create an authentication provider of type "OIMAuthenticator" and mark the control flag as SUFFICIENT.
5. Create an authentication provider of type "OIMSignatureAuthenticator" and mark the control flag as SUFFICIENT.
6. Reorder the authenticators as:
DefaultAuthenticator
OIMAuthenticator
OIMSignatureAuthenticator
Other providers, if any
7. Restart all servers.
Additional Configuration DB Side Steps if required
DATABASE
Open netmgr:
>netmgr
Go to Profile -> Oracle Advanced Security -> SSL -> Server and type /opt/oracle/oracle/product/11.2.0/db_1/owm/wallets/mywallet as the Wallet Directory.
Uncheck the "Require Client Authentication" box.
Then go to Listeners and change the protocol of Address2 to TCP/IP with SSL.
Open tnsnames.ora and change the local listener to port 1522.
Restart the database and the listener:
>lsnrctl stop
>lsnrctl start
OIM
Import Root.ca and SubRoot.ca into the Java, WebLogic and OIM keystores. Also create jdbcKeystore with those certificates.
Then in WebLogic change each datasource. Change the connection string to:
jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = tcps)(HOST = 172.27.89.21)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = orcl)))
And add the following to the connection parameters:
javax.net.ssl.trustStorePassword=84c80J9f
javax.net.ssl.trustStore=/opt/oracle/Oracle/Middleware/user_projects/domains/oim_domain/config/fmwconfig/jdbcKeystore.jks
javax.net.ssl.trustStoreType=JKS
Also change the connect string of the OIMAuthenticator and the DirectDB config