Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2) B14082-02 |
This chapter explains how to configure Secure Sockets Layer (SSL) for use with Oracle Internet Directory. With SSL in place, you can also configure strong authentication, data integrity, and data privacy.
A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
Table 13-1 lists the SSL cipher suites supported by Oracle Internet Directory and their corresponding authentication, encryption, and data integrity mechanisms.
Oracle Internet Directory clients can use SSL 2.0 or SSL 3.0. A client over SSL can connect to a server anonymously or by using either simple or strong authentication. Both protocol versions have since been deprecated by the IETF (SSL 2.0 in RFC 6176, SSL 3.0 in RFC 7568), so treat this as a legacy configuration, restrict the negotiated cipher suites to the strongest ones this release supports, and do not expose an SSL-only listener to untrusted networks.
When both a client and server authenticate themselves to each other, SSL derives the identity information it requires from the X.509 v3 digital certificates.
In Oracle Internet Directory 10g Release 2 (10.1.2), the Oracle directory replication server cannot communicate directly with an SSL-enabled LDAP server that supports two way (mutual) authentication. The replication server startup will fail and hang if the LDAP server is configured for SSL mutual authentication.
See Also: Chapter 5, "Oracle Directory Server Administration" for instructions on how to configure server instances
Use Oracle Wallet Manager to configure Oracle Internet Directory for SSL. To test the connection, use either the command line or Oracle Directory Manager.
Note: By default, the SSL port that is defined in configuration set 0 is set to authentication mode 1 (encryption only). Do not configure the SSL port of configset 0 with an authentication mode other than 1. Doing so will break Oracle Delegated Administration Services and other applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port.
During start-up of a directory server instance, the directory reads a set of configuration parameters, including the parameters for the SSL profile. If you are going to run the directory with SSL enabled, you need to examine—and possibly reconfigure—the SSL parameters in the configuration set entry.
To run a server instance in SSL-only mode, set the SSL Enable parameter in the configuration set to 1; the default SSL port is 3031. To have the same instance accept SSL and non-SSL connections concurrently, set SSL Enable to 2; the default non-SSL port is 3060.
You can create and modify multiple sets of configuration parameters with differing values, using a different configuration set entry for each instance of Oracle Internet Directory. This is a useful way to accommodate clients with different security needs.
Oracle Corporation recommends that you create separate configuration sets and modify their SSL values, rather than modify SSL values in the default configuration set. The default set may be required by Oracle Support Services in the diagnosis of certain technical issues.
You can examine and modify the values for the SSL configuration parameters in each configuration set entry that you have created and in each server instance that is currently running.
To view and modify SSL configuration parameters:
In the navigator pane, expand Oracle Internet Directory Servers, then directory server instance, then Server Management.
Expand either Directory Server or Replication Server, as appropriate. The numbered configuration sets are listed beneath your selection.
Select the configuration set that you want to examine. The group of tab pages for that configuration set entry appear in the right pane.
Select the SSL Settings tab page, modify the fields and save the changes. These fields are described in Table A-41.
See Also: "Managing Server Configuration Set Entries by Using Oracle Directory Manager" for information about changing parameters in a configuration set entry
For information about configuring SSL parameters from the command line, see:
"Managing Server Configuration Set Entries by Using Command-Line Tools"
"Oracle Internet Directory Server Administration Tools" in Oracle Identity Management User Reference for instructions on using the -p, -U, and -W flags to ldapadd and related commands to configure SSL
Configure the directory server for SSL as follows:
Start Oracle Wallet Manager.
On UNIX, set the DISPLAY environment variable and run owm.
On Windows, start the program by using either:
Start, then Programs, then ORACLE_HOME, then Network Administration, then Wallet Manager
Start, then Programs, then ORACLE_HOME, then Integrated Management Tools, then Wallet Manager
Select Wallet from the top menu bar and then New.
Choose and confirm the password.
A new empty wallet has been created.
Select YES to create a certificate request.
Enter the required information.
See Also: Oracle Advanced Security Administrator's Guide for information on using Oracle Wallet Manager.
Choose OK.
An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.
Choose Operations, then Export Certificate Request from the menu bar.
The Export Certificate Request dialog box appears.
Enter a file name for the request, such as usercert.req.
Save the wallet.
Note: When saving the wallet on Windows 2000, choose a directory path that does not contain spaces. Do not store the wallet in the default location, Documents and Settings\oracle\wallets.
Send the newly-created certificate request to your certificate authority.
See Also: for information on certificates from a Microsoft Certification Services Certificate Authority.
You should receive a user certificate and, if needed, a trusted certificate from your certificate authority. If your CA is not in Oracle Wallet Manager's default list, you must import a trusted certificate from your CA before you can import the user certificate.
To import the trusted certificate, choose Operations, then Import Trusted Certificate from the menu bar. The Import Trusted Certificate dialog panel appears. Choose either to paste the certificate in base64 format or to select a file containing the trusted certificate. Your new CA will appear in the list of Trusted Certificates.
To import the user certificate, choose Operations, then Import User Certificate from the menu bar. The Import Certificate dialog box appears. Choose either to paste the certificate in base64 format or to select a file containing the user certificate. The import succeeds only if the issuing CA is already present in the list of Trusted Certificates.
Select Wallet and save the wallet by selecting Wallet, then Save. Enable Auto Login by choosing Wallet from the menu bar, then choosing the check box next to the Auto Login menu item. A message at the bottom of the window displays Auto Login Enabled. A file called cwallet.sso is now present in your wallet directory.
Note: As of Oracle Internet Directory Release 9.0.2, only wallets with an auto-login file (cwallet.sso) are supported. For that reason, you must use Oracle Wallet Manager to open the wallet and to enable Auto Login before you start an SSL instance. Because cwallet.sso opens without a password, anyone who can read the file can use the server's private key: restrict read access to the wallet directory to the account that runs the directory server.
Open the Oracle Directory Manager and choose to add a new Configuration Set. Do not modify the Default Configuration Set.
Select the SSL Setup tab and enter the location of the wallet. For UNIX, the URL format is file://path/directory_of_wallet, for example:
file://etc/ORACLE/WALLET
For Windows, the URL format is file:\device:\path\wallet_directory, for example:
file:d:\wallet
Choose the SSL authentication method and configure the SSL port. The authentication methods are:
SSL Authentication Method | Authentication Behavior |
---|---|
No SSL Authentication | Neither the client nor the server authenticates itself to the other. No certificates are sent or exchanged. Only SSL encryption and decryption is used. |
SSL Server Authentication | The directory server authenticates itself to the client. The directory server sends the client a certificate verifying that the server is authentic. |
SSL Client and Server Authentication | The client and server authenticate themselves to each other and send certificates to each other. |
Choose a port for the SSL instance that no other instance on the host is using.
You now have three configuration sets: DefaultConfigset with a default SSL port and a default non-SSL port, the default Configset1, and your new Configset2 with a unique SSL port and a unique non-SSL port.
On Windows systems, you must perform an extra configuration step. You must change the login account of the Oracle Directory Service from the Local System account to the account of the user who owns the wallet, because that account must be able to read the wallet files. This user must be a member of the Administrators group. Change the account as follows:
On Windows, choose Start, then Settings, then Control Panel, then Administrative Tools, then Services.
Open the properties of the service and select the Log On tab.
Change from Local System Account to the account you logged in as when you created the wallet. Stop and restart the service.
Start the Oracle Internet Directory instances so that Oracle Delegated Administration Services and other applications requiring SSL in encrypted mode can operate normally.
Open a browser to the Oracle Enterprise Manager Web site and drill down into the Oracle Internet Directory processes. This page shows the running processes.
Click the Button Start New Instance. The new configuration set will be listed.
Select the Set Number to be started and click Start.
After the instance is started, click OK and the Oracle Internet Directory instances page will be displayed. The new instance will be shown in the list as started.
From this point on, the standard commands opmnctl startall and opmnctl stopall will automatically manage the Oracle Internet Directory instances.
You now have Oracle Internet Directory running and listening on four ports.
On a UNIX system, you can run the $ORACLE_HOME/ldap/bin/ldapcheck command to view the additional oidldapd dispatcher and server processes. The debugging logs for the SSL instance are oidldapd02.log and oidldapd02sXXXXX.log, respectively.
You can use the ldapbind command to test SSL connections. Note that -w and -P place the directory password and the wallet password on the command line, where other users on the host can read them from the process list and where they are kept in shell history; use these forms on test systems only. On UNIX, the syntax is:
ldapbind -D cn=orcladmin -w welcome -U authentication_mode -h host -p SSL_port -W "file://DIRECTORY_CONTAINING_WALLET" -P wallet_password
and on Windows, the syntax is:
ldapbind -D cn=orcladmin -w welcome -U authentication_mode -h host -p SSL_port -W "file:device:\DIRECTORY_CONTAINING_WALLET" -P wallet_password
where authentication_mode is one of:
Number | Authentication |
---|---|
1 | No SSL authentication required. |
2 | One-way (server only) SSL authentication required. |
3 | Two-way (client and server) SSL authentication required. |
Use this method to test an SSL configuration with no SSL authentication required. The syntax is:
ldapbind -D cn=orcladmin -w password -U 1 -h host -p SSL_Port
Use this method to test an SSL configuration with SSL server authentication configured. A client can request either server authentication or no authentication.
For an anonymous bind with server authentication, the syntax is:
ldapbind -U 2 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
For a bind with user "cn=orcladmin"
and server authentication, the syntax is:
ldapbind -D cn=orcladmin -w password -U 2 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
For a bind without SSL authentication, the syntax is:
ldapbind -D cn=orcladmin -w password -U 1 -h host -p SSL_Port
Use this method to test an SSL configuration with SSL client and server authentication configured.
As of Oracle Internet Directory 10g Release 2 (10.1.2), Oracle Internet Directory supports the Certificate Matching Rule. The DN and password passed on the ldapbind command line are ignored. Only the DN from the certificate or the certificate hash is used for authorization.
To bind with user "cn=orcladmin"
, the syntax is:
ldapbind -D cn=orcladmin -w password -U 3 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
or
ldapbind -D cn=orcladmin -w password -U 2 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
To use the bind DN (Distinguished Name) from the client certificate, the syntax is:
ldapbind -U 3 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
or
ldapbind -U 2 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -P wallet_password
To test the SSL connection with the Oracle Directory Manager, perform the following steps:
Start Oracle Directory Manager.
At the login screen, click the Network Icon and add the new SSL instance.
Choose the hostname and the port number of your configured SSL instance.
It should show AVAILABLE. Highlight it and click SELECT.
Click the SSL tab and fill in the wallet location of the user and the password. For Windows, specify the SSL Location as file:device:\wallet_directory_path. For UNIX, specify the SSL Location as file://wallet_directory_path.
For SSL Password, specify your wallet password.
For SSL Authentication Level, specify your configured authentication level.
Click the Credentials tab. Make sure the SSL check box is checked. If you omit this step, Oracle Directory Manager might hang.
Specify values for User and Password.
At installation, Oracle Internet Directory starts up with configset0, which specifies dual mode. That is, some components can access Oracle Internet Directory using non-SSL connections, while others use SSL when connecting to the directory. By default, Oracle Application Server components are configured to run in this dual mode environment when communicating with Oracle Internet Directory. If you wish, you can remove the non-SSL mode and change all middle-tier instances to use SSL. For more information, please refer to the section on changing Oracle Internet Directory from dual mode to SSL mode in Oracle Application Server Administrator's Guide.
Enterprise User Security or a customer application might need an SSL channel with a different configuration from configset0. For example, it might need SSL server authentication mode or SSL mutual authentication mode. In this case, you must configure an additional SSL port in another configuration set so that an additional Oracle Internet Directory LDAP instance listens at that port.
Note: You should never modify the SSL mode of configset0. The modification might conflict with the default configuration of some Oracle Application Server components. Use a different configuration set for a new SSL setup.
For more information about Enterprise User Security SSL configuration, please see the section on enterprise user security configuration in Oracle Database Enterprise User Administrator's Guide.
Examples:
A configuration set for SSL server authentication mode:
cn=configset2, cn=osdldapd, cn=subconfigsubentry
cn=configset2
objectclass=top
objectclass=orclConfigSet
objectclass=orclLDAPSubConfig
orclsslauthentication=32
orclsslenable=2
orclsslwalleturl=file:/ade/qdinh_newld/oracle/work/ldap/lrgsrg
orclsslport=6060
orclnonsslport=8019
orclserverprocs=1
A configuration set for SSL mutual authentication mode:
cn=configset3, cn=osdldapd, cn=subconfigsubentry
cn=configset3
objectclass=top
objectclass=orclConfigSet
objectclass=orclLDAPSubConfig
orclsslauthentication=64
orclsslenable=2
orclsslwalleturl=file:/ade/qdinh_newld/oracle/work/ldap/lrgsrg
orclsslport=7001
orclnonsslport=8029
orclserverprocs=1
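The following script is an added example and is not part of this guide or of Oracle's tools. It reads configuration set entries in the attribute=value layout shown in the examples above, applies the rules this chapter states (configset0's SSL port stays at authentication mode 1, server and mutual authentication need a wallet, every instance gets its own ports), and derives the ldapbind invocation from the testing section that should succeed against each set. The host name, wallet path, ports and passwords in it are constructed for the example; the orclsslauthentication values 1, 32 and 64 are taken from the examples above.

```python
"""Checker for Oracle Internet Directory SSL configuration sets.

Added example, not Oracle code. Parses configset entries in the
attribute=value layout printed by the OID ldapsearch tool, applies the
rules stated in this chapter, and builds the ldapbind test command for
each set. Hosts, paths, ports and passwords here are constructed.
"""
import re
import shlex

# orclsslauthentication values used by OID configuration sets.
AUTH_NONE, AUTH_SERVER, AUTH_MUTUAL = 1, 32, 64
# Client -U values the chapter's testing section uses against a server at
# each authentication level (first entry is the natural choice).
CLIENT_MODES = {AUTH_NONE: (1,), AUTH_SERVER: (2, 1), AUTH_MUTUAL: (3, 2)}

# Constructed sample: configset0 as installed, plus a server-auth and a
# mutual-auth set on their own ports, as the chapter recommends.
SAMPLE_CONFIGSETS = """\
cn=configset0, cn=osdldapd, cn=subconfigsubentry
orclsslauthentication=1
orclsslenable=2
orclsslport=3131
orclnonsslport=3060

cn=configset2, cn=osdldapd, cn=subconfigsubentry
orclsslauthentication=32
orclsslenable=2
orclsslwalleturl=file:/etc/ORACLE/WALLET
orclsslport=6060
orclnonsslport=8019

cn=configset3, cn=osdldapd, cn=subconfigsubentry
orclsslauthentication=64
orclsslenable=2
orclsslwalleturl=file:/etc/ORACLE/WALLET
orclsslport=7001
orclnonsslport=8029
"""


def parse_configsets(text):
    """Return {configset name: {attribute: value}}; entries are blank-line separated."""
    sets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
            continue
        dn = re.match(r"cn=(configset\d+),", line, re.IGNORECASE)
        if dn and current is None:
            current = sets.setdefault(dn.group(1).lower(), {})
            continue
        attr, sep, value = line.partition("=")
        if current is not None and sep:
            current[attr.lower()] = value
    return sets


def check_configsets(sets):
    """Apply the chapter's rules; return a list of problems (empty means OK)."""
    problems, used_ports = [], {}
    for name, attrs in sorted(sets.items()):
        enable = int(attrs.get("orclsslenable", "0"))
        auth = int(attrs.get("orclsslauthentication", str(AUTH_NONE)))
        if enable not in (0, 1, 2):
            problems.append(f"{name}: orclsslenable must be 0, 1 or 2, got {enable}")
        if auth not in CLIENT_MODES:
            problems.append(f"{name}: orclsslauthentication must be 1, 32 or 64, got {auth}")
        # configset0's SSL port must stay encryption-only; other components rely on it.
        if name == "configset0" and enable and auth != AUTH_NONE:
            problems.append("configset0: SSL port must stay at authentication mode 1")
        # Server and mutual authentication need a wallet holding the server certificate.
        if auth in (AUTH_SERVER, AUTH_MUTUAL) and not attrs.get("orclsslwalleturl", "").startswith("file:"):
            problems.append(f"{name}: orclsslwalleturl (file:...) is required for mode {auth}")
        # Each instance listens on its own SSL and/or non-SSL port.
        wanted = (["orclsslport"] if enable in (1, 2) else []) + (["orclnonsslport"] if enable in (0, 2) else [])
        for attr in wanted:
            port = attrs.get(attr)
            if port is None:
                problems.append(f"{name}: {attr} is missing")
            elif port in used_ports:
                problems.append(f"{name}: port {port} already used by {used_ports[port]}")
            else:
                used_ports[port] = name
    return problems


def ldapbind_test_command(attrs, host, client_mode, wallet_url=None,
                          wallet_password=None, bind_dn=None, bind_password=None):
    """Build the ldapbind argv for testing one configset at a given -U level."""
    auth = int(attrs.get("orclsslauthentication", str(AUTH_NONE)))
    if client_mode not in CLIENT_MODES[auth]:
        raise ValueError(f"-U {client_mode} is not valid against a server at mode {auth}")
    argv = ["ldapbind", "-U", str(client_mode), "-h", host, "-p", attrs["orclsslport"]]
    # Under the Certificate Matching Rule a -U 3 bind is authorized by the
    # certificate DN or hash and -D/-w are ignored, so they are left out.
    if bind_dn and client_mode != 3:
        argv += ["-D", bind_dn, "-w", bind_password or ""]
    if client_mode in (2, 3):
        if not (wallet_url or "").startswith("file:"):
            raise ValueError("a client wallet (-W file:...) is required for -U 2 and -U 3")
        argv += ["-W", wallet_url, "-P", wallet_password or ""]
    return argv


if __name__ == "__main__":
    sets = parse_configsets(SAMPLE_CONFIGSETS)
    for problem in check_configsets(sets) or ["all configuration sets pass"]:
        print(problem)
    for name in ("configset2", "configset3"):
        mode = CLIENT_MODES[int(sets[name]["orclsslauthentication"])][0]
        argv = ldapbind_test_command(sets[name], "oid.example.com", mode,
                                     "file:/etc/ORACLE/WALLET", "wallet-pw", "cn=orcladmin", "welcome")
        print(name, shlex.join(argv))
```

Run it against the output of ldapsearch for cn=osdldapd,cn=subconfigsubentry (one attribute per line) before starting a new instance; a non-empty problem list means the set violates one of the rules above. The passwords in the generated command are there only because the ldapbind syntax in this chapter puts them on the command line; on a shared host prefer a throwaway test account and wallet.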