Oct 22, 2009

How to Setup SSL in Oracle Internet Directory

PURPOSE

This article provides a step-by-step procedure for setting up and testing Oracle Internet Directory (OID) for Secure Sockets Layer (SSL).

SCOPE & APPLICATION

This note presupposes a basic knowledge of Secure Sockets Layer authentication. The procedure is limited to setting up OID SSL in Mode 2 (server authentication) and Mode 3 (client and server authentication). In 9.x and 10g versions of OID, the SSL port defined in configset 0 is set by default to Mode 1 (encryption only) and should NOT be modified under normal circumstances.

************************************************************************************

DO NOT SET UP THE SSL PORT OF CONFIGSET 0 WITH A WALLET IN MODE 2 OR MODE 3,

OR YOU WILL BREAK OIDDAS AND OTHER APPS THAT EXPECT TO COMMUNICATE WITH OID ON THE ENCRYPTION-ONLY SSL PORT

************************************************************************************

How To Setup and Test the Oracle Internet Directory for SSL

Step 1.

Run the Oracle Wallet Manager

On Unix, set the DISPLAY environment variable and launch it with the command: owm

On Windows use

Start -> Programs -> ORACLE_HOME -> Network Administration -> Wallet Manager

or

Start -> Programs -> ORACLE_HOME -> Integrated Management Tools -> Wallet Manager

Step 2.

Select Wallet from the top menu bar and then New. Choose and confirm a wallet password.

Step 3.

A new empty wallet has been created; select YES to create a certificate request.

Step 4.

Fill in the required information.

Please refer to the Oracle Advanced Security Guide for additional information.

Step 5.

Choose OK.

An Oracle Wallet Manager dialog box informs you that a certificate request was successfully created. You can either copy the certificate request text from the body of this dialog panel and paste it into an e-mail message to send to a certificate authority, or you can export the certificate request to a file.

Step 6.

Choose Operations -> Export Certificate Request from the menu bar; the Export Certificate Request dialog box appears.

Step 7.

Enter a file name for the request. For example: oid301-usercert.req

Step 8. Save the wallet.

When setting this up on Windows 2000, do not store the wallet in the default location (e.g. Documents and Settings\oracle\wallets). There is a known problem with the spaces in the path. Just choose another directory.

Step 9.

Send the created certificate request to your certificate authority. (See Note 178806 if using a Microsoft Certificate Server)

Step 10.

If your certificate authority (CA) is not included in Oracle Wallet Manager's default list of trusted certificates, its trusted certificate has to be imported first; otherwise the user certificate cannot be imported.

You should have received a User Certificate and if needed a Trusted Certificate from your certificate authority.

Import trusted certificate:

Choose Operations -> Import Trusted Certificate from the menu bar; the Import Trusted Certificate dialog panel appears. You can either paste the certificate in base64 format or select a file containing the trusted certificate. You should then see your new CA in the list of trusted certificates.

Import user certificate:

Choose Operations -> Import User Certificate from the menu bar; the Import Certificate dialog box appears. You can either paste the certificate in base64 format or select a file containing the user certificate.

Step 11.

Save the wallet by selecting Wallet -> Save.

Enable AUTOLOGIN.

To enable Auto Login:

Choose Wallet from the menu bar.

Choose the check box next to the Auto Login menu item.

A message at the bottom of the window displays Autologin enabled.

A cwallet.sso file is now present in your wallet directory if AUTOLOGIN is enabled.

Important note:

Starting with Oracle Internet Directory 9.0.2/9.2, only auto-login wallets (cwallet.sso) are supported, because the server cannot prompt for a wallet password when it starts. This means Oracle Wallet Manager has to be used to open the wallet and enable AUTOLOGIN before an SSL instance can be started. OID versions before 9.0.2 don't require this step, as a password could be provided to open the wallet. Because an auto-login wallet opens without a password for any process that can read it, the file permissions on the wallet directory are the only protection of the server's private key: make the directory readable by the OID owner only.

Step 12.

Open the Oracle Directory Manager and add a new Configuration Set.

NOTE: If this is a 9.0.4 (10g) instance, you will ALREADY have additional configsets defined for SSL (configset1 and configset2). You can skip steps a. and b.

Do not modify the Default Configuration Set, as it is always your fail-safe way to connect to OID for administration. See the documentation warning at:

http://download.oracle.com/docs/cd/B10464_01/manage.904/b12118/ssl4.htm#1000672

Which reads:

Oracle Corporation recommends that you create separate configuration sets and modify their SSL values, rather than modify SSL values in the default configuration set. The default set may be required by Oracle Support Services in the diagnosis of certain technical issues.

If you cannot comply with this due to other requirements, it is advisable to at least build a configset on a non-SSL port, test it, and leave it available as a fallback in case something happens to configset0 and prevents you from accessing OID. Bear in mind that a non-SSL port carries bind credentials in the clear, so restrict it to administrative hosts at the network level.

a. Select SERVER MANAGEMENT, then DIRECTORY SERVER, and highlight

DEFAULT CONFIGURATION SET.

b. Click on CREATE LIKE. The Configuration Sets dialog box displays the General tab. Change the default value for the NON-SSL port to something other than the default for the release (389 or 4032), for example 4034.

c. Select the SSL Setup Tab and fill in the location of the wallet.

For UNIX:

SSL WALLET URL: file://path/directory_of_wallet

Example:

SSL WALLET URL: file://etc/ORACLE/WALLET

For Windows:

SSL WALLET URL: file:device:\path\wallet_directory

Example:

SSL WALLET URL: file:d:\wallet

Choose the SSL authentication method and configure the SSL port.

No SSL Authentication:

Neither the client nor the server authenticates itself to the other.

No certificates are sent or exchanged.

In this case, only SSL encryption/decryption is used. Because the server never proves its identity, a client in this mode cannot tell the genuine directory server from an impostor; it protects against passive eavesdropping only.

SSL Client and Server Authentication:

Both client and server authenticate themselves to each other and

send certificates to each other.

SSL Server Authentication:

Only the directory server authenticates itself to the client.

The directory server sends the client a certificate verifying

that the server is authentic.

SSL PORT: Choose a TCP port for the SSL instance other than the default for the release (636 or 4031), for example 4033.

Note:

In OID versions prior to 9.0.2 and 9.2 you must also provide the wallet password.

Step 13.

At this step you should now have at least two configsets configured as follows:

DefaultConfigset

NON-SSL Port as installed (389, 4032 or 3060)

SSL Port as installed (636, 4031 or 3160), encryption only

Configset1

NON-SSL Port that behaves identically to the NON-SSL Port on configset0

SSL Port configured for either SERVER AUTHENTICATION (Mode 2) or CLIENT AND SERVER AUTHENTICATION (Mode 3)

Important Note For WINDOWS ONLY

For Windows systems an extra configuration step is required.

Change the log-on account of the OracleProcessManager service (Oracle Directory Service on older Oracle releases) from Local System Account to the user who owns the wallet. Making this user a member of the Administrators group avoids privilege problems, but what the service actually needs is read access to the wallet directory and the Oracle home, so prefer granting that explicitly over local administrator rights where your environment allows.

To change the services use on Windows 2000:

Start -> Settings -> Control Panel -> Administrative Tools -> Services

on Windows NT:

Start -> Settings -> Control Panel -> Services

Click on PROPERTIES/LOGON.

Change from Local System Account to the account you logged in as when you created the wallet.

Stop and Restart the service.

-------------------------------------------------------------------------

Step 14. Starting Oracle Internet Directory Instances

In order for OIDDAS and other applications that require the SSL/ENCRYPTION-ONLY port to operate normally, you STILL need to start the default OID instance.

Startup the OID Default instance.

oidctl connect=<SID> server=oidldapd instance=1 start

Startup the OID SSL defined in new Configset.

oidctl connect=<SID> server=oidldapd instance=2 configset=1 start

Step 15. You now have OID running and listening on four ports, for example:

configset0 (DefaultConfigset) is controlling two unique ports

389 = Non-SSL Port

636 = SSL Port using ENCRYPTION ONLY Mode

configset1 is controlling two unique ports

1389 = Non-SSL Port

1636 = SSL Port using AUTHENTICATION (SERVER ONLY or CLIENT/SERVER)

Step 16. On Unix, running the $ORACLE_HOME/ldap/bin/ldapcheck command should now show additional oidldapd dispatcher and server processes. The debugging logs for the SSL instance are written to oidldapd02.log and oidldapd02sXXXXX.log.

This completes the SERVER SIDE configuration of SSL for the LDAP server.

For creating client wallets for other operating system users or for other nodes, just follow steps 1-11 again.

Oracle Wallet Manager needs to be started by the operating system user who  should use the wallet.

NOTE: If the credentials and/or wallet password contain special characters, on Unix the SSL bind can also return the error: unknown error encountered

The solution is to escape the special characters or enclose the password in single quotes, as per Note 357196.1 and Note 297392.1.

Testing SSL connections with ldapbind command line utility:

On Unix:

ldapbind -D cn=orcladmin -w <password> -U <number> -h <host> -p <SSL Port number> -W file://<DIRECTORY CONTAINING WALLET> -P <wallet password>

On Windows:

ldapbind -D cn=orcladmin -w <password> -U <number> -h <host> -p <SSL Port number> -W file:device:\<DIRECTORY CONTAINING WALLET> -P <wallet password>

ldapbind syntax:

-U SSLAuth specifies the SSL authentication mode:

1 for no authentication required

2 for one way authentication required

3 for two way authentication required

Test for SSL with Encryption only:

Requires that No SSL Authentication is configured for the SSL instance.

ldapbind -D cn=orcladmin -w <password> -U 1 -h <host> -p <SSL Port>

In this case only SSL encryption/decryption is used.

Certificates are not used.

SSL with Server authentication:

Requires that SSL Server Authentication is configured for the SSL instance.

A client connection can then request server authentication (-U 2) or just use no SSL authentication (-U 1). For -U 2 the client wallet must contain the trusted certificate of the CA that signed the server certificate; a user certificate is not needed in this mode.

ldapbind -U 2 -h <host> -p <port> -W file:<DIRECTORY CONTAINING WALLET> -P <wallet password>

Anonymous bind (no -D/-w) with server authentication.

ldapbind -D cn=orcladmin -w <password> -U 2 -h <host> -p <port> -W file:<DIRECTORY CONTAINING WALLET> -P <wallet password>

Bind with user cn=orcladmin and server authentication.

ldapbind -D cn=orcladmin -w <password> -U 1 -h <host> -p <SSL Port>

Bind without SSL authentication (encryption only); no wallet is needed.

SSL with Client and Server authentication:

Requires that SSL Client and Server Authentication is configured for the SSL instance.

Authentication of both client and server is required.

Both client and server are sending certificates.

ldapbind -D cn=orcladmin -w <password> -U 3 -h <host> -p <port> -W file:<DIRECTORY CONTAINING WALLET> -P <wallet password>

or

ldapbind -D cn=orcladmin -w <password> -U 2 -h <host> -p <port> -W "file:<DIRECTORY CONTAINING WALLET>" -P <wallet password>

Bind with user cn=orcladmin.

Client and server authenticate themselves to each other.

ldapbind -U 3 -h <host> -p <port> -W file:<DIRECTORY CONTAINING WALLET> -P <wallet password>

or

ldapbind -U 2 -h <host> -p <port> -W file:<DIRECTORY CONTAINING WALLET> -P <wallet password>

Client and server authenticate themselves to each other.

The bind DN (Distinguished Name) is used from the client certificate.

This is not an anonymous bind.
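The ldapbind checks above, as an added example that is not part of the original note and does not use the Oracle client tools: a small Python client that opens the TLS connection with mandatory server-certificate verification (what -U 2 tests), optionally presents a client certificate (what -U 3 tests), then sends an LDAPv3 simple BindRequest and decodes the BindResponse. The host name, port, file names and the sample response bytes are placeholders or constructed data. It assumes the CA certificate, and for Mode 3 the client certificate and key, are available as PEM files (how to get them out of an Oracle wallet is not covered by the note) and that the server certificate's subject matches the host name you connect to. An encryption-only (Mode 1) port presents no certificate and is rejected on purpose.

```python
"""Added example (not from the original note or Oracle's tools): an
LDAP-over-SSL bind check reproducing the ldapbind -U 2 / -U 3 tests.
BindRequest/BindResponse are BER-encoded by hand (RFC 4511), so it needs
nothing beyond the standard library."""
import socket
import ssl


# ---- BER helpers (LDAP uses only a small subset of BER) ------------------
def ber_len(n):
    """Definite-form length: one byte below 128, else 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


# ---- LDAPv3 bind messages ------------------------------------------------
def bind_request(msg_id, dn="", password=""):
    """LDAPMessage { messageID, [APPLICATION 0] { version 3, name, simple [0] } }.
    Empty dn and password is an anonymous bind (ldapbind without -D/-w)."""
    body = (ber_tlv(0x02, bytes([3]))            # version INTEGER 3
            + ber_tlv(0x04, dn.encode())         # name LDAPDN
            + ber_tlv(0x80, password.encode()))  # authentication: simple [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, body))


def parse_bind_response(data):
    """Return (messageID, resultCode, matchedDN, diagnosticMessage);
    resultCode 0 is success, 49 is invalidCredentials."""
    tag, msg, _ = ber_read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read_tlv(msg)
    tag, op, _ = ber_read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse ([APPLICATION 1])")
    _, code, pos = ber_read_tlv(op)            # resultCode ENUMERATED
    _, matched, pos = ber_read_tlv(op, pos)    # matchedDN
    _, diag, _ = ber_read_tlv(op, pos)         # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            matched.decode(), diag.decode())


def recv_ldap_message(sock):
    """Read exactly one BER-framed message, however TLS records split it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection during bind")
        buf += chunk
        if len(buf) < 2:
            continue
        first = buf[1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
        if len(buf) < hdr:
            continue
        total = hdr + (first if first < 0x80 else int.from_bytes(buf[2:hdr], "big"))
        if len(buf) >= total:
            return buf[:total]


# ---- TLS policy: this is where Mode 2 / Mode 3 are actually enforced -----
def make_context(ca_pem, client_cert_pem=None, client_key_pem=None):
    """Server authentication is mandatory (Mode 2); a client certificate adds
    Mode 3.  An encryption-only (Mode 1) port sends no certificate and is
    rejected on purpose: it cannot prove which server was reached."""
    ctx = ssl.create_default_context(cafile=ca_pem)  # CA as PEM (assumed input)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; spelled out
    ctx.check_hostname = True             # so the policy is visible
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    return ctx


def ssl_bind(host, port, ca_pem, dn="", password="",
             client_cert_pem=None, client_key_pem=None, timeout=10):
    """Connect, verify the server, optionally present a client cert, bind."""
    ctx = make_context(ca_pem, client_cert_pem, client_key_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return parse_bind_response(recv_ldap_message(tls))


# Constructed sample BindResponse (not captured from a real server): success.
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    # Live use (host, port and file names are placeholders):
    # ssl_bind("oidhost.example.com", 4033, "ca.pem", "cn=orcladmin", "secret")
    print(parse_bind_response(SAMPLE_SUCCESS))   # (1, 0, '', '')
```

A result code of 0 is a successful bind and 49 is invalidCredentials; a TLS error raised before any LDAP message is exchanged means the server certificate did not verify against the CA file, which is the condition to look for first when a -U 2 or -U 3 ldapbind fails.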

****** 10.1.2 ONLY ******

For SSL client and server authentication, OID 10.1.2 introduces a certificate matching rule (orclpkimatchingrule); check the 10.1.2 OID Administrator's Guide for detailed information.

- case orclpkimatchingrule == 0 - the DN in the certificate is used to find an exactly matching entry DN for authentication and authorization.

- case orclpkimatchingrule == 1 - an MD5 hash of the client certificate is used to search for a matching DN in OID for authentication and authorization.

- case orclpkimatchingrule == 2 - the DN from the certificate is used to search for an exact match; if no entry is found, the certificate hash is used for the search.

Note: the DN and password passed to ldapbind are ignored. Only the DN from the certificate or the certificate hash is used for authorization. Whoever holds the client wallet therefore holds the credential; protect client wallets as you would a password.
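The three matching rules, as an added example that is not taken from the note or from Oracle's implementation: a Python simulation of how each orclpkimatchingrule value resolves a presented client certificate to a directory entry, including the fallback in rule 2 and the fact that the bind DN and password play no part. The directory entries, the attribute name certhash, the stand-in certificate bytes and the choice of MD5 over the certificate's DER encoding are assumptions made for the illustration; the DN comparison is a simplification of LDAP DN matching.

```python
"""Added example (not from the note or from Oracle): simulation of the
10.1.2 orclpkimatchingrule values 0, 1 and 2.  Directory content, the
'certhash' attribute name and MD5-over-DER are this example's assumptions."""
import hashlib


def normalize_dn(dn):
    """Comparison key for an 'exact' DN match: case-insensitive, whitespace
    around RDN separators ignored (a simplification of distinguishedNameMatch).
    RDN order is NOT rearranged, so an X.500-ordered subject will not match
    an LDAP-ordered entry DN; that is exactly the gap rules 1 and 2 cover."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def cert_hash(cert_der):
    """The note says an MD5 hash of the client certificate is used for rules
    1 and 2; hashing the DER bytes is this example's assumption."""
    return hashlib.md5(cert_der).hexdigest()


# Constructed sample data: stand-in certificate bytes and three entries.
CERT_A = b"constructed-der-bytes-for-jane"
CERT_B = b"constructed-der-bytes-for-svc"
DIRECTORY = [
    {"dn": "cn=Jane Doe,ou=People,dc=example,dc=com", "certhash": cert_hash(CERT_A)},
    {"dn": "cn=ldap-sync,ou=Services,dc=example,dc=com", "certhash": cert_hash(CERT_B)},
    {"dn": "cn=orcladmin", "certhash": None},   # no certificate on file
]


def find_by_dn(directory, subject_dn):
    key = normalize_dn(subject_dn)
    return next((e for e in directory if normalize_dn(e["dn"]) == key), None)


def find_by_hash(directory, cert_der):
    h = cert_hash(cert_der)
    return next((e for e in directory if e["certhash"] == h), None)


def resolve_identity(rule, subject_dn, cert_der, directory,
                     bind_dn=None, bind_password=None):
    """Return the DN the server would authorize as, or None if no entry matches.
    bind_dn and bind_password are accepted only to make the note's point
    explicit: with client-certificate authentication they are ignored."""
    if rule == 0:
        entry = find_by_dn(directory, subject_dn)
    elif rule == 1:
        entry = find_by_hash(directory, cert_der)
    elif rule == 2:
        entry = find_by_dn(directory, subject_dn) or find_by_hash(directory, cert_der)
    else:
        raise ValueError("orclpkimatchingrule must be 0, 1 or 2")
    return entry["dn"] if entry else None


if __name__ == "__main__":
    # A certificate whose subject is written in X.500 order: rule 0 finds no
    # entry, rules 1 and 2 fall back to the hash and find the service account.
    subject = "dc=com,dc=example,ou=Services,cn=ldap-sync"
    for rule in (0, 1, 2):
        print(rule, resolve_identity(rule, subject, CERT_B, DIRECTORY))
```

Rule 0 is the strictest (the certificate subject must literally be the entry DN), rule 1 ties the identity to the exact certificate on file, and rule 2 tries the DN first and only then the hash; whichever rule is configured, the credential being checked is the certificate, not the -D/-w pair.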

SSL with authentication using the Oracle Directory Manager:

To test the SSL connection with the Oracle Directory Manager do the following:

1. Start Oracle Directory Manager

At the login screen, click the Network Icon and add the new SSL instance. Choose the hostname and the port number of your configured SSL instance.

2. It should show AVAILABLE, highlight it and click on SELECT.

3. Click on the SSL tab and fill in the location and password of the user's wallet.

For Windows:

SSL Location: file:device:\<wallet directory path>

For Unix:

SSL Location: file://<wallet directory path>

SSL Password: Wallet Password

SSL Authentication Level: Set according to your configured authentication level.

4. Click on the Credentials tab.

Make sure the SSL checkbox is checked.

Otherwise Oracle Directory Manager just hangs!

5. Login as for example

User: cn=orcladmin

Password: orcladmin password.

TESTING WITH A REMOTE HOST RUNNING SSL

Note: the bind fails with Unknown Error Encountered if no local wallet has been created on the remote host.

SOLUTION / ACTION PLAN

Create a wallet on the remote host and import into it, as a trusted certificate, the root CA certificate of the certificate authority that signed the server certificate; without it the client has nothing to verify the server certificate against.

Retry the ldapbind command.

Related Articles for your References

Note 178806.1 - How to get SSL certificates from a Microsoft Certification

Oracle Internet Directory Administrator's Guide

Oracle Advanced Security Administrator's Guide
