First you need to install OID. Check the Installation Guide, the Doc and download the Software. If you do not need the dbconsole, stop it (emctl stop dbconsole) and remove the oracle_home/hostname_sid directory
Once you have a running OID, test it with ldapsearch. For this workshop, I use two servers and two usernames. Having the client and the server sharing the same wallet is not a good idea. If you have an Oracle Database running as user oracle, prefer using a different user for OID installation. By installing OID, I specified the following staticports.ini (missing from CD, bug 5936042) :
Oracle HTTP Server port = 44000 Oracle HTTP Server Listen port = 44001 Oracle HTTP Server SSL port = 44002 Oracle HTTP Server Listen (SSL) port = 44003 Oracle HTTP Server Diagnostic port = 44004 Java Object Cache port = 44005 DCM Discovery port = 44006 Oracle Notification Server Request port = 44007 Oracle Notification Server Local port = 44008 Oracle Notification Server Remote port = 44009 Application Server Control port = 44010 Application Server Control RMI port = 44011 Oracle Management Agent port = 44012 Log Loader port = 44013 ASG port = 44014 Oracle Internet Directory port = 44015 Oracle Internet Directory (SSL) port = 44016 Oracle Certificate Authority SSL Server Authentication port = 44017 Oracle Certificate Authority SSL Mutual Authentication port = 44018
Ok, let’s do the search from another server
lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44015 -z 1 orclreplicaid=oidserver01_oid1014,cn=replication configuration ldap_search: Sizelimit exceeded
Now let’s try with SSL. First, with no authentication (-U 1).
lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44016 -z 1 -U 1 orclreplicaid=oidserver01_oid1014,cn=replication configuration ldap_search: Sizelimit exceeded
Fine. Let’s create the wallets. You need a wallet for your client (lsc@dbserver01), a wallet for your server (ldapusr@oidserver01). Create a certification request for CN=lsc,cn=users,dc=yourdomain,dc=com, export your user certificate from your client wallet (lsc@dbserver01) and import it as a trusted certificate in your oid wallet (ldapusr@oidserver01). It is the same procedure as described in the user identified externally with SSL certificate post
Then, launch oidadmin (you can launch it from a pc client), and configure the OID for ssl.
User for OID is CN=ORCLADMIN
In Oracle Internet Directory Servers –> cn=orcladmin@oidserver01 –> Server Management –> Directory Server. Right click on Configuration Set1 and chose Create Like. In the Configuration Set2, chose the SSL Settings, specify SSL Client and Server Authentication, SSL only, file://etc/ORACLE/WALLETS/lsc, SSL Port 44019. Apply. Quit
Start a second instance with oidctl where oid1014 is your SID
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd instance=2 configset=2 start
Check the status :
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd status oidctl:Checking Oracle Internet Directory Processes ... Process oidmon is alive as PID = 16191 Checking OIDLDAPD instance 1 ... Process oidldapd (dispatcher) is alive as PID = 16197 port=44015 sslport=44016 oidldapd (server) is alive as PID = 16206 Checking OIDLDAPD instance 2 ... Process oidldapd (dispatcher) is alive as PID = 16422 sslport=44019 oidldapd (server) is alive as PID = 16426 Checking ODISRV instance 1 ... Process odisrv is alive as PID = 16203
so far not bad!
Let’s pray !
$ ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3 -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc -D cn=orcladmin -w myorcladminpasswd bind successful
What a satisfaction I have being failing on this for days. Mostly getting meaningless message like UnKnown Error Encountered. You cannot start anything with that error. It could be a wallet path error, a wallet password error, a non-authorized certificate, a certification authority problem, and many other errors. Really poor error messaging there. One may argue that meaningless error message on unsuccessful login does increase the security, but well, it is a nightmare to debug
Now I need to stop the non-secure part of it :
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd instance=1 stop
If I want to use a SSL to authentify my user, I must create a user, for example with the Security Console http://oidserver01:44000/oiddas/ui/oideushome, which matches my certificate.