Configure OID with SSL
First you need to install OID. Check the Installation Guide, the Doc and download the Software. If you do not need the dbconsole, stop it (emctl stop dbconsole) and remove the oracle_home/hostname_sid directory
Once you have a running OID, test it with ldapsearch. For this workshop, I use two servers and two usernames. Having the client and the server sharing the same wallet is not a good idea. If you have an Oracle Database running as user oracle, prefer using a different user for OID installation. By installing OID, I specified the following staticports.ini (missing from CD, bug 5936042) :
Oracle HTTP Server port = 44000 Oracle HTTP Server Listen port = 44001 Oracle HTTP Server SSL port = 44002 Oracle HTTP Server Listen (SSL) port = 44003 Oracle HTTP Server Diagnostic port = 44004 Java Object Cache port = 44005 DCM Discovery port = 44006 Oracle Notification Server Request port = 44007 Oracle Notification Server Local port = 44008 Oracle Notification Server Remote port = 44009 Application Server Control port = 44010 Application Server Control RMI port = 44011 Oracle Management Agent port = 44012 Log Loader port = 44013 ASG port = 44014 Oracle Internet Directory port = 44015 Oracle Internet Directory (SSL) port = 44016 Oracle Certificate Authority SSL Server Authentication port = 44017 Oracle Certificate Authority SSL Mutual Authentication port = 44018
Ok, let’s do the search from another server
lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44015 -z 1 orclreplicaid=oidserver01_oid1014,cn=replication configuration ldap_search: Sizelimit exceeded
Now let’s try with SSL. First, with no authentication (-U 1).
lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44016 -z 1 -U 1 orclreplicaid=oidserver01_oid1014,cn=replication configuration ldap_search: Sizelimit exceeded
Fine. Let’s create the wallets. You need a wallet for your client (lsc@dbserver01), a wallet for your server (ldapusr@oidserver01). Create a certification request for CN=lsc,cn=users,dc=yourdomain,dc=com, export your user certificate from your client wallet (lsc@dbserver01) and import it as a trusted certificate in your oid wallet (ldapusr@oidserver01). It is the same procedure as described in the user identified externally with SSL certificate post
Then, launch oidadmin (you can launch it from a pc client), and configure the OID for ssl.
User for OID is CN=ORCLADMIN
In Oracle Internet Directory Servers –> cn=orcladmin@oidserver01 –> Server Management –> Directory Server. Right click on Configuration Set1 and chose Create Like. In the Configuration Set2, chose the SSL Settings, specify SSL Client and Server Authentication, SSL only, file://etc/ORACLE/WALLETS/lsc, SSL Port 44019. Apply. Quit
Start a second instance with oidctl where oid1014 is your SID
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd instance=2 configset=2 start
Check the status :
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd status oidctl:Checking Oracle Internet Directory Processes ... Process oidmon is alive as PID = 16191 Checking OIDLDAPD instance 1 ... Process oidldapd (dispatcher) is alive as PID = 16197 port=44015 sslport=44016 oidldapd (server) is alive as PID = 16206 Checking OIDLDAPD instance 2 ... Process oidldapd (dispatcher) is alive as PID = 16422 sslport=44019 oidldapd (server) is alive as PID = 16426 Checking ODISRV instance 1 ... Process odisrv is alive as PID = 16203
so far not bad!
Let’s pray !
$ ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3 -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc -D cn=orcladmin -w myorcladminpasswd bind successful
What a satisfaction 
I have being failing on this for days. Mostly getting meaningless message like UnKnown Error Encountered. You cannot start anything with that error. It could be a wallet path error, a wallet password error, a non-authorized certificate, a certification authority problem, and many other errors. Really poor error messaging there. One may argue that meaningless error message on unsuccessful login does increase the security, but well, it is a nightmare to debug 
Now I need to stop the non-secure part of it :
ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd instance=1 stop
Added 29.3.2007
If I want to use a SSL to authentify my user, I must create a user, for example with the Security Console http://oidserver01:44000/oiddas/ui/oideushome, which matches my certificate.
Hi,
Thanks for sharing this configuration of OID on SSL. I was able to setup my own OID server and I configured my port 1636 for SSL. Since I only want to test my SSL configuration I simply created a self_signed certification using ” orapki wallet create -wallet ./ -auto_login”. Now my wallet certificate says “READY”.
I did an LDAP bind using the SSL port and the result was “bind Successful”
I used my OID server for net service management so I have my client configured with LDAP.ORA and the parameter for DIRECTORY SERVER was set to use the SSL port 1636. Unfortunately using this port fails me to do a TNSPING to my database.
How should I configure my client to use the SSL to connect to OID? Did I miss something? I am using a Server side Authentication only.
what it your ldap.ora?
it must be something like
macserver:1434:1636where the second port is SSL. You cannot have ssl only, you may use macserver:0:1636 maybe, but ssl must be second
HTH
Hi,
Thanks for your reply;
My LDAP.ora is using
macserver:1389:1636
and with this configuration my TNSPING is failing.
However when I changed the nonssl port to 0 ( macserver:0:1636) or the default (macserver:389:1636) It is working.
Why is that so? Should this mean that the TNSPING is only using the non-ssl port?
I want to enable SSL only on my configset1 with the authentication set to Server Authentication and stop the default configset0 with default port (389:636)
How can I do that?
Hi Laurent,
One more thing, whenever I use the the Directory Manager I was usually asked first to which OID server to connect.
So I type in my server name: macserver and the port as 1636 but the status of the server is unavailable. (Even if I change the port to 0 it is unavailable)
This scenario restricts me to do the management of Directory manager remotely using the SSL port.
Any Idea?
yes, it always try the first port, and if there is a service listening on this port it will not try port 2… a bit unlucky I admin
So it always check on the first port listed which happens to be a non SSL port.
And you said i cannot use the SSL port alone making my configuration macserver:0:1636
What if I like to use the SSL port (1636 only) since I already have a certificate Ready? and I disallow the use of NON-SSL port? Is there any way to do this?
I got it.
I simply used my certificate (used for Server Side Authentication) and on my clients LDAP.ora i configured macserver::1636. Leaving the non-SSL port empty worked for me.
Then I just stopped my Non SSL port using oidctl command leaving the SSL port alone running.
Thanks a lot!
well done!