Configure OID with SSL

First, you need to install OID. Check the Installation Guide and the documentation, and download the software. If you do not need the dbconsole, stop it (emctl stop dbconsole) and remove the oracle_home/hostname_sid directory.

Once you have a running OID, test it with ldapsearch. For this workshop, I use two servers and two usernames: having the client and the server share the same wallet is not a good idea. If you have an Oracle Database running as user oracle, prefer a different user for the OID installation. When installing OID, I specified the following staticports.ini (missing from the CD, bug 5936042):

Oracle HTTP Server port  = 44000
Oracle HTTP Server Listen port  = 44001
Oracle HTTP Server SSL port  = 44002
Oracle HTTP Server Listen (SSL) port  = 44003
Oracle HTTP Server Diagnostic port  = 44004
Java Object Cache port  = 44005
DCM Discovery port  = 44006
Oracle Notification Server Request port  = 44007
Oracle Notification Server Local port  = 44008
Oracle Notification Server Remote port  = 44009
Application Server Control port  = 44010
Application Server Control RMI port  = 44011
Oracle Management Agent port  = 44012
Log Loader port  = 44013
ASG port  = 44014
Oracle Internet Directory port  = 44015
Oracle Internet Directory (SSL) port  = 44016
Oracle Certificate Authority SSL Server 
    Authentication port  = 44017
Oracle Certificate Authority SSL Mutual
    Authentication port  = 44018

OK, let’s do the search from another server:

lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44015 -z 1
orclreplicaid=oidserver01_oid1014,cn=replication configuration
ldap_search: Sizelimit exceeded

Now let’s try with SSL. First, with no authentication (-U 1).

lsc@dbserver01 $ ldapsearch -h oidserver01 -p 44016 -z 1 -U 1
orclreplicaid=oidserver01_oid1014,cn=replication configuration
ldap_search: Sizelimit exceeded

Fine. Let’s create the wallets. You need a wallet for your client (lsc@dbserver01) and a wallet for your server (ldapusr@oidserver01). Create a certificate request for CN=lsc,cn=users,dc=yourdomain,dc=com, export your user certificate from your client wallet (lsc@dbserver01) and import it as a trusted certificate in your OID wallet (ldapusr@oidserver01). It is the same procedure as described in the “user identified externally with SSL certificate” post.

Then, launch oidadmin (you can launch it from a PC client) and configure OID for SSL.
The user for OID is CN=ORCLADMIN.
In Oracle Internet Directory Servers –> cn=orcladmin@oidserver01 –> Server Management –> Directory Server, right-click on Configuration Set1 and choose Create Like. In Configuration Set2, choose SSL Settings, specify SSL Client and Server Authentication, SSL only, file://etc/ORACLE/WALLETS/lsc, SSL Port 44019. Apply. Quit.

Start a second instance with oidctl, where oid1014 is your SID:

ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd
    instance=2 configset=2 start

Check the status:

ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd
    status
oidctl:Checking Oracle Internet Directory Processes ...

    Process oidmon is alive as PID = 16191 

    Checking OIDLDAPD instance 1  ...
    Process oidldapd (dispatcher) is alive as PID = 16197
        port=44015 sslport=44016
            oidldapd (server)     is alive as PID = 16206

    Checking OIDLDAPD instance 2  ...
    Process oidldapd (dispatcher) is alive as PID = 16422
        sslport=44019
            oidldapd (server)     is alive as PID = 16426

    Checking ODISRV instance 1  ...
    Process odisrv   is alive as PID = 16203

So far, not bad!

Let’s pray!

$ ldapbind -h novgaasdv01.eu.novartis.net -p 44019  -U 3
    -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc  
    -D cn=orcladmin -w myorcladminpasswd
bind successful

What a satisfaction 😀 I have been failing on this for days, mostly getting meaningless messages like “UnKnown Error Encountered”. You cannot start anything with that error. It could be a wallet path error, a wallet password error, a non-authorized certificate, a certification authority problem, and many other errors. Really poor error messaging there. One may argue that a meaningless error message on unsuccessful login increases security, but well, it is a nightmare to debug 😮

Now I need to stop the non-secure part of it:

ldapusr@oidserver01 $ oidctl connect=oid1014 server=oidldapd
    instance=1 stop

Added 29.3.2007
If I want to use SSL to authenticate my user, I must create a user, for example with the Security Console http://oidserver01:44000/oiddas/ui/oideushome, which matches my certificate.

20 thoughts on “Configure OID with SSL”

  1. mac

    Hi,

    Thanks for sharing this configuration of OID on SSL. I was able to set up my own OID server and I configured my port 1636 for SSL. Since I only want to test my SSL configuration, I simply created a self-signed certificate using “orapki wallet create -wallet ./ -auto_login”. Now my wallet certificate says “READY”.

    I did an LDAP bind using the SSL port and the result was “bind Successful”.
    I used my OID server for net service management, so I have my client configured with LDAP.ORA and the parameter for DIRECTORY SERVER was set to use the SSL port 1636. Unfortunately, using this port I fail to do a TNSPING to my database.

    How should I configure my client to use SSL to connect to OID? Did I miss something? I am using Server side Authentication only.

  2. Laurent Schneider Post author

    What is your ldap.ora?

    It must be something like

    macserver:1434:1636

    where the second port is SSL. You cannot have SSL only; you may use macserver:0:1636 maybe, but SSL must be second.

    HTH

  3. mac

    Hi,
    Thanks for your reply.
    My LDAP.ora is using
    macserver:1389:1636

    and with this configuration my TNSPING is failing.

    However, when I changed the non-SSL port to 0 (macserver:0:1636) or the default (macserver:389:1636), it is working.

    Why is that so? Should this mean that the TNSPING is only using the non-SSL port?

    I want to enable SSL only on my configset1 with the authentication set to Server Authentication and stop the default configset0 with the default ports (389:636).

    How can I do that?

  4. mac

    Hi Laurent,

    One more thing: whenever I use the Directory Manager, I was usually asked first which OID server to connect to.
    So I type in my server name, macserver, and the port as 1636, but the status of the server is unavailable. (Even if I change the port to 0 it is unavailable.)

    This scenario restricts me from doing the management of Directory Manager remotely using the SSL port.

    Any idea?

  5. mac

    So it always checks on the first port listed, which happens to be a non-SSL port.
    And you said I cannot use the SSL port alone, making my configuration macserver:0:1636.

    What if I would like to use the SSL port (1636 only), since I already have a certificate ready, and disallow the use of the non-SSL port? Is there any way to do this?

  6. mac

    I got it.
    I simply used my certificate (used for Server Side Authentication) and on my client's LDAP.ora I configured macserver::1636. Leaving the non-SSL port empty worked for me.
    Then I just stopped my non-SSL port using the oidctl command, leaving only the SSL port running.

    Thanks a lot!

  7. pkshr

    Hi Laurent,

    Sorry for asking a stupid question. From your phrase:

    “In Oracle Internet Directory Servers –> cn=orcladmin@oidserver01 –> Server Management –> Directory Server. Right click on Configuration Set1 and choose Create Like. In the Configuration Set2, choose the SSL Settings, specify SSL Client and Server Authentication, SSL only, file://etc/ORACLE/WALLETS/lsc, SSL Port 44019. Apply. Quit”

    You are using the location of the wallet from the user end (i.e. file://etc/ORACLE/WALLETS/lsc), but should it not be that of the LDAP server?

  8. pkshr

    @Laurent Schneider

    Hi Laurent,

    I am trying to build up a system where my Oracle database is authenticated using OID. I have Oracle in a server called “helena” and OID in “castello”. I have created a user “dbuser” in “castello” and set up the enterprise security for the Oracle database. Now from “helena” I can do: sqlplus helena/oracle and it gets connected (I assume authentication is handled by “castello” as I don't have user “dbuser” in the Oracle database of “helena” itself). However, when I try to connect to “helena” using “dbuser” from a different workstation it gives “ERROR: ORA-28030: Server encountered problems accessing LDAP directory service”. Could you please suggest what I have to do?

    TIA

  9. Laurent Schneider

    I have faced a lot of those issues. Depending on your setting, there is no solution; I had spent many months and escalated this with Oracle.

    The best is to open an SR, if you are using the latest releases of OID and Oracle Database.

  10. pkshr

    Hi Laurent,

    In your example of ldapbind you have used:
    ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3
    -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc
    -D cn=orcladmin -w myorcladminpasswd

    Have you tried using with the -D and -w parameters, i.e.
    ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3
    -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc

    I think you have to test without using -D and -w parameters.

    After a week of trials and errors, I was able to successfully set up wallets and set up an SSL connection, but I am stuck with binding through wallets. If I try your example (i.e. using the -D and -w parameters) it works, but it fails if I don't give the -D and -w parameters. Upon checking the OID logs I get the following errors: “gslfblsafsSetAuthFromSSL: The certificate DN cn=orcladmin does not exist” and “gslfbldsaDoSSLAuthentication: Error Reading SASL Credentials”. Have you come across these errors?

    TIA

  11. pkshr

    Hi Laurent,

    My last comment was not correct. Sorry. Please check this one:

    In your example of ldapbind you have used:
    ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3
    -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc
    -D cn=orcladmin -w myorcladminpasswd

    Have you tried “without” the -D and -w parameters, i.e.
    ldapbind -h novgaasdv01.eu.novartis.net -p 44019 -U 3
    -P mywalletpasswd -W file://etc/ORACLE/WALLETS/lsc

    I think you have to test without using -D and -w parameters.

    After a week of trials and errors, I was able to successfully set up wallets and set up an SSL connection, but I am stuck with binding through wallets. If I try your example (i.e. using the -D and -w parameters) it works, but it fails if I don't give the -D and -w parameters. Upon checking the OID logs I get the following errors: “gslfblsafsSetAuthFromSSL: The certificate DN cn=orcladmin does not exist” and “gslfbldsaDoSSLAuthentication: Error Reading SASL Credentials”. Have you come across these errors?

    TIA

  12. Laurent Schneider

    I spent a long time trying a lot of different configurations; it would be hard afterwards to tell what I tried or not.
    Not sure if I got those errors; it is a long time ago that I used LDAP, but maybe Metalink will be willing to help you :mrgreen:

    good luck…

  13. pkshr

    Hi Laurent,

    Thanks for taking the time to answer. I found the reason why it was not working. I am using OpenSSL to create the certificate, but one funny thing OpenSSL does is that it changes the DN string I have supplied. For a given DN string “cn=orcladmin,cn=Users,dc=test,dc=net” it did not include anything related to “dc”, i.e. it used only “cn=orcladmin,cn=Users”. If you don't mind, would you please tell how you generate the SSL certificates?

    Thanks again.

  14. pkshr

    Hi Laurent,

    I have found that OpenSSL does not include domain components by default.

    I hope now my issues will get resolved.

    Thanks a lot.
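The DN-matching problem behind the post's note on creating a user that matches the certificate, and pkshr's finding above that OpenSSL dropped the dc= components, as an added Python example that is not part of the original post or its comments: it normalises a certificate subject DN (LDAP form or OpenSSL's slash form) and the directory user's DN and reports which RDNs are missing, so the mismatch is visible before the bind fails with an opaque error. The sample DNs are constructed.

```python
import re

# Split on commas that are not escaped with a backslash (RFC 4514 DN syntax).
_SPLIT_RDN = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return the DN as a list of (attribute, value) RDNs, leaf first.

    Accepts the LDAP form "cn=lsc,cn=users,dc=example,dc=com" and the OpenSSL
    form "/DC=com/DC=example/CN=users/CN=lsc" (root first, '/'-separated).
    Attribute types and values are lower-cased, which matches how cn and dc
    are compared (caseIgnoreMatch); this is a comparison aid, not a full
    DN canonicaliser.
    """
    dn = dn.strip()
    if dn.startswith('/'):
        parts = [p for p in dn[1:].split('/') if p]
        parts.reverse()  # OpenSSL prints root first, LDAP lists leaf first
    else:
        parts = _SPLIT_RDN.split(dn)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('RDN without "=": %r' % part)
        rdns.append((attr.strip().lower(),
                     value.strip().replace('\\,', ',').lower()))
    return rdns


def compare_dn(cert_dn, user_dn):
    """Compare a certificate subject DN with the OID user entry DN.

    Returns (match, missing, extra): RDNs of the user entry absent from the
    certificate, and RDNs of the certificate absent from the user entry.
    Order matters in a DN, so a reordered DN also counts as a mismatch.
    """
    cert, user = parse_dn(cert_dn), parse_dn(user_dn)
    missing = [r for r in user if r not in cert]
    extra = [r for r in cert if r not in user]
    return cert == user, missing, extra


if __name__ == '__main__':
    # Constructed sample: the CSR subject OpenSSL produced from its default
    # prompts (no domainComponent) versus the OID user the bind must map to.
    csr_subject = '/CN=Users/CN=orcladmin'
    oid_user = 'cn=orcladmin,cn=Users,dc=test,dc=net'
    ok, missing, extra = compare_dn(csr_subject, oid_user)
    print('match' if ok else 'mismatch, missing RDNs: %s' % missing)
```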

  15. pkshr

    Laurent,

    I also checked with Oracle Certificate Authority. While I could generate the private/public key pairs and install them in wallets, the LDAP won't bind with the pair, giving the error “Unknown Error Encountered”. I am again trying with OpenSSL with the domain components enabled.

    Thank you very much

  16. pkshr

    Hi Laurent,

    Finally I am able to authenticate a database user through OID. I used OpenSSL for the SSL keys – somehow the keys from OCA did not work with OID.

    Thanks for your examples. They were a lot of help.
