Accessing Other LDAP Servers Enabling an LDAP Authentication Provider for SSL

5-8 Securing Oracle WebLogic Server

■ Section 5.4.4, Enabling an LDAP Authentication Provider for SSL
■ Section 5.4.5, Dynamic Groups and WebLogic Server
■ Section 5.4.6, Use of GUID and LDAP DN Data in WebLogic Principals
■ Section 5.4.7, Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers
■ Section 5.4.8, Configuring Failover for LDAP Authentication Providers
■ Section 5.4.9, Following Referrals in the Active Directory Authentication Provider
■ Section 5.4.10, Improving the Performance of WebLogic and LDAP Authentication Providers

5.4.3 Accessing Other LDAP Servers

The LDAP Authentication providers in this release of WebLogic Server are configured to work readily with the Oracle Internet Directory, Oracle Virtual Directory, SunONE iPlanet, Active Directory, Open LDAP, and Novell NDS LDAP servers. You can use an LDAP Authentication provider to access other types of LDAP servers. Choose either the LDAP Authentication provider LDAPAuthenticator or the existing LDAP provider that most closely matches the new LDAP server and customize the existing configuration to match the directory schema and other attributes for your LDAP server. If you are using Active Directory, see Section 5.4.9, Following Referrals in the Active Directory Authentication Provider.

5.4.4 Enabling an LDAP Authentication Provider for SSL

If you want to secure the connection between WebLogic Server and the LDAP server — for example, because the LDAP server requires it — you must do the following:

■ Create and configure a custom trust keystore for use with the LDAP server
■ Specify that the SSL protocol should be used by the LDAP Authentication provider when connecting to the LDAP server

To do this, complete the following steps:

1. Configure the LDAP Authentication provider. Make sure you select SSLEnabled on the Configuration > Provider Specific page.

2. Obtain the root certificate authority (CA) certificate for the LDAP server.

3. Create a trust keystore using the preceding certificate. For example, the following command uses keytool to create the keystore ldapTrustKS with the root CA certificate rootca.pem:

   keytool -import -keystore ./ldapTrustKS -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt

   For more information about creating a trust keystore, see Chapter 11, Configuring Identity and Trust.

4. Copy the keystore to a location from which WebLogic Server has access.

5. Start the WebLogic Server Administration Console and navigate to the server-name > Configuration > Keystores page, where server-name is the WebLogic Server instance for which you are configuring this keystore.

6. If necessary, in the Keystores field, click Change to select the Custom Identity and Custom Trust configuration rules.

7. If the communication with the LDAP server uses 2-way SSL, configure the custom identity keystore, keystore type, and passphrase.

8. In Custom Trust Keystore, enter the path and file name of the trust keystore created in step 2.

9. In Custom Trust Keystore Type, enter jks.

10. In Custom Trust Keystore Passphrase, enter the password used when creating the keystore.

11. Reboot the WebLogic Server instance for changes to take effect.

For more information, see Chapter 12, Configuring SSL. For more information about using the WebLogic Server Administration Console to configure keystores and enable SSL, see the following topics in the Oracle WebLogic Server Administration Console Help:

■ Configure identity and trust
■ Set up SSL
■ Configure two-way SSL
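As an added example that is not part of the Oracle guide, the following WLST script applies the same settings as console steps 1 and 5 through 10 so the change can be scripted and reviewed rather than clicked through. The domain, realm, provider and server names, the LDAP host, the keystore path and the passphrase are placeholder assumptions; the MBean attributes (SSLEnabled, Host, Port, KeyStores, CustomTrustKeyStore*) are the ones the console pages set.

```jython
# Added example, not from the Oracle guide. Run with: java weblogic.WLST ldap_ssl.py
# All values below are placeholders; adjust them for your domain.
ADMIN_URL   = 't3://adminhost.example.com:7001'      # placeholder Administration Server
DOMAIN      = 'mydomain'                             # placeholder domain name
REALM       = 'myrealm'                              # placeholder security realm
PROVIDER    = 'OIDAuthenticator'                     # placeholder LDAP Authentication provider
SERVER      = 'AdminServer'                          # placeholder server-name from step 5
LDAP_HOST   = 'oid.example.com'                      # placeholder LDAP server
LDAPS_PORT  = 636                                    # LDAP over SSL, not the cleartext 389
TRUST_KS    = '/u01/oracle/config/ldapTrustKS'       # keystore from the keytool step (step 4 location)
TRUST_PASS  = 'TrustKeystorePwd'                     # -storepass used with keytool

# Connect with an encrypted credential file created earlier via storeUserConfig(),
# so the administrator password is not hard-coded in this script.
connect(userConfigFile='/u01/oracle/wlst/admin.cfg',
        userKeyFile='/u01/oracle/wlst/admin.key', url=ADMIN_URL)
edit()
startEdit()

# Step 1: the provider talks to the LDAPS port with SSLEnabled selected.
cd('/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/%s'
   % (DOMAIN, REALM, PROVIDER))
cmo.setHost(LDAP_HOST)
cmo.setPort(LDAPS_PORT)
cmo.setSSLEnabled(true)

# Steps 6 and 8-10: custom trust keystore holding only the LDAP root CA.
cd('/Servers/%s' % SERVER)
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomTrustKeyStoreFileName(TRUST_KS)
cmo.setCustomTrustKeyStoreType('jks')
cmo.setCustomTrustKeyStorePassPhrase(TRUST_PASS)

# Step 7, only when the LDAP server requires 2-way SSL: WebLogic's own client identity.
# cmo.setCustomIdentityKeyStoreFileName('/u01/oracle/config/ldapIdentityKS')
# cmo.setCustomIdentityKeyStoreType('jks')
# cmo.setCustomIdentityKeyStorePassPhrase('IdentityKeystorePwd')

save()
activate()

# Step 11: keystore changes are read at startup, so the instance must be restarted.
print 'Configuration activated; restart %s for the trust keystore to take effect.' % SERVER
disconnect()
```

Before running it, confirm with keytool -list -keystore ./ldapTrustKS that the oidtrust alias is the LDAP server's root CA and nothing else, since every certificate in this keystore becomes trusted for the LDAP connection.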

5.4.5 Dynamic Groups and WebLogic Server