Keystore Management Tools Key and Certificate Storage in Oracle Fusion Middleware

Managing Keystores, Wallets, and Certificates 8-5

8.3.1 About Keystores and Certificates

Keys and certificates are used to digitally sign and verify data and achieve authentication, integrity, and privacy in network communications. A Java keystore (JKS) is a protected database that holds keys and certificates for the organization. Oracle Fusion Middleware utilizes JKS keystores for Oracle Virtual Directory and for applications deployed in Oracle WebLogic Server. Access to a keystore requires a password, which is defined at the time the keystore is created by the person who creates it, and which can only be changed by providing the current password. In addition, each private key in a keystore can be secured by its own password.

This section contains these topics:

■ Sharing Keystores Across Instances
■ Keystore Naming Conventions
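As an added example (not Oracle's code and not part of this guide), the following Python reads a JKS file that holds trusted-certificate entries and checks the trailing digest that binds the file to its store password; the layout it relies on (magic 0xFEEDFEED, version 2, a SHA-1 over the UTF-16BE password, the string "Mighty Aphrodite" and the file body) is the one written by the JDK's JavaKeyStore implementation. The function names and the certificate bytes used in testing are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2  # tag 1 is a PrivateKeyEntry, not handled in this example
_DIGEST_SALT = b"Mighty Aphrodite"  # constant the JDK mixes into the integrity digest

def _digest(password: str, body: bytes) -> bytes:
    # SHA-1(UTF-16BE(store password) || "Mighty Aphrodite" || file body), as the JDK computes it
    return hashlib.sha1(password.encode("utf-16-be") + _DIGEST_SALT + body).digest()

def _utf(s: str) -> bytes:
    # DataOutput.writeUTF: 2-byte length prefix; plain UTF-8 matches Java for ASCII aliases
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def build_trust_store(password: str, certs: dict, created_ms: int = 0) -> bytes:
    """Serialise {alias: DER cert bytes} as trusted-certificate entries and append the digest."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(certs))
    for alias, der in certs.items():
        body += struct.pack(">I", TRUSTED_CERT_TAG) + _utf(alias) + struct.pack(">Q", created_ms)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)

def verify_digest(data: bytes, password: str) -> bool:
    """True only if the trailing 20-byte digest matches this password and these exact bytes."""
    return _digest(password, data[:-20]) == data[-20:]

def read_trust_store(data: bytes, password: str) -> dict:
    """Return {alias: DER bytes}; raise if the store fails the password/integrity check."""
    if not verify_digest(data, password):
        raise ValueError("keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are outside this example's scope")
        (n,) = struct.unpack_from(">H", data, pos + 4)
        alias = data[pos + 6:pos + 6 + n].decode("utf-8")
        pos += 6 + n + 8                                   # skip the creation timestamp
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2 + n                                       # skip the "X.509" type string
        (n,) = struct.unpack_from(">I", data, pos)
        entries[alias] = data[pos + 4:pos + 4 + n]
        pos += 4 + n
    return entries
```

The store password does not encrypt trusted certificates, which remain readable without it; it only lets a reader detect a wrong password or a modified file, which is why private keys in a JKS carry their own passwords as the section notes.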

8.3.1.1 Sharing Keystores Across Instances

Oracle recommends that you do not share keystores between component instances or Oracle instances, since each keystore represents a unique identity. The exception to this is an environment with a cluster of component instances, in which case keystore sharing would be an acceptable practice. Note that no management tools or interfaces are available to facilitate keystore sharing. However, you can export a keystore from one instance and import it into another instance.

8.3.1.2 Keystore Naming Conventions

Follow these naming conventions for your JKS keystores:

■ Do not use a name longer than 256 characters.
■ Do not use any of the following characters in a keystore name: | ; , \ ` ~ { } [ ] = + space tab
■ Do not use non-ASCII characters in a keystore name.
■ Additionally, follow the operating system-specific rules for directory and file names.

Note: Observe this rule even if your operating system supports the character.

8.3.2 Managing the Keystore Life Cycle

Typical life cycle events for a JKS keystore are as follows:

■ The keystore is created. Keystores can be created directly, or by importing a keystore file from the file system.
■ The list of available keystores is viewed and specific keystores are selected for update.
■ Keystores are updated or deleted. Update operations require that the keystore password be entered.
■ The keystore password can be changed.
■ The keystore can be deleted.
■ Keystores can be exported and imported.

8.3.3 Common Keystore Operations

This section explains the following keystore operations:

■ Creating a Keystore Using Fusion Middleware Control
■ Creating a Keystore Using WLST
■ Exporting a Keystore Using Fusion Middleware Control
■ Exporting a Keystore Using WLST
■ Deleting a Keystore Using Fusion Middleware Control
■ Deleting a Keystore Using WLST
■ Importing a Keystore Using Fusion Middleware Control
■ Importing a Keystore Using WLST
■ Changing the Keystore Password Using Fusion Middleware Control
■ Changing the Keystore Password Using WLST

8.3.3.1 Creating a Keystore Using Fusion Middleware Control

Take these steps to create a keystore:

1. Log in to the domain of interest using Fusion Middleware Control.
2. From the navigation pane, locate your component instance.
3. Navigate to component_name, then Security, then Keystores. For example, navigate to Oracle Virtual Directory, then Security, then Keystores.

Note: The component type is displayed at the top of the page, adjacent to the Topology icon.

4. The Java Keystore page appears. On this page you can create, update, and delete keystores, and perform other keystore management tasks.
5. Click Create. The Create Keystore dialog appears.
6. Provide keystore details such as name and password. You can also request a self-signed certificate in this dialog, and fill in the alias name and DN information.

Note: If you want to use this keystore only to store trusted certificates, you can uncheck the Create Self-Signed Certificate checkbox. This will create a keystore with no keypair.

7. Click Submit. The new keystore appears in the list of Java keystores.

8.3.3.2 Creating a Keystore Using WLST

Assuming the instance name is inst1, use this command to create a keystore:

createKeyStore('inst1', 'ovd5', 'ovd', 'newKeyStore', 'password')

where password is the password for this keystore.

See Also: Section 6.9.6, createKeyStore.

8.3.3.3 Exporting a Keystore Using Fusion Middleware Control

If multiple Oracle Virtual Directory instances want to share the same keystore file, this can be achieved by exporting the keystore from one instance and importing it into the other instances.

Take these steps to export a keystore:

1. Navigate to the Java Keystores page for the component instance, as explained in Section 8.3.3.1, Creating a Keystore Using Fusion Middleware Control.
2. Select the desired keystore from the list of stores.
3. Click Export.
4. A dialog box appears in which you must enter the keystore password to continue.
5. Specify a file system location, and click OK.