Configuring a Component Server

7-8 Oracle Fusion Middleware Administrator's Guide

Enter the sslDomain for the CA [idm]:
Enter a password to protect your SSL wallet/keystore:
Enter confirmed password for your SSL wallet/keystore:
Enter password for the CA wallet:
Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
Searching the LDAP for the CA userpkcs12 ...
Invoking OVD SSL Server Configuration Script...
Enter attribute values for your certificate DN
Country Name (2 letter code) [US]:
State or Province Name [California]:
Locality Name (eg, city) []:redwood
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) [ovd-20101118212540]:
Common Name (eg, hostName.domainName.com) [adc2100651.example.com]:
The subject DN is cn=adc2100651.example.com,ou=ovd-20101118212540,l=redwood,st=California,c=US
Import the existing CA at /mw784/im7335/rootCA/cacert.der into keystore...
Import the server certificate at /mw784/im7335/rootCA/keystores/ovd/cert.txt into kstore...
Enter your OVD instance name [ovd1]
Enter your Oracle instance [asinst_1]: iminst8017
Enter the weblogic admin server host [adc2100658.example.com] adc2100658.example.com
Enter weblogic admin port: [7001] 19249
Enter weblogic admin user: [weblogic]
Enter password for weblogic:
Enter your keystore name [ovdks1.jks]:
Checking the existence of ovdks1.jks in the OVD...
Configuring ovdks1.jks for ovd1 listener...
Do you want to restart your OVD instance?[y/n]y
Do you want to test your OVD SSL set up?[y/n]y
Please enter your OVD ssl port:[3131] 24888
Please enter the OVD hostname:[adc2100651] adc2100651.example.com
/mw784/im7335/bin/ldapbind -h adc2100651.example.com -p 24888 -U 2 -D =orcladmin ...
Bind successfully to OVD SSL port 24888
Your SSL server has been set up successfully

7.4.4 Example: Configuring an Oracle Access Manager 10g Server Component

SSLServerConfig.sh -component oam
Server SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.

Downloading the CA wallet from the central LDAP location...
Enter the LDAP Hostname [adc123.example.com]:
Enter the LDAP port [3060]: 16625
Enter an admin user DN [cn=orcladmin]
Enter password for cn=orcladmin:
Enter the ssl domain name [idm]:
Searching the LDAP for the CA usercertificate ...
Searching the LDAP for the CA userpkcs12 ...

Using the SSL Automation Tool 7-9

Invoking OAM SSL Server Configuration Script...
Enter your OAM10 Access Server install location: [e.g. /scratch/aime/OAM10/access] /scratch/install/OAM10/access
CA root cert has been converted from DER to PEM format.
This script will first invoke configureAAAServer tool to reconfig AAA server in cert mode, and then generate a certificate request.
Please select 3(Cert), 1(request a certificate), and enter pass phrase for the first 3 prompts. Otherwise, this script is not guaranteed to work properly.
Please enter the Mode in which you want the Access Server to run : 1(Open) 2(Simple) 3(Cert) : 3
Do you want to request a certificate (1) or install a certificate (2) ? : 1
Please enter the Pass phrase for this Access Server :
Do you want to store the password in the file ? : 1(Y) 2(N) : 1
Preparing to generate certificate. This may take up to 60 seconds. Please wait.
Generating a 1024 bit RSA private key
.++++++
...................++++++
writing new private key to /scratch/install/OAM10/access/oblix/config/aaa_key.pem
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood Shores
Organization Name (eg, company) [Some-Organization Pty Ltd]:Example
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, hostName.domainName.com) []:adc123.example.com
Email Address []:
writing RSA key
Your certificate request is in file : /scratch/install/OAM10/access/oblix/config/aaa_req.pem
Please get your certificate request signed by the Certificate Authority.
On obtaining your certificate, please place your certificate in /scratch/install/OAM10/access/oblix/config/aaa_cert.pem file and the certificate authority's certificate for the corresponding component (for example: WebGate, AXML Server) in /scratch/install/OAM10/access/oblix/config/aaa_chain.pem file.
Once you have your certificate placed at the above mentioned location, please follow the instructions on how to start the Access Server.
More Information on setting up Access Server in Certificate mode can be obtained from the Setup Installation Guide.
Access Server mode has been re-configured successfully.
Please note that new security mode will take effect only after the security mode for this Access Server is changed to cert from the Access Manager System Console.
Do you want to specify or update the failover information ? : 1(Y) 2(N) :
Please restart your Access Server by executing the /scratch/install/OAM10/access/oblix/apps/common/bin/restart_access_server program from command line once you have placed your certificates at the above mentioned location.
Press enter key to continue ...
Now we will sign the certificate request using CA cert.
Enter the CA wallet password:
Certificate request aaa_req.pem has been converted to orapki acceptable format in /scratch/install/WT/Oracle_WT1/rootCA/OAM
The certificate has been signed by the root CA
OAM server certificate have been installed into Access Server config directory.
Restarting AAA Server ...
Do you want to restart your Access Server? [y/n] y
Access Server has been started/restarted
Your OAM10 Access Server has been setup successfully in cert mode.

7.5 Configuring a Client

You configure a client by invoking the script SSLClientConfig.sh. The script retrieves the SSL Domain CA, then passes control to a component-specific script that imports it and performs any additional configuration steps the component requires.

To run this script, you need the following information:

■ Connection information (host and port) for the LDAP directory used by the deployment

■ Administrator credentials that enable you to access that LDAP directory

■ The name of the SSL deployment, for example: idm, fmw

Before invoking the script, enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation.

The location of the script is:

ORACLE_COMMON_HOME/oracle_common/bin/SSLClientConfig.sh

The syntax for the script is:

SSLClientConfig.sh -component [cacert|wls|webgate] [-v]

Depending on the -component option specified, SSLClientConfig.sh may invoke a component script listed in Table 7–5. The component-specific client scripts have names of the form COMPONENT_NAME_SSL_Client_Config.sh.

Provide information when prompted. The client script performs the following tasks:

■ Downloads the CA certificate or wallet from the LDAP server in the SSL Domain.

■ Creates the related Java Trust Store, Oracle Wallet, or Java Keystore for the Oracle Identity Manager or Oracle Access Manager client.

■ Imports the Signing CA certificate as a trusted certificate into the relevant trust stores, wallet, or keystore.

For WebGate clients, it creates a full Java KeyStore with a private certificate, a client certificate, and the CA signing certificate. For other client components, which only need a common trust store or wallet, the script imports the CA certificate into the newly generated trust store.
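The client-side flow described above, written out as an added example in standard-library Python; it is not part of the Oracle guide and not one of the SSL Automation Tool's own scripts. It shows the three things the script does with the CA it fetches: the LDAP entry it reads the CA from (cn=idm,cn=sslDomains for the idm SSL Domain, as the 7.5.1 transcript prints), the DER-to-PEM conversion that the trust-store and wallet tooling needs, and a trust context that holds only the SSL Domain CA, used to run the same kind of post-setup check the server script performs with ldapbind against the OVD SSL port. Function names, the hostname/port/cafile arguments, and the constructed DER bytes are assumptions, not values from the page.

```python
"""Added example (not from the Oracle guide): the trust-store side of the
SSLClientConfig.sh flow in stdlib Python.

1. ssl_domain_dn()      - DN the automation scripts read the CA from
2. der_to_pem()/pem_to_der() - the LDAP 'usercertificate' value is DER;
                           trust stores and wallets are fed PEM
3. trust_only()         - TLS context trusting ONLY the SSL Domain CA
4. check_ssl_listener() - handshake that fails unless the listener's
                           certificate chains to that CA and matches the host

Assumptions (not on the page): function names, the host/port/cafile you
pass in, and the constructed DER bytes used in the usage section.
"""
import socket
import ssl
import sys
from typing import Tuple


def ssl_domain_dn(ssl_domain: str) -> str:
    """Entry under cn=sslDomains whose usercertificate/userpkcs12 attributes
    hold the SSL Domain CA (the transcripts show cn=idm,cn=sslDomains)."""
    return f"cn={ssl_domain},cn=sslDomains"


def der_to_pem(der: bytes) -> str:
    """DER certificate bytes (as stored in LDAP) -> PEM text."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """PEM text -> DER bytes (inverse of der_to_pem)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def trust_only(cafile: str) -> ssl.SSLContext:
    """Context that trusts only the CA in cafile: no system roots are loaded,
    the peer certificate is required, and the hostname is checked. This mirrors
    what a freshly generated trust.jks containing just the SSL Domain CA gives
    a Java client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_ssl_listener(host: str, port: int, cafile: str,
                       timeout: float = 5.0) -> Tuple[bool, str]:
    """Post-setup check, like the server script's ldapbind against the OVD SSL
    port: succeed only if a TLS handshake verifies against the SSL Domain CA.
    Returns (ok, detail) so callers can log the reason for a failure."""
    ctx = trust_only(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert["subject"])
                return True, (f"{tls.version()} handshake OK; server cert "
                              f"CN={subject.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        # Listener is up but its certificate does not chain to our CA or
        # does not match the hostname: the case the trust store must reject.
        return False, f"certificate not trusted: {exc.reason or exc}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection/TLS failure: {exc}"


if __name__ == "__main__":
    # Constructed stand-in for a DER value pulled from LDAP; it is not a real
    # certificate, only enough to show the PEM framing.
    fake_der = b"\x30\x03\x02\x01\x01"
    print("CA entry:", ssl_domain_dn("idm"))
    print(der_to_pem(fake_der))
    # Real check: python this_file.py <host> <ssl-port> <cafile.pem>
    if len(sys.argv) == 4:
        ok, detail = check_ssl_listener(sys.argv[1], int(sys.argv[2]), sys.argv[3])
        print("OK" if ok else "FAIL", "-", detail)
```

Run it with the OVD host, the SSL port chosen during server setup, and the PEM form of the CA certificate the client script downloaded; a listener whose certificate was not signed by the SSL Domain CA, or whose Common Name does not match the host, is reported as a verification failure rather than a plain connection error, which is the distinction worth logging when a client trust store has been regenerated.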

7.5.1 Example: Downloading the CA Certificate for SSL Clients

./SSLClientConfig.sh -component cacert
SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.

Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
Downloading the CA certificate from the LDAP server...
Enter the LDAP hostname [adc2100651.example.com]:
Enter the LDAP port: [3060]? 16468
Enter your LDAP user [cn=orcladmin]:
Enter password for cn=orcladmin:
Enter the sslDomain for the CA [idm]:
Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/tmp/trust.jks
The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/tmp/ewallet.p12
Generate trust store for the CA cert at cn=idm,cn=sslDomains
Enter a password to protect your truststore:
Enter confirmed password for your truststore:
Updating the existing /mw784/im7335/rootCA/keystores/common/trust.jks...
Importing the CA certifcate into trust stores...
The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/common/trust.jks
The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/common/ewallet.p12

Table 7–5 Component Options to SSLClientConfig.sh

Component Option   Script Invoked                Component Configured
cacert             None                          Other SSL Clients
wls                WLS_SSL_Client_Config.sh      Oracle WebLogic clients and Java EE components
webgate            OAMWG_SSL_Client_Config.sh    Oracle Access Manager WebGate

7.5.2 Example: Downloading the Certificate and Configuring a WebLogic Client

./SSLClientConfig.sh -component wls
SSL Automation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.

Downloading the CA certificate from a central LDAP location
Creating a common trust store in JKS and Oracle Wallet formats ...
Configuring SSL clients with the common trust store...
Make sure that your LDAP server is currently up and running.
Downloading the CA certificate from the LDAP server...
Enter the LDAP hostname [adc2100651.example.com]:
Enter the LDAP port: [3060]? 16468
Enter your LDAP user [cn=orcladmin]:
Enter password for cn=orcladmin:
Enter the sslDomain for the CA [idm]:
Searching the LDAP for the CA usercertificate ...
Importing the CA certifcate into trust stores...
The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/tmp/trust.jks
The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/tmp/ewallet.p12
Invoking Weblogic SSL Client Configuration Script...
Enter a password to protect your truststore:
Enter confirmed password for your truststore:
Updating the existing /mw784/im7335/rootCA/keystores/wls/trust.jks...
Importing the CA certifcate into trust stores...
The common trust store in JKS format is located at /mw784/im7335/rootCA/keystores/wls/trust.jks
The common trust store in Oracle wallet format is located at /mw784/im7335/rootCA/keystores/wls/ewallet.p12
cat: /mw784/im7335/rootCA/cacert_tmp.txt: No such file or directory
Configuring SSL Trust for your WLS server instance...
Enter your trust store name: [trust.jks]mytrust.jkds
Enter your WLS domain home directory: /mw784/user_projects/domains/imdomain8017
Enter your WLS server instance name [AdminServer]
Enter weblogic admin port: [7001] 19249
Enter weblogic admin user: [weblogic]
Enter password for weblogic:
Copy /mw784/im7335/rootCA/keystores/wls/trust.jks to /mw784/user_projects/domains/imdomain8017/servers/AdminServer/keystores/mytrust.jkds...
Configuring WLS AdminServer ...
Running /mw784/im7335/common/bin/wlst.sh /mw784/im7335/rootCA/keystores/wls/wlscln.py...
Your WLS server has been set up successfully

7.5.3 Example: Downloading the Certificate and Configuring a WebGate Client