Connecting to an LDAP Server over SSL

8-8 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

When you need to replace a signing or encryption wallet and a new one is uploaded, Oracle Identity Federation saves the old wallet. The server then continues to use the old wallet in all transactions until it is removed. However, generated metadata will contain both the new and the old wallet information. This allows time to notify remote providers about the change. Once new metadata has been created and distributed to all remote providers, the old wallet can be deleted and Oracle Identity Federation will use the newly uploaded wallet for all subsequent transactions.

This section contains these topics:

■ Signing and Encryption Passwords
■ Replacing a Signing or Encryption Wallet

8.2.1 Signing and Encryption Passwords

As of 11g Release 1 (11.1.1) Patch Set 3, the keystore signing key password and the encryption key password do not need to be the same. The treatment of passwords is as follows:

■ You can configure distinct store and key passwords.
■ If not configured, the key password is assumed to be the same as the store password.

8.2.2 Replacing a Signing or Encryption Wallet

Follow these steps when replacing a signing or encryption wallet:

1. Upload the new wallet.

   a. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   b. Navigate to Administration, then Security and Trust.
   c. In the Wallets tab, click Update.
   d. Check the Update checkbox for the wallet you want to update.
   e. Select the keystore type, wallet location, password, and alias.
   f. Click OK.

2. Generate and distribute new metadata.

   a. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   b. Navigate to Administration, then Security and Trust.
   c. In the Provider Metadata tab, under the Generate Metadata section, select the provider type and the protocol of the metadata to be generated, and click Generate.
   d. Save the generated metadata.
   e. Distribute the generated metadata to all remote peer providers.

3. Delete the old wallet.

   a. Log in to Fusion Middleware Control and navigate to the Oracle Identity Federation instance.
   b. Navigate to Administration, then Security and Trust.
   c. In the Wallets tab, click Update.
   d. In the wallet that you have updated, click Delete old Wallet.

See Also: Managing Keystores, Wallets, and Certificates in the Oracle Fusion Middleware Administrator's Guide for details about keystore management.

8.3 Setting up JCE Policy Files for Oracle WebLogic Server

By default, Oracle Identity Federation supports low-strength cryptographic key sizes for encryption/decryption operations such as XML encryption. In order to use strong symmetric encryption algorithms, such as AES-256, you need to modify the JVM to include the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction policy. Take these steps:

1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction policy files from this URL: http://www.oracle.com/technetwork/java/javase/downloads/index.html

2. Unzip the files into all the JAVA_HOME/jre/lib/security directories located under the BEA_HOME folder (to find those directories, look for US_export_policy.jar files). For every JAVA_HOME/jre/lib/security directory, overwrite the default low-strength local_policy.jar and US_export_policy.jar files with the ones provided by Oracle.

3. Restart the administration server and the managed server where Oracle Identity Federation is running.
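The following shell helper is an added example, not tooling from the guide or from Oracle: it carries out step 2 across every JRE under BEA_HOME by using the guide's own hint (look for US_export_policy.jar), keeps a backup of each default jar, and then offers a check of the key length the JVM permits after the restart in step 3. The directory holding the already unzipped jars and the JAVA_HOME handed to the check are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's own tooling): apply step 2 of the JCE policy
# procedure to every JRE under a Middleware home.
# Assumes the two jars from the downloaded ZIP have already been unzipped
# into the directory given as the first argument.

# install_jce_policy <dir-with-unzipped-jars> <BEA_HOME>
# Prints each jre/lib/security directory it updates. Returns 1 when the source
# jars are missing or no JRE under BEA_HOME holds a US_export_policy.jar.
install_jce_policy() {
    src="$1"
    bea_home="$2"
    for jar in local_policy.jar US_export_policy.jar; do
        [ -f "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
    done
    # The guide's hint: a JRE to patch is one holding a US_export_policy.jar.
    list=$(mktemp) || return 1
    find "$bea_home" -path '*/jre/lib/security/US_export_policy.jar' > "$list"
    count=0
    while IFS= read -r existing; do
        secdir=$(dirname "$existing")
        for jar in local_policy.jar US_export_policy.jar; do
            # Keep the default low-strength jar once, so the change can be reverted.
            if [ -f "$secdir/$jar" ] && [ ! -f "$secdir/$jar.orig" ]; then
                cp "$secdir/$jar" "$secdir/$jar.orig"
            fi
            cp "$src/$jar" "$secdir/$jar"
        done
        echo "$secdir"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    [ "$count" -gt 0 ]
}

# max_aes_key_length <JAVA_HOME>
# After the restart in step 3, reports what the JVM now permits for AES:
# 128 with the default jars, 2147483647 (unlimited) with the Unlimited
# Strength jars. jrunscript ships with the JDK releases these files apply to.
max_aes_key_length() {
    "$1/bin/jrunscript" -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))'
}
```

Run `install_jce_policy /path/to/unzipped "$BEA_HOME"` once per Middleware home, then `max_aes_key_length "$JAVA_HOME"` after the servers have been restarted.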