Introduction to the SSL Automation Tool

Oracle Fusion Middleware Administrator's Guide

Execute this command:

ORACLE_COMMON_HOME/oracle_common/bin/SSLGenCA.sh

Provide information when prompted.

This script performs the following tasks:

■ Creates a Demo Signing CA wallet for use in the domain.
■ Extracts the public Demo CA Certificate from the CA wallet.
■ Uploads the wallet and the certificate to LDAP and stores them in the entry: cn=demoCA,Deployment_SSL_Domain.
■ Creates an access group in LDAP, cn=sslAdmins,cn=demoCA,Deployment_SSL_Domain, and grants that group administrative privileges to the parent container. All other entities are denied access. Add users to the group to give them access. The Demo CA Certificate is now available for download by an anonymous or authenticated user.
■ Stores the Demo CA Wallet password locally in an obfuscated wallet for future use. Its path is: ORACLE_HOME/credCA/castore. As administrator, you must secure this wallet so that only SSL administrators can read it.
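The last task above leaves the CA wallet password on local disk, so the file mode of ORACLE_HOME/credCA/castore is the control that decides who can read it. The following POSIX shell audit is an added example, not a script from the guide or from Oracle: it fails when the obfuscated wallet is readable by anyone other than its owner, tolerating group read only when the file's group is the SSL administrator group you name. The fallback ORACLE_HOME value and the sslAdmins OS group name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): audit the on-disk permissions of the
# obfuscated Demo CA wallet that SSLGenCA.sh leaves under ORACLE_HOME/credCA/castore.
# The fallback ORACLE_HOME value and the "sslAdmins" OS group name are assumptions.

CA_WALLET_PATH="${ORACLE_HOME:-/u01/app/oracle/product/fmw}/credCA/castore"

# wallet_perms_ok FILE [ADMIN_GROUP]
#   Returns 0 when FILE is unreadable by "other" and, unless its group is
#   ADMIN_GROUP, unreadable by its group as well. Group read (never write or
#   execute) is tolerated only when the file's group is ADMIN_GROUP.
#   Returns 2 when FILE does not exist, 1 when the permissions are too open.
wallet_perms_ok() {
    f="$1"
    admin_group="${2:-}"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    # ls -ld prints: mode links owner group ...  (same layout on GNU and BSD ls)
    set -- $(ls -ld "$f")
    mode="$1"
    group="$4"
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other_bits" != "---" ]; then
        echo "$f is accessible by everyone (mode $mode)" >&2
        return 1
    fi
    case "$group_bits" in
        ---)
            return 0 ;;
        r--)
            if [ -n "$admin_group" ] && [ "$group" = "$admin_group" ]; then
                return 0
            fi
            echo "$f is readable by group '$group', which is not the SSL admin group" >&2
            return 1 ;;
        *)
            echo "$f is writable or executable by group '$group' (mode $mode)" >&2
            return 1 ;;
    esac
}

# Stand-alone use: sh wallet_audit.sh [WALLET_PATH] [ADMIN_GROUP]
# (defaults: the assumed CA_WALLET_PATH above and the assumed group sslAdmins)
if [ $# -gt 0 ]; then
    wallet_perms_ok "${1:-$CA_WALLET_PATH}" "${2:-sslAdmins}" \
        && echo "OK: $1 is restricted to its owner and the SSL admin group"
fi
```

Run it from cron or a configuration check after SSLGenCA.sh completes; a non-zero exit is the signal that the wallet has drifted from owner-only (or owner plus SSL admin group) access. The check deliberately parses `ls -ld` rather than `stat`, whose flags differ between GNU and BSD systems.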

7.3.1 Example: Generating a Certificate

This example shows a run of SSLGenCA.sh to generate a new CA wallet and store it in the Policy Store LDAP server.

SSLGenCA.sh

SSL Certificate Authority Generation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.

This tool will generate a self-signed CA wallet and store it in a central LDAP directory for IDM and FA SSL setup and provisioning

Enter the LDAP hostname [adc2100651.example.com]:
Enter the LDAP port [3060]: 20040
Enter the admin user [cn=orcladmin]
Enter password for cn=orcladmin:
Enter the LDAP sslDomain where your CA will be stored [idm]:
Enter a password to protect your CA wallet:
Enter confirmed password for your CA wallet:

Generate a new CA Wallet...
Create SSL Domains Container for cn=idm,cn=sslDomains...
Storing the newly generated CA to the LDAP...
Setup ACL to protect the CA wallet...
The newly generated CA is stored in LDAP entry cn=demoCA,cn=idm,cn=sslDomains successfully

7.4 Configuring a Component Server

You configure a server by invoking the SSLServerConfig.sh script. This script uses the SSL Domain CA to generate a Server Certificate. The script then passes control to a component-specific configuration script, which picks up the generated Server Certificate and configures the component to accept SSL connections.

To run this script, you need the following information:

■ Connection information (host and port) for the LDAP directory used by the deployment.
■ Administrator credentials that enable you to access that LDAP directory.
■ Server name. This can be either the WebLogic Administration Server or a Managed Server.

Before invoking the script, enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation. The location of the script is:

ORACLE_COMMON_HOME/oracle_common/bin/SSLServerConfig.sh

The syntax for the script is:

SSLServerConfig.sh -component [oid|ovd|oam|wls] [-v]

Specify one and only one component. Depending on the component you specify, SSLServerConfig.sh invokes a component-specific script. Component-specific server scripts have names of the form COMPONENT_NAME_SSL_Server_Config.sh.

If you specify the component option wls, the script configures all Java EE components on the named server. Java EE components include Oracle Identity Navigator, Oracle Access Manager 11g, Oracle Identity Manager, and Oracle Identity Federation. To configure Oracle Internet Directory, Oracle Virtual Directory, or Oracle Access Manager 10g, use the appropriate component option, as shown in Table 7–4.

Table 7–4 Component Options to SSLServerConfig.sh

Component Option   Script Invoked               Component Configured
wls                WLS_SSL_Server_Config.sh     Oracle WebLogic Server and Java EE components
oid                OID_SSL_Server_Config.sh     Oracle Internet Directory server
ovd                OVD_SSL_Server_Config.sh     Oracle Virtual Directory server
oam                OAM_SSL_Server_Config.sh     Oracle Access Manager 10g server

Provide information when prompted.

If you are using the oid or ovd option and your Oracle Internet Directory or Oracle Virtual Directory host is not the same as your WebLogic Server host (in a high availability environment, for example), you must run the server script on the Oracle Internet Directory or Oracle Virtual Directory host.

This script performs the following tasks:

■ Downloads the Demo Signing CA generated in Section 7.3 and stores it in ORACLE_HOME/rootCA.
■ Executes the component-specific script COMPONENT_NAME_SSL_Server_Config.sh, if appropriate.

The component-specific script performs the following tasks:
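The syntax rule above (one and only one -component value, optionally -v) and the COMPONENT_NAME_SSL_Server_Config.sh naming rule from Table 7–4 can be enforced before the tool is started, so that a mistyped option is rejected instead of reaching the LDAP directory with administrator credentials. The wrapper below is an added example, not Oracle's script: it validates the argument list, reports which component-specific script SSLServerConfig.sh will hand control to, and refuses to run when the tool is not found. The fallback ORACLE_COMMON_HOME value is an assumption; whether the component-specific scripts themselves accept -v is not stated in the guide, so the wrapper only passes the arguments through unchanged.

```shell
#!/bin/sh
# Added example (not Oracle's script): a wrapper that enforces the documented syntax
#   SSLServerConfig.sh -component [oid|ovd|oam|wls] [-v]
# before anything is executed, and names the component-specific script that
# SSLServerConfig.sh will pass control to. The fallback ORACLE_COMMON_HOME
# value is an assumption.

SSL_BIN_DIR="${ORACLE_COMMON_HOME:-/u01/app/oracle/product/fmw}/oracle_common/bin"

# component_script COMPONENT
#   Prints the script SSLServerConfig.sh invokes for COMPONENT, following the
#   COMPONENT_NAME_SSL_Server_Config.sh naming rule (Table 7-4); returns 1 otherwise.
component_script() {
    case "$1" in
        oid|ovd|oam|wls)
            printf '%s_SSL_Server_Config.sh\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
            ;;
        *)
            echo "unknown component '$1' (expected oid, ovd, oam or wls)" >&2
            return 1
            ;;
    esac
}

# resolve_server_config ARGS...
#   Validates the argument list exactly as documented: one and only one
#   -component value, an optional -v, nothing else. Prints the component
#   script name on success; returns 1 on any misuse.
resolve_server_config() {
    comp=""
    verbose=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -component)
                if [ $# -lt 2 ]; then
                    echo "-component requires a value" >&2
                    return 1
                fi
                if [ -n "$comp" ]; then
                    echo "specify one and only one component" >&2
                    return 1
                fi
                comp="$2"
                shift 2
                ;;
            -v)
                verbose=1
                shift
                ;;
            *)
                echo "unexpected argument '$1'" >&2
                return 1
                ;;
        esac
    done
    if [ -z "$comp" ]; then
        echo "-component is required" >&2
        return 1
    fi
    script=$(component_script "$comp") || return 1
    if [ "$verbose" -eq 1 ]; then
        echo "verbose mode: SSLServerConfig.sh will invoke $script" >&2
    fi
    printf '%s\n' "$script"
}

# run_server_config ARGS...
#   Refuses to start until the arguments validate and the tool is present.
run_server_config() {
    script=$(resolve_server_config "$@") || return 1
    if [ ! -x "$SSL_BIN_DIR/SSLServerConfig.sh" ]; then
        echo "SSLServerConfig.sh not found under $SSL_BIN_DIR; set ORACLE_COMMON_HOME" >&2
        return 1
    fi
    echo "Running SSLServerConfig.sh $*; control will pass to $script"
    "$SSL_BIN_DIR/SSLServerConfig.sh" "$@"
}

# Stand-alone use: sh ssl_server_config_wrapper.sh -component wls [-v]
if [ $# -gt 0 ]; then
    run_server_config "$@"
fi
```

Because the component-specific script name is derived mechanically from the option, the wrapper also makes the dispatch visible in the shell history and log before the tool prompts for LDAP administrator credentials.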