Examples of Properties Files

7-2 Oracle Fusion Middleware Administrator's Guide

The server and client configuration scripts invoke component-specific scripts, depending on the value of an option that you specify on the command line when you invoke the main script. The scripts use the LDAP Policy Store present in a deployment to centrally store the SSL Domain CA wallets. These SSL Domain CA wallets are protected by LDAP access controls, with access granted only to members of the SSL Administrators group. You must be a member of the group to run the scripts.

The SSL Automation Tool provides the following benefits:

■ It provides a consistent set of interfaces for consumption by administrators.
■ It removes the propagation of self-signed certificates and reduces the number of relevant trust points, which are now limited to SSL Domain CAs.
■ It ensures that only properly authorized SSL Administrators are allowed to perform SSL-related administrative tasks.
■ It allows support for additional components to be added incrementally without the need for fundamental change.

7.2 Prerequisites

Before you attempt to use this tool, ensure that you have performed the tasks described in this section.

7.2.1 Setting up Oracle Fusion Middleware Environment

All the components of your Oracle Fusion Middleware environment must be up and running before you invoke the scripts to configure SSL on those components.

If your components are running on Windows platforms, you must obtain and install Cygwin from http://www.cygwin.com before you can use the scripts. Set the ORACLE_HOME environment variable in the Cygwin shell. For example:

export ORACLE_HOME=C:\rc8\fmwhome\Oracle_Home

7.2.2 Assembling Required Information

Make sure you have the values of the variables listed in Table 7–2 and Table 7–3 available before you invoke the SSL scripts. Table 7–1 lists the main scripts.

Table 7–1 Main Scripts

Script               Function
SSLGenCA.sh          Generates the CA certificate and stores it in an LDAP directory
SSLServerConfig.sh   Configures the servers
SSLClientConfig.sh   Configures the clients

Table 7–2 Domain-Level Information Variables for SSL Automation Tool

Variable
HOSTNAME
ORACLE_HOME (Fusion Middleware)
ORACLE_COMMON
MIDDLEWARE_HOME
DOMAIN_NAME
DOMAIN_HOME
DOMAIN_ADMINISTRATOR_USERNAME
DOMAIN_ADMINISTRATION_PASSWORD
DOMAIN_HOST_NAME
ADMINSERVER_PORT
DOMAIN_ADMINISTRATOR_USERNAME
DOMAIN_ADMINISTRATION_PASSWORD
INSTANCE_HOME
INSTANCE_NAME

Table 7–3 Component-Specific Information Variables for SSL Automation Tool

Variable
OVD_NAME
OVD_PORT
OID_NAME
OID_PORT
OID_SSL_PORT
OID_ADMIN
OID_ADMIN_PASSWORD
DB_HOST
DB_PORT
DB_SERVICE_NAME
DB_SID

7.3 Generating the CA Certificate

You invoke the CA certificate generating script SSLGenCA.sh to initialize and create an SSL Domain and generate the SSL Domain CA. Run the script only once for the whole SSL domain. If you run it again, you must configure all the servers and clients with the newly generated CA wallet. An SSL domain is the security environment in which all the SSL components will be deployed with the same CA-signed certificates.

Enter a shell that is set up with the default environment for an Oracle Fusion Middleware installation. To run this script, you need the following information:

■ Connection information (host and port) for the LDAP directory used by the deployment
■ Administrator credentials that enable you to access that LDAP directory
■ The name of the SSL Domain

Execute this command:

ORACLE_COMMON_HOME/oracle_common/bin/SSLGenCA.sh

Provide information when prompted. This script performs the following tasks:

■ Creates a Demo Signing CA wallet for use in the domain.
■ Extracts the public Demo CA Certificate from the CA wallet.
■ Uploads the wallet and the certificate to LDAP and stores them in the entry: cn=demoCA,Deployment_SSL_Domain.
■ Creates an access group in LDAP: cn=sslAdmins,cn=demoCA,Deployment_SSL_Domain and grants that group administrative privileges to the parent container. All other entities are denied access. Add users to the group to give access. The Demo CA Certificate is now available for download by an anonymous or authenticated user.
■ The Demo CA Wallet password is stored locally in an obfuscated wallet for future use. Its path is: ORACLE_HOME/credCA/castore. As administrator, you must secure this wallet so that only SSL administrators can read it.
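The following POSIX shell script is an added example, not part of the Oracle guide or of the SSL Automation Tool. It covers two points from this chapter: a pre-flight check that the domain-level variables of Table 7–2 have values before SSLGenCA.sh or the server/client scripts are run, and a post-run check that the obfuscated CA wallet at ORACLE_HOME/credCA/castore is not readable by everyone on the host (the guide says only SSL administrators may read it). The variable names and the castore path come from this chapter; the script name ssl_preflight.sh and the optional OS group passed to secure_wallet are assumptions of the example.

```shell
#!/bin/sh
# Added pre-flight / post-run checks for the SSL Automation Tool (example code,
# not part of the Oracle guide or the tool itself).
#
# Assumptions (not from the guide): the file is saved as ssl_preflight.sh, and
# the OS group that holds the SSL administrators is supplied by the caller.

# Domain-level variables from Table 7-2 whose values the scripts expect.
DOMAIN_VARS="HOSTNAME ORACLE_HOME ORACLE_COMMON MIDDLEWARE_HOME DOMAIN_NAME \
DOMAIN_HOME DOMAIN_ADMINISTRATOR_USERNAME DOMAIN_ADMINISTRATION_PASSWORD \
DOMAIN_HOST_NAME ADMINSERVER_PORT INSTANCE_HOME INSTANCE_NAME"

# check_required_vars NAME...: returns 0 when every named variable is set and
# non-empty; otherwise lists the missing ones on stderr and returns 1.
check_required_vars() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "MISSING: $name" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# file_mode FILE: octal permission bits; GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_wallet_perms FILE: returns 0 only if FILE grants nothing to "other",
# i.e. the castore wallet is readable by its owner and at most one group.
# Returns 2 if the file cannot be inspected at all.
check_wallet_perms() {
  mode=$(file_mode "$1" 2>/dev/null) || return 2
  case "$mode" in
    *0) return 0 ;;   # last octal digit is the "other" bits
    *)  echo "castore mode $mode grants access to everyone" >&2; return 1 ;;
  esac
}

# secure_wallet FILE [GROUP]: owner read/write, group read, nothing for other.
# GROUP (hypothetical, e.g. the OS group of the SSL administrators) is optional.
secure_wallet() {
  chmod 640 "$1" || return 1
  if [ -n "${2:-}" ]; then
    chgrp "$2" "$1" || return 1
  fi
  check_wallet_perms "$1"
}

# preflight_report WALLET: run both checks. The wallet only exists after the
# first SSLGenCA.sh run, so its absence before that run is not an error.
preflight_report() {
  check_required_vars $DOMAIN_VARS || return 1
  if [ -f "$1" ]; then
    check_wallet_perms "$1" || return 1
  fi
  echo "preflight OK"
}

# Run the report when executed directly as ssl_preflight.sh; sourcing the file
# only defines the functions so they can be reused from other scripts.
if [ "$(basename -- "$0")" = "ssl_preflight.sh" ]; then
  preflight_report "${ORACLE_HOME:-}/credCA/castore"
fi
```

Run it as `sh ssl_preflight.sh` in the same shell environment that will invoke SSLGenCA.sh; a non-zero exit means either a variable from Table 7–2 is unset or castore is world-readable. The check deliberately allows group read so that the group can be the SSL administrators, matching the guide's requirement that only they can read the wallet.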

7.3.1 Example: Generating a Certificate

This example shows a run of SSLGenCA.sh to generate a new CA wallet and store it in the Policy Store LDAP server.

SSLGenCA.sh
SSL Certificate Authority Generation Script: Release 11.1.1.4.0 - Production
Copyright (c) 2010 Oracle. All rights reserved.
This tool will generate a self-signed CA wallet and store it in a central LDAP directory for IDM and FA SSL setup and provisioning
Enter the LDAP hostname [adc2100651.example.com]:
Enter the LDAP port [3060]: 20040
Enter the admin user [cn=orcladmin]
Enter password for cn=orcladmin:
Enter the LDAP sslDomain where your CA will be stored [idm]:
Enter a password to protect your CA wallet:
Enter confirmed password for your CA wallet:
Generate a new CA Wallet...
Create SSL Domains Container for cn=idm,cn=sslDomains...
Storing the newly generated CA to the LDAP...
Setup ACL to protect the CA wallet...
The newly generated CA is stored in LDAP entry cn=demoCA,cn=idm,cn=sslDomains successfully