
16-6 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

CustomIdentityKeyStoreFileName=ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appIdentityKeyStore.jks
CustomIdentityKeyStorePassPhrase=Key_Passphrase
CustomIdentityAlias=appIdentityIDMHOST1
CustomIdentityPrivateKeyPassPhrase=Key_Passphrase

The passphrase entries in the nodemanager.properties file are encrypted when you start Node Manager, as described in Section 20.1, Starting and Stopping Oracle Identity Management Components. For security reasons, minimize the time the entries in nodemanager.properties are left unencrypted: after you edit the file, start Node Manager as soon as possible so that the entries get encrypted. While the plaintext passphrases are present, the file should be readable only by the operating system user that runs Node Manager.

When you are using a common/shared storage installation for MW_HOME, Node Manager is started from different nodes using the same base configuration in nodemanager.properties. In that case, you must add the certificate for every node that shares the binaries to the appIdentityKeyStore.jks identity store. To do this, create the certificate for the new node and import it into appIdentityKeyStore.jks as in Section 16.3.2, Creating an Identity Keystore Using the utils.ImportPrivateKey Utility. Once the certificates are available in the store, each Node Manager must point to a different identity alias so that it sends the correct certificate to the Administration Server. To do this, set a different environment variable before starting Node Manager on each node:

HOST> cd WL_HOME/server/bin
HOST> export JAVA_OPTIONS=-DCustomIdentityAlias=appIdentityX

16.3.5 Starting Node Manager

Run the following commands to start Node Manager:

IDMHOST1> cd WL_HOME/server/bin
IDMHOST1> ./startNodeManager.sh

Note: Make sure to specify the custom identity alias assigned to each host, for example appIdentity1 for ...HOST1 and appIdentity2 for ...HOST2.

Note: If you have not configured and started Node Manager for the first time yet, run the setNMProps.sh script as specified in Section 6.4, Starting Node Manager on IDMHOST1. This enables the use of the start script that is required for the Identity Management components.

Note: Verify from the Node Manager output that it is using the appropriate stores and alias. Node Manager should print the following:

CustomIdentityKeyStoreFileName=ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appIdentityKeyStore.jks
CustomIdentityAlias=appIdentityX

Host name verification is working if you apply a test configuration change to the servers and it succeeds without Node Manager reporting any SSL errors.
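The two things the notes above ask you to confirm (that the passphrase entries in nodemanager.properties are no longer plaintext once Node Manager has started, and that the Node Manager on each host points at that host's own alias) can be scripted. The following POSIX sh script is an added example and is not part of the Oracle guide; it inspects a nodemanager.properties file and refuses to pass while a passphrase is still in the clear or the alias is wrong. The domain path, the alias names, the sample file content and the {AES} placeholder value are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the Oracle guide: sanity-check a nodemanager.properties
# file before and after Node Manager is started.
#  - every *PassPhrase entry must be encrypted. Node Manager rewrites them with a
#    "{cipher}" tag (for example "{AES}..."); a value without a leading "{" is
#    still the plaintext you typed.
#  - CustomIdentityAlias must be the alias assigned to this host (on a shared
#    MW_HOME each node has its own alias).
#  - while plaintext is present the file must not be group/world readable.
# Paths, aliases and the sample content below are assumptions for illustration.

# Print the value of KEY in properties FILE (last definition wins; empty if absent).
nm_prop() {  # nm_prop FILE KEY
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Succeed only if every *PassPhrase entry in FILE starts with a "{cipher}" tag.
nm_passphrases_encrypted() {  # nm_passphrases_encrypted FILE
  plain=$(grep -E '^[[:space:]]*[A-Za-z]*PassPhrase=' "$1" | grep -v -F '={' || true)
  [ -z "$plain" ]
}

# Succeed only if CustomIdentityAlias in FILE equals EXPECTED.
nm_alias_is() {  # nm_alias_is FILE EXPECTED
  [ "$(nm_prop "$1" CustomIdentityAlias)" = "$2" ]
}

# Succeed only if FILE has no group/other permission bits (mode 600, 400, ...).
nm_file_private() {  # nm_file_private FILE
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Run all checks, print one line per finding, succeed only if every check passes.
nm_check() {  # nm_check FILE EXPECTED_ALIAS
  rc=0
  if nm_passphrases_encrypted "$1"; then
    echo "OK   passphrases in $1 are encrypted"
  else
    echo "FAIL $1 still holds a plaintext passphrase; start Node Manager to encrypt it"
    rc=1
    if ! nm_file_private "$1"; then
      echo "FAIL $1 is group/world readable while it holds plaintext"
    fi
  fi
  if nm_alias_is "$1" "$2"; then
    echo "OK   CustomIdentityAlias=$2"
  else
    echo "FAIL CustomIdentityAlias is '$(nm_prop "$1" CustomIdentityAlias)', expected $2 on this host"
    rc=1
  fi
  return $rc
}

# Constructed sample files: the file as you would type it (plain) and as Node
# Manager rewrites it after the first start (encrypted). The {AES} value is a
# placeholder, not real Node Manager output.
nm_write_sample() {  # nm_write_sample FILE plain|encrypted
  if [ "$2" = plain ]; then pw=Key_Passphrase; else pw='{AES}9zF1kP0ExampleCipherText=='; fi
  cat > "$1" <<EOF
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=/u01/app/oracle/admin/IDMDomain/aserver/IDMDomain/certs/appIdentityKeyStore.jks
CustomIdentityKeyStorePassPhrase=$pw
CustomIdentityAlias=appIdentityIDMHOST1
CustomIdentityPrivateKeyPassPhrase=$pw
EOF
}

# Usage: sh nm_check.sh WL_HOME/common/nodemanager/nodemanager.properties appIdentityIDMHOST1
if [ $# -ge 2 ]; then
  nm_check "$1" "$2"
fi
```

Run it once right after editing the file (expect FAIL on the passphrase line, which is your cue to start Node Manager immediately) and once after the first start (expect OK on both lines). On a shared MW_HOME, run it on every node with that node's alias; a passing alias check on one node says nothing about the others.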

16.3.6 Configuring Managed WebLogic Servers to Use the Custom Keystores

Follow these steps to configure the identity and trust keystores for WLS_SERVER:

1. Log in to the Oracle WebLogic Server Administration Console.

2. Click Lock & Edit.

3. Expand the Environment node in the Domain Structure window.

4. Click Servers. The Summary of Servers page is displayed.

5. Click the name of the server for which you want to configure the identity and trust keystores (WLS_SERVER). The settings page for the selected server is displayed.

6. Select Configuration, then Keystores.

7. In the Keystores field, select the Custom Identity and Custom Trust method for storing and managing private key/digital certificate pairs and trusted CA certificates.

8. In the Identity section, define attributes for the identity keystore:

■ Custom Identity Keystore: The fully qualified path to the identity keystore: ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appIdentityKeyStore.jks

■ Custom Identity Keystore Type: Leave blank; it defaults to JKS.

■ Custom Identity Keystore Passphrase: The password (Keystore_Password) you provided in Section 16.3.3, Creating a Trust Keystore Using the Keytool Utility. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore; however, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether you must define this property depends on the requirements of the keystore.

9. In the Trust section, define properties for the trust keystore:

■ Custom Trust Keystore: The fully qualified path to the trust keystore: ORACLE_BASE/admin/domain_name/aserver/domain_name/certs/appTrustKeyStoreIDMHOST1.jks

■ Custom Trust Keystore Type: Leave blank; it defaults to JKS.

■ Custom Trust Keystore Passphrase: The password you provided as New_Password in Section 16.3.3, Creating a Trust Keystore Using the Keytool Utility. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase to write to the keystore; however, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore, so whether you must define this property depends on the requirements of the keystore.

10. Click Save.

11. Click Activate Changes in the Administration Console's Change Center to make the changes take effect.

12. Select Configuration, then SSL.

13. Click Lock & Edit.

14. In the Private Key Alias field, enter the alias you used for the host name the Managed Server listens on, for example:

■ For wls_ods1, use appIdentityIDMHOST1.

■ For wls_ods2, use appIdentityIDMHOST2.

■ For ADMINSERVER, use appIdentityADMVHN.

In the Private Key Passphrase and Confirm Private Key Passphrase fields, enter the passphrase of the private key you imported into the identity keystore in Section 16.3.2, Creating an Identity Keystore Using the utils.ImportPrivateKey Utility.

15. Click Save.

16. Click Activate Changes in the Administration Console's Change Center to make the changes take effect.

17. Restart the server to which the changes have been applied, as described in Section 20.1, Starting and Stopping Oracle Identity Management Components.
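Before restarting in step 17, it is worth confirming two things about the alias entered in step 14: that it is really a private-key entry in the identity keystore (a certificate imported on its own shows up under the same alias as a trustedCertEntry, and the server then has no key to present), and that the certificate's CN is the host name the server listens on, which is what the default WebLogic host name verifier discussed in Section 16.3.7 compares. JKS aliases are case-insensitive and keytool prints them in lower case, so the comparison must ignore case. The following POSIX sh script is an added example, not the guide's own code: it parses keytool -list -v output and applies both checks. The host names, the alias names and the sample listing are constructed for illustration; the two live helpers need a JDK and a running server and are not used by the offline checks.

```sh
#!/bin/sh
# Added example, not part of the Oracle guide: check that a Managed Server's
# Private Key Alias is a PrivateKeyEntry in the identity keystore and that its
# certificate CN matches the listen host name. Aliases are compared in lower
# case because keytool prints JKS aliases lower-cased. Host names, aliases and
# the sample listing are assumptions for illustration.

# Entry type ("PrivateKeyEntry" or "trustedCertEntry") of ALIAS in a
# "keytool -list -v" listing read from stdin; prints nothing if ALIAS is absent.
ks_entry_type() {  # ks_entry_type ALIAS < listing
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^Alias name:/ { cur = tolower(substr($0, 12)); sub(/^[ \t]+/, "", cur) }
    cur == want && /^Entry type:/ { t = substr($0, 12); sub(/^[ \t]+/, "", t); print t; exit }
  '
}

# CN of the first certificate (first "Owner:" line) under ALIAS; empty if absent.
ks_owner_cn() {  # ks_owner_cn ALIAS < listing
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^Alias name:/ { cur = tolower(substr($0, 12)); sub(/^[ \t]+/, "", cur) }
    cur == want && /^Owner:/ && match($0, /CN=[^,]*/) { print substr($0, RSTART + 3, RLENGTH - 3); exit }
  '
}

# Verify ALIAS for a server listening on LISTEN_HOST; listing on stdin.
ks_alias_ok() {  # ks_alias_ok ALIAS LISTEN_HOST < listing
  listing=$(cat)
  type=$(printf '%s\n' "$listing" | ks_entry_type "$1")
  cn=$(printf '%s\n' "$listing" | ks_owner_cn "$1")
  if [ -z "$type" ]; then
    echo "FAIL alias $1 is not in the keystore"; return 1
  elif [ "$type" != PrivateKeyEntry ]; then
    echo "FAIL alias $1 is a $type: the certificate was imported without its private key"; return 1
  elif [ "$cn" != "$2" ]; then
    echo "FAIL alias $1 has CN=$cn but the server listens on $2; host name verification will reject it"; return 1
  fi
  echo "OK   alias $1 is a PrivateKeyEntry for CN=$2"
}

# Live helpers (need a JDK and a running server; not used by the offline checks).
ks_list_live() {  # ks_list_live KEYSTORE.jks  -- keytool prompts for the store password,
  keytool -list -v -keystore "$1"   # which keeps it out of the process list and shell history
}
tls_served_cn() {  # tls_served_cn HOST PORT  -- CN of the certificate a listener actually presents
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Constructed "keytool -list -v" output: a correct private-key entry for IDMHOST1
# and an alias for IDMHOST2 that was imported as a bare certificate by mistake.
ks_sample_listing() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: appidentityidmhost1
Creation date: Jan 1, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=idmhost1.example.com, OU=IDM, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US

Alias name: appidentityidmhost2
Creation date: Jan 1, 2012
Entry type: trustedCertEntry

Owner: CN=idmhost2.example.com, OU=IDM, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
}

# Usage: ks_list_live .../certs/appIdentityKeyStore.jks | ks_alias_ok appIdentityIDMHOST1 idmhost1.example.com
if [ $# -ge 2 ]; then
  ks_alias_ok "$1" "$2"
fi
```

Run the live form once per Managed Server with the alias from step 14 and that server's listen address. After the restart, tls_served_cn against the server's SSL port should return the same CN; if it does not, the server is still presenting the demo identity certificate rather than the one you configured.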

16.3.7 Changing the Host Name Verification Setting for the Managed Servers