Updating Listener Settings Managing Listeners Using WLST

Active
Determines whether the Listener is enabled or disabled. Supported values are true and false. If you disable the Admin Listener, you cannot communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces.

AuthenticationType
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
■ None configures the Listener for SSL No-Authentication Mode
■ Server configures the Listener for SSL Server Authentication Mode
■ Mutual configures the Listener for SSL Mutual Authentication Mode

BindAddress
The InetAddress representation of the value of the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers
Configures cipher suite negotiation, which is part of the SSL handshake used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
■ SSL_RSA_WITH_RC4_128_MD5
■ SSL_RSA_WITH_RC4_128_SHA
■ SSL_RSA_WITH_3DES_EDE_CBC_SHA
■ SSL_RSA_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_RC4_128_MD5
■ SSL_DH_anon_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
■ TLS_RSA_WITH_AES_128_CBC_SHA
■ TLS_RSA_WITH_AES_256_CBC_SHA
Of these, the SSL_DH_anon_* suites perform no server authentication, so any party on the network path can impersonate the server, and the RC4, DES and 3DES suites are cryptographically weak. Restrict production Listeners to the TLS_RSA_WITH_AES_* suites.

GroupURL
An LDAP URL that defines a group of users with privileges to use the Admin Listener. These users have near-root privileges when accessing the Oracle Virtual Directory server through the Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager interfaces, so keep the group's membership as small as possible.

Host
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP addresses configured for the host.
Note: Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.

KeyStore
The name of the JKS keystore containing the SSL artifacts.

Name
The name of the Listener.

Port
The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.

Protocol
The protocol the Admin Listener uses to provide service. Supported values are HTTP and HTTPS.

SSLEnabled
Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions
The supported protocols for SSL communication. The following is a list of the supported values:
■ TLSv1
■ SSLv2Hello
■ SSLv3
Note: The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version. SSLv3 is obsolete and vulnerable to downgrade attacks such as POODLE; for production Listeners, specify TLSv1 only.

Threads
The number of active worker threads the Listener uses to listen for connections on the port.

TrustStore
The name of the JKS keystore containing the SSL artifacts.

11.5.1.2 Configuring LDAP Listener Settings Using WLST

The following is a list and description of the LDAP Listener settings you can configure using WLST:

Active
Determines whether the Listener is enabled or disabled. Supported values are true and false.

AllowStartTLS
Determines whether LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. Supported values are true and false. The default value is false. On a Listener with SSLEnabled false, leaving AllowStartTLS false means simple binds send passwords in cleartext.

AnonymousBind
Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Supported values are listed in Table 11–3:

Table 11–3 LDAP Anonymous Authentication Options
Option       Control
Allow        Allow anonymous authentication.
Deny         Prevent anonymous operations.
DenyDNOnly   Prevent empty-password authentication for a non-empty DN.

Note: In the LDAP protocol (RFC 4513 calls this an unauthenticated bind), a bind request that carries a non-empty DN and an empty password is treated as anonymous, and a server that accepts it returns success without verifying any credential. For applications that use LDAP for authentication, this could allow end users to log in to their applications without entering a password. Most LDAP-enabled applications guard against this case, but as an extra safeguard you can configure Oracle Virtual Directory (DenyDNOnly or Deny) to reject such binds itself.

AuthenticationType
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
■ None configures the Listener for SSL No-Authentication Mode
■ Server configures the Listener for SSL Server Authentication Mode
■ Mutual configures the Listener for SSL Mutual Authentication Mode

BindAddress
The InetAddress representation of the value of the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers
Configures cipher suite negotiation, which is part of the SSL handshake used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
■ SSL_RSA_WITH_RC4_128_MD5
■ SSL_RSA_WITH_RC4_128_SHA
■ SSL_RSA_WITH_3DES_EDE_CBC_SHA
■ SSL_RSA_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_RC4_128_MD5
■ SSL_DH_anon_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
■ TLS_RSA_WITH_AES_128_CBC_SHA
■ TLS_RSA_WITH_AES_256_CBC_SHA
The SSL_DH_anon_* suites perform no server authentication, and the RC4, DES and 3DES suites are cryptographically weak; restrict production Listeners to the TLS_RSA_WITH_AES_* suites.

ExtendedOpsClass
In addition to the normal operations defined by the LDAP protocol, you can define your own LDAP extended operation using this setting. The value is the fully qualified Java class name that implements your user-defined LDAP operation.

ExtendedOpsOid
The unique OID for the user-defined LDAP operation identified by the ExtendedOpsClass setting.

Host
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note: Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.

KeyStore
The name of the JKS keystore containing the SSL artifacts.

Name
The name of the Listener.

Port
The port number on which the LDAP Listener provides service. Only one Listener per server can be active on a port at any given time.

Protocol
The protocol the LDAP Listener uses to provide service. Supported values are LDAP and LDAPS.

SSLEnabled
Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions
The supported protocols for SSL communication. The following is a list of the supported values:
■ TLSv1
■ SSLv2Hello
■ SSLv3
Note: The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version. SSLv3 is obsolete and vulnerable to downgrade attacks such as POODLE; for production Listeners, specify TLSv1 only.

SocketOptionsBacklog
Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. The default setting is 128.

SocketOptionsKeepAlive
Determines whether the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. Supported values are true and false. The default value is false.

SocketOptionsReadTimeout
Enables and disables tolerance for idle client connections, with the timeout period specified in milliseconds. If set to a nonzero value, client connections to the Oracle Virtual Directory server can remain idle only for that amount of time; a connection idle for longer is terminated. A value of zero is treated as an infinite timeout. The default value is 0, which means idle connections are never reaped by the server and a slow or abandoned client can hold a worker thread indefinitely.

SocketOptionsReuseAddress
Determines whether the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in the TIME_WAIT state can be reused. Supported values are true and false. The default value is false.

SocketOptionsTcpNoDelay
Determines whether the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. Supported values are true and false. The default value is true.

Threads
The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you indicate an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

TrustStore
The name of the JKS keystore containing the SSL artifacts.

WorkQueueCapacity
Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a "DSA is busy" error. The default value is 1024.
Note: The "DSA is busy" error usually appears when a large number of requests are sent to the Oracle Virtual Directory server in a short time period and the LDAP Listener cannot support them.
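The AnonymousBind options above decide the outcome of a simple bind from the (DN, password) pair alone. The following is an added example, not Oracle Virtual Directory code, that models that decision for all three values, including the unauthenticated-bind case the note warns about (non-empty DN, empty password). The backend password check that a real name/password bind would go on to is assumed and not shown.

```python
"""Decision logic for the LDAP Listener's AnonymousBind setting.

Added example; it is not Oracle Virtual Directory code. It models how the
three documented values (Allow, Deny, DenyDNOnly) resolve a simple bind
request from its DN and password, keeping RFC 4513's three bind forms
apart: anonymous (empty DN, empty password), unauthenticated (non-empty
DN, empty password) and name/password.
"""
from enum import Enum


class AnonymousBind(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    DENY_DN_ONLY = "DenyDNOnly"


class BindOutcome(Enum):
    ANONYMOUS = "anonymous session"          # success, no identity attached
    VERIFY_PASSWORD = "verify credentials"   # real bind; backend check assumed, not shown
    REJECTED = "invalidCredentials"          # LDAP result code 49


def classify_bind(mode, dn, password):
    """Resolve a simple bind under the given AnonymousBind mode.

    `mode` may be an AnonymousBind member or its string value as set with
    WLST. VERIFY_PASSWORD means the request is a genuine name/password bind
    that still has to be authenticated against the backend.
    """
    mode = AnonymousBind(mode) if isinstance(mode, str) else mode
    dn = (dn or "").strip()
    password = password or ""

    if password:
        # A password with an empty DN matches none of the RFC 4513 bind forms;
        # treat it as invalid credentials rather than guessing an identity.
        return BindOutcome.VERIFY_PASSWORD if dn else BindOutcome.REJECTED

    # Empty password from here on: either a true anonymous bind or the
    # unauthenticated form (DN given, password empty) the manual warns about.
    if mode is AnonymousBind.DENY:
        return BindOutcome.REJECTED
    if mode is AnonymousBind.DENY_DN_ONLY:
        return BindOutcome.REJECTED if dn else BindOutcome.ANONYMOUS
    return BindOutcome.ANONYMOUS   # Allow: both forms yield an anonymous session


if __name__ == "__main__":
    # Constructed sample requests: (description, DN, password)
    requests = [
        ("true anonymous bind", "", ""),
        ("DN with empty password", "cn=alice,dc=example,dc=com", ""),
        ("name/password bind", "cn=alice,dc=example,dc=com", "s3cret"),
    ]
    for mode in AnonymousBind:
        for label, dn, pw in requests:
            print(f"{mode.value:<11} {label:<24} -> {classify_bind(mode, dn, pw).value}")
```

Running the block prints the outcome matrix; the row that matters for the note above is "DN with empty password", which only DenyDNOnly and Deny turn into invalidCredentials.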

11.5.1.3 Configuring HTTP Listener Settings Using WLST

The following is a list and description of the HTTP Listener settings you can configure using WLST:

Active
Determines whether the Listener is enabled or disabled. Supported values are true and false.

AuthenticationType
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
■ None configures the Listener for SSL No-Authentication Mode
■ Server configures the Listener for SSL Server Authentication Mode
■ Mutual configures the Listener for SSL Mutual Authentication Mode

BindAddress
The InetAddress representation of the value of the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.

Ciphers
Configures cipher suite negotiation, which is part of the SSL handshake used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
■ SSL_RSA_WITH_RC4_128_MD5
■ SSL_RSA_WITH_RC4_128_SHA
■ SSL_RSA_WITH_3DES_EDE_CBC_SHA
■ SSL_RSA_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_RC4_128_MD5
■ SSL_DH_anon_WITH_DES_CBC_SHA
■ SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
■ TLS_RSA_WITH_AES_128_CBC_SHA
■ TLS_RSA_WITH_AES_256_CBC_SHA
The SSL_DH_anon_* suites perform no server authentication, and the RC4, DES and 3DES suites are cryptographically weak; restrict production Listeners to the TLS_RSA_WITH_AES_* suites.

CustomWebappContext
Base URL for the location of the customer-developed custom web service.

CustomWebappSecurityRealm
Name of the realm used by Oracle Virtual Directory to protect the custom web service when the custom web service is security enabled.

CustomWebappWebapp
To use your own web application to handle HTTP connections instead of the HTTP Listener's Web Gateway, DSMLv2 Gateway, or both, use this setting to specify the path to your custom web application's WAR file.

Dsmlv2SecurityRealm
Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name appears in the HTTP authentication challenge shown to the user.

Host
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note: Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.

KeyStore
The name of the JKS keystore containing the SSL artifacts.

Name
The name of the Listener.

Port
The port number on which the HTTP Listener provides service. Only one Listener per server can be active on a port at any given time.

Protocol
The protocol the HTTP Listener uses to provide service. Supported values are HTTP and HTTPS.

SSLEnabled
Determines whether SSL is enabled on the Listener. Supported values are true and false.

SSLVersions
The supported protocols for SSL communication. The following is a list of the supported values:
■ TLSv1
■ SSLv2Hello
■ SSLv3
Note: The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version. SSLv3 is obsolete and vulnerable to downgrade attacks such as POODLE; for production Listeners, specify TLSv1 only.

Threads
The number of active worker threads the Listener uses to concurrently process incoming requests. The Listener automatically increases the number of threads if you indicate an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can preallocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.

TrustStore
The name of the JKS keystore containing the SSL artifacts.

WebgatewayAllowAnon
Enables and disables anonymous access to the Web Gateway. Supported values are true and false.

WebgatewayCertifiedAttributes
Indicates which attributes contain binary PKI certificate information. The default value is usercertificate.

WebgatewayHtDocsRoot
The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located.

WebgatewayMatchAttributes
The attributes the Web Gateway should attempt to match when searching for a UID. The default value is uid, mail, cn.

WebgatewayMatchObjectClasses
The object classes the Web Gateway should use when searching for users to authenticate. The default value is inetorgperson, user.

WebgatewayPhotoAttributes
Indicates which attributes contain graphical images. The default value is jpegphoto.

WebgatewayPhotoHeight
The height the Web Gateway scales photos to. The default value is 100.

WebgatewayPhotoWidth
The width the Web Gateway scales photos to. The default value is 100.

WebgatewaySearchRoot
The root distinguished name (DN) of the directory subtree where the Web Gateway starts its subtree search for the user identity names (UIDs) supplied after a user authentication challenge.

WebgatewaySecurityRealm
Name of the realm used by Oracle Virtual Directory to protect the Web Gateway service when the Web Gateway service is security enabled.

WebgatewayUserCacheLife
Maximum time in seconds that Oracle Virtual Directory waits before re-querying a user credential stored in the directory source. A long cache life delays the effect of a password change or account disablement in the source directory by up to this interval.
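The Admin, LDAP and HTTP Listener settings above share the same transport-security knobs (Host, SSLEnabled, SSLVersions, Ciphers, AuthenticationType) plus a few type-specific ones (AllowStartTLS, AnonymousBind, WebgatewayAllowAnon). The following added example, not part of the Oracle documentation or product, is an offline check that takes each Listener's settings as a plain dictionary keyed by those WLST setting names and reports the choices a security review would flag. The sample Listeners are constructed for illustration and their port numbers are assumptions.

```python
"""Offline hardening check for Oracle Virtual Directory Listener settings.

Added example, not Oracle code. Each Listener is a dict keyed by the WLST
setting names from the guide; audit_listener() returns the findings a
security review would raise. SAMPLE_LISTENERS is constructed data and the
port numbers in it are assumptions.
"""
import ipaddress

WEAK_SUITE_MARKERS = ("_RC4_", "_DES_", "_3DES_")   # broken or deprecated ciphers
ANON_SUITE_MARKER = "_anon_"                        # unauthenticated Diffie-Hellman


def is_loopback(host):
    """True for localhost or any IPv4/IPv6 loopback literal (the guide forbids these)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a hostname, not an address literal
        return False


def audit_listener(kind, s):
    """Return a list of findings for one Listener; kind is 'admin', 'ldap' or 'http'."""
    findings = []
    name = s.get("Name", "<unnamed>")
    host = s.get("Host", "0.0.0.0")
    ssl = bool(s.get("SSLEnabled", False))

    if is_loopback(host):
        findings.append(f"{name}: Host {host!r} is a loopback address; the guide says not to use one")

    # Transport protection
    if not ssl:
        if kind == "admin":
            findings.append(f"{name}: Admin Listener without SSL exposes near-root management traffic")
        elif kind == "ldap" and not s.get("AllowStartTLS", False):
            findings.append(f"{name}: cleartext LDAP with StartTLS disabled; simple binds send passwords in the clear")
        if s.get("Protocol") in ("LDAPS", "HTTPS"):
            findings.append(f"{name}: Protocol {s['Protocol']} but SSLEnabled is false")
    else:
        versions = list(s.get("SSLVersions") or [])
        if "SSLv3" in versions:
            findings.append(f"{name}: SSLv3 enabled; it is obsolete and vulnerable to downgrade attacks")
        if versions and set(versions) == {"SSLv2Hello"}:
            findings.append(f"{name}: SSLv2Hello cannot be specified alone")
        if s.get("AuthenticationType") == "None":
            findings.append(f"{name}: SSL No-Authentication mode; clients cannot verify the server")
        for suite in s.get("Ciphers") or []:
            if ANON_SUITE_MARKER in suite:
                findings.append(f"{name}: {suite} performs no server authentication")
            elif any(m in suite for m in WEAK_SUITE_MARKERS):
                findings.append(f"{name}: {suite} uses a weak cipher")

    # Authentication policy
    if kind == "ldap" and s.get("AnonymousBind") == "Allow":
        findings.append(f"{name}: AnonymousBind=Allow accepts an empty password for a non-empty DN; use DenyDNOnly or Deny")
    if kind == "http" and s.get("WebgatewayAllowAnon", False):
        findings.append(f"{name}: WebgatewayAllowAnon is true; the Web Gateway serves unauthenticated requests")
    return findings


# Constructed sample configuration (not exported from a real instance).
SAMPLE_LISTENERS = {
    "admin": {
        "Name": "Admin Gateway", "Host": "0.0.0.0", "Port": 8899, "Protocol": "HTTPS",
        "SSLEnabled": True, "AuthenticationType": "Server",
        "SSLVersions": ["TLSv1", "SSLv3"],
        "Ciphers": ["SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    },
    "ldap": {
        "Name": "LDAP Endpoint", "Host": "127.0.0.1", "Port": 6501, "Protocol": "LDAP",
        "SSLEnabled": False, "AllowStartTLS": False, "AnonymousBind": "Allow",
    },
    "http": {
        "Name": "HTTP Endpoint", "Host": "0.0.0.0", "Port": 8080, "Protocol": "HTTPS",
        "SSLEnabled": True, "AuthenticationType": "Server", "SSLVersions": ["TLSv1"],
        "Ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"],
        "WebgatewayAllowAnon": False,
    },
}


def audit_all(listeners=SAMPLE_LISTENERS):
    """Audit every Listener; returns {kind: [findings]}."""
    return {kind: audit_listener(kind, cfg) for kind, cfg in listeners.items()}


if __name__ == "__main__":
    for kind, findings in audit_all().items():
        print(f"[{kind}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

With the sample data the Admin Listener is flagged twice (SSLv3 and an RC4 suite), the LDAP Listener three times (loopback Host, cleartext LDAP without StartTLS, AnonymousBind=Allow) and the HTTP Listener not at all. To run it against a real instance, populate the dictionaries from the values WLST reports for each Listener MBean.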

11.5.2 Deleting Listeners

You can use WLST to delete an existing Listener as follows:

1. Launch the WLST command line tool shell.

2. Connect to the WebLogic Admin Server. For example:

   connect('username', 'password', 't3://host_name:Admin_Server_Port')

   Passing the password on the command line leaves it in the shell history and the WLST session log. For scripted use, store the credentials once with storeUserConfig() and connect with the userConfigFile and userKeyFile arguments instead.

3. Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:

   custom()
   cd('oracle.as.management.mbeans.register')
   cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
   invoke('load', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))

4. Move to the Oracle Virtual Directory Listeners configuration MBean. For example:

   cd('../..')
   cd('oracle.as.ovd')
   cd('oracle.as.ovd:type=component.Listenersconfig,name=Listenersconfig,instance=asinst1,component=ovd1')

5. Delete the appropriate Listener, for example, the Listener named test1, as follows:

   invoke('deleteListener', jarray.array([java.lang.String('test1')], java.lang.Object), jarray.array(['java.lang.String'], java.lang.String))

6. Save the changes and then refresh the MBean. For example:

   cd('../..')
   cd('oracle.as.management.mbeans.register')
   cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
   invoke('save', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))
   invoke('load', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))

7. Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.

Note: You must explicitly stop and start Oracle Virtual Directory, not Restart, to load the Listener configuration into the Oracle Virtual Directory server.

11.6 Securing Listeners with SSL

This topic explains how to secure Oracle Virtual Directory Listeners using SSL and contains the following sections: ■ Configuring SSL for Listeners Using Fusion Middleware Control ■ Configuring SSL for Listeners Using WLST ■ Validating the SSL Connection

11.6.1 Configuring SSL for Listeners Using Fusion Middleware Control

Perform the following steps to secure Oracle Virtual Directory Listeners with SSL using Oracle Enterprise Manager Fusion Middleware Control.

Note: The following information describes SSL configuration for a single component. If you are configuring SSL for multiple components, you can use the Oracle SSL Automation Tool, which enables you to configure SSL for multiple components using a domain-specific CA. Refer to the Oracle Fusion Middleware Administrator's Guide for complete information about the Oracle SSL Automation Tool.

Note: If you are configuring the Listener for SSL No-Auth mode, do not perform step 2 and steps 3e through 3h in the following procedure.

See Also: The information about enabling SSL for Oracle Virtual Directory Listeners in the Oracle Fusion Middleware Administrator's Guide.

1. Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target of the Listener you want to secure with SSL.

2. Create a keystore if one does not already exist by selecting Security and then Keystores from the Oracle Virtual Directory menu. The Java Keystore screen appears. Refer to the information about creating a keystore using Oracle Enterprise Manager in the Oracle Fusion Middleware Administrator's Guide for additional information.

3. Configure the Listener by performing the following steps:

   a. Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.

   b. Select the Listener you want to secure with SSL by clicking on it and then click the Edit button. The Edit Listener: Listener Name screen appears.

   c. Click the Change SSL Settings link.

   d. Click the Enable SSL option to enable SSL on the Listener. If you are configuring the Listener for SSL No-Auth mode, skip to step i now.

   e. Select the keystore you want to use from the Server Keystore Name field.

   f. Enter the password for the keystore in the Server Keystore Password field.

   Note: The password for the keystore that is created during the Oracle Virtual Directory installation is the same as the password set for the Oracle Virtual Directory administrator during installation. Changing one of these passwords after installation does not change the other.

   g. Select the truststore you want to use from the Server Truststore Name field.

   h. Enter the password for the truststore in the Server Truststore Password field.

   i. Click and expand the Advanced SSL Setting option.

   j. Select one of the following authentication modes for the Listener from the Client Authentication field.

Note: If you select a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics. To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:

1. Export the Oracle Virtual Directory server certificate by executing the following command:

   ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
     -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
     -alias OVD_SERVER_CERT_ALIAS -rfc \
     -file OVD_SERVER_CERT_FILE

2. Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet by executing the following command:

   ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
     ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
     -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD

   Only the server's own certificate (exported with -rfc as PEM) is added as a trusted certificate; the private key never leaves the Oracle Virtual Directory keystore. Both commands take the keystore and wallet passwords as arguments, so run them from a session whose history is not persisted or clear the entries afterwards.