Monday, August 3, 2015

How to configure SSL for Admin server when configured multiple authenticators

Symptoms:

We get the following errors after enabling the SSL port and disabling the non-SSL port for the Admin Server, when trying to check in a document in WCC:

<oracle.ods.virtualization.engine.backend.jndi.DefaultAuthenticator.BackendJNDI> <LIBOVD-60143> <[#DefaultAuthenticator]  Unable to create connection to ldap://[localhost]:7002 as null.
javax.naming.CommunicationException: simple bind failed: localhost:7002 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)

Cause: 

When the Admin Server is configured to communicate over SSL, defaultLDAP is automatically configured to communicate over the SSL protocol (LDAPS) as well. With multiple authenticators, where one of them is configured to communicate over SSL, the corresponding LDAP server's root certificate must be placed in an additional keystore used by the virtualization (LibOVD) functionality; otherwise the application is unable to establish a connection with defaultLDAP (ldaps://localhost:7002), which is what the "trustAnchors parameter must be non-empty" exception above reports.

Solution:
Prerequisites: Before completing this task, make sure of the following:
  • The custom property called virtualize is configured and set to true.
  • The Admin Server SSL port is not enabled. (*)
  • The managed servers are down.

Steps:

    1. Create the keystore:
       a. Set the environment variables ORACLE_HOME, WL_HOME and JAVA_HOME:

          export ORACLE_HOME=/u01/app/oracle/product/middleware/WC1
          export WL_HOME=/u01/app/oracle/product/middleware/wlserver_10.3
          export JAVA_HOME=/u01/app/jdk1.7.0_65/

       b. Set up the keystore by running libovdconfig.sh with the -createKeystore option.
          Open a shell prompt, change directory to <MW_HOME>/oracle_common/bin and run the following command:

          ./libovdconfig.sh -host <AdminServerHostName> -port 7001 -userName weblogic -domainPath <DomainPath> -createKeystore
          Enter AdminServer password: [Enter the weblogic password]
          Enter OVD Keystore password: [Enter a new password to secure the keystore file]

          Once this command completes, two new credentials appear in the Credential Store and a new keystore file called adapters.jks is created under <DOMAIN_HOME>/config/fmwconfig/ovd/default/keystores.
    2. Export the root certificate from the Admin Server SSL certificate or from the LDAP directory.
    3. Import the root certificate into the libOVD keystore using the keytool command:

       $JAVA_HOME/bin/keytool -import -keystore adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Admin Server Certificate filename>

    4. Enable the SSL port and disable the non-SSL port of the Admin Server. (*)
    5. Restart the Admin Server and start all the managed servers.

    * This step is not needed when we are only configuring multiple authenticators where the non-defaultLDAP authenticator (AD/OID) is the one communicating over SSL.
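As an added example (not code from the original post or from Oracle's guide), the following script performs the export and import steps above: it pulls the certificate chain from the Admin Server SSL port with openssl, keeps the top-most issuer certificate, imports it into adapters.jks with keytool and lists the alias to confirm the keystore is no longer empty. The host, port, keystore path, store password and the alias adminserver-root are placeholder arguments, and the sample transcript at the bottom is constructed.

```shell
# Added example (not from the original post or Oracle): fetch the chain the
# Admin Server presents on its SSL port, keep its top-most issuer certificate,
# import it into the LibOVD adapters.jks and confirm the alias is present.
# Assumed: openssl and $JAVA_HOME/bin/keytool exist on this host; the alias
# "adminserver-root" and all positional arguments are placeholders.
# Keep only the last PEM block from an `openssl s_client -showcerts` transcript
# on stdin: the leaf comes first, issuers follow, so the last block is the
# highest issuer sent. Caveat: servers often omit the self-signed root; if the
# last block's Issuer is not its own Subject, obtain the root from the CA instead.
extract_last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; collecting = 1 }
         collecting { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { collecting = 0; last = buf }
         END { printf "%s", last }'
}

# Count PEM certificate blocks on stdin (0: port down, or not speaking TLS).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Pull the chain from host:port, import the issuer, then list the alias. An
# adapters.jks with no trusted entry is exactly what yields "the trustAnchors
# parameter must be non-empty" in the stack trace above.
install_root_cert() {
    host=$1; port=$2; keystore=$3; storepass=$4; alias=${5:-adminserver-root}
    chain=$(openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null)
    n=$(printf '%s\n' "$chain" | count_certs)
    [ "$n" -gt 0 ] || { echo "no certificates received from $host:$port" >&2; return 1; }
    pem=$(mktemp)
    printf '%s\n' "$chain" | extract_last_cert > "$pem"
    "$JAVA_HOME/bin/keytool" -importcert -noprompt -keystore "$keystore" \
        -storepass "$storepass" -alias "$alias" -file "$pem"
    rm -f "$pem"
    "$JAVA_HOME/bin/keytool" -list -keystore "$keystore" -storepass "$storepass" -alias "$alias"
}
# Constructed s_client -showcerts transcript (leaf, then issuer); the bodies
# are placeholders, not real certificates.
SAMPLE_CHAIN='Certificate chain
 0 s:CN=adminserver.example.com  i:CN=Example Internal CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:CN=Example Internal CA  i:CN=Example Internal CA
-----BEGIN CERTIFICATE-----
ISSUER-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----'
# Usage: sh this_script.sh <host> <ssl-port> <path/to/adapters.jks> <storepass> [alias]
if [ "$#" -ge 4 ]; then install_root_cert "$@"; fi
```

Run it only after step 1 has created adapters.jks, and point it at the SSL port the Admin Server will listen on (7002 in the stack trace above).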

    Reference: the above steps are documented in the Oracle BI Security Guide: http://docs.oracle.com/cd/E21764_01/bi.1111/e10543/ssl.htm#BIESC6078