Oracle Certificate Authority: Configure a wallet for mutual (Client and Server) Authentication

In this lesson you will learn how to issue a server certificate with OCA and create a wallet using this certificate for mutual authentication using Oracle Wallet Manager. Our test case scenario will be to create a wallet that will be used to communicate between Oracle Internet Directory and Microsoft Active Directory in SSL mutual authentication mode.

Creating a wallet

Requesting a certificate

Step 1. Start the Oracle Wallet Manager. Example:

    # owm

Step 2. From the "Wallet" menu in Oracle Wallet Manager, select "New". If you get a message indicating that your default wallet directory does not exist and asking whether you want to continue, select "Yes".
Step 3. Enter a password for the new wallet. Remember this password, as you will need it later.
Step 4. When prompted to create a certificate request, select "Yes".
Step 5. Fill in the Certificate Request Form.
Step 6. From the "Operations" menu, select "Export Certificate Request".
Step 7. Select the file name and location for the Certificate Request.

Processing the certificate request

In this exercise we will move the certificate request from the server to a PC using ftp. Then, using the Oracle Certificate Authority, we will process the request and send the new certificate back to the server.

Step 1. Move the certificate request file to your PC.
Step 2. Process the request in OCA.
Step 3. Get your new certificate request approved.
Step 4. Copy your new certificate to a file.
Step 5. Copy the OCA Root certificate to a file.
Step 6. Move both the new certificate and the OCA Root certificate back to the server.

Exporting your MS AD Root certificate

We will also need to import the AD Root certificate into your wallet. Follow these steps to get your AD Root certificate.

Step 1. Find your AD Root certificate file and open it.
Step 2. Select the "Details" tab.
Step 3. Select the "Copy to File" button.
Step 4. When the Certificate Export Wizard comes up, it will ask you what file format you want. Select "Base-64 encoded X509".
Step 5. Give your certificate a name.
Step 6. Move your new file back to the OID server.

Importing your new certificate and Trust Point into your wallet

The next steps will complete the wallet and test it to make sure it is working.

Step 1. The Root Certificate issued by the Oracle Certificate Authority must be imported into the wallet before the user certificate. From the "Operations" menu in Oracle Wallet Manager, select "Import Trusted Certificate".
Step 2. Navigate to the directory where your OCA Root Certificate is located and select the OCA Root certificate file. After this you should see the new trusted certificate in the "Trusted Certificate" tree.
Step 3. From the "Operations" menu in Oracle Wallet Manager, select "Import User Certificate".
Step 4. Navigate to the directory where your new user certificate is located and select the user certificate file. After this you should see the certificate status change from "Requested" to "Ready".
Step 5. The Root Certificate from the AD server must also be imported into the wallet. From the "Operations" menu, select "Import Trusted Certificate".
Step 6. Navigate to the directory where your AD Root Certificate is located and select the AD Root certificate file. After this you should see another new trusted certificate in the "Trusted Certificate" tree.
Step 7. From the "Wallet" menu, select "Auto Login".
Step 8. Save the wallet to a file.
Step 9. Test your new wallet.

The following is a sample test command you can use to verify that you are able to bind to the AD server's SSL port from the OID server side:

    ldapbind -p 636 -h 138.1.145.160 -U 2 -P wallet_password -W file:/u01

In this example the wallet file is called ewallet.p12 and is located in the /u01 directory. Note that in the command you only give the name of the directory where the wallet is located, not the wallet file name itself.