If you have ever configured AD or another LDAP authentication provider for your WebCenter, SOA or BPM Suite and decided to follow the best practice of securing the LDAP traffic with SSL, you will most probably run into problems connecting to LDAPS at some point.
You might see these errors in your log file:
Caused By: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The problem is that even if you have imported your LDAP or AD server's root and intermediate CAs into either JKS (11g) or KSS (12c), one additional step is needed: creating the keystore for libOVD, which is used for identity provider virtualization (once you set "virtualize=true" in the domain security provider setup).
To get the problem solved you need to perform two steps:
1. Run libovdconfig.sh, which creates the adapters.jks for libOVD
2. Import the needed CA certificates into this adapters.jks
Detailed steps are described below.
For step 1 (a 12c installation is used as the sample here; the same applies to 11g, with slightly different subdirectory names for Oracle Home and WL Home):
cd /u01/app/oracle/product/fmw12c/oracle_common/bin/
export ORACLE_HOME=/u01/app/oracle/product/fmw12c/soa
export WL_HOME=/u01/app/oracle/product/fmw12c/wlserver
export JAVA_HOME=/usr/java/latest
./libovdconfig.sh -host myhost.com -port 7001 -userName weblogic -domainPath /u01/app/oracle/admin/BPMDEV_Domain/mserver/BPMDEV_Domain -createKeystore
Once the keystore is created, proceed to step 2:
cd /u01/app/oracle/admin/BPMDEV_Domain/mserver/BPMDEV_Domain/config/fmwconfig/ovd/default/keystores
/usr/java/latest/bin/keytool -import -file mycacertificate.der -keystore adapters.jks -trustcacerts -alias ldap.myhost.com
Enter keystore password: ********
Certificate already exists in system-wide CA keystore under alias <ldap.myhost.com>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore
After these steps, restart the managed servers and you are good to go.
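Before restarting, it is worth confirming that adapters.jks really contains every CA entry the LDAPS chain needs, since a missing intermediate produces the same "trustAnchors parameter must be non-empty" failure. The following script is an added example, not part of the original post; the domain path, keytool path, store password and alias names are assumptions, and the sample keytool listing is constructed.

```shell
#!/bin/sh
# Added example: check that libOVD's adapters.jks holds every required CA alias
# before the managed servers are restarted. Paths, password, aliases are assumptions.
DOMAIN_HOME=${DOMAIN_HOME:-/u01/app/oracle/admin/BPMDEV_Domain/mserver/BPMDEV_Domain}
ADAPTERS_JKS="$DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks"
KEYTOOL=${KEYTOOL:-/usr/java/latest/bin/keytool}

# Constructed sample of `keytool -list` output, used for offline testing.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

ldap.myhost.com, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC
root-ca, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:EE:FF'

# Print the alias of every trustedCertEntry in a keytool listing ($1).
# The date field itself contains a comma, so split on ", " and keep field 1.
list_trusted_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/trustedCertEntry/ { print $1 }'
}

# Print each required alias ($2..) that is absent from listing $1.
missing_aliases() {
    listing=$1; shift
    have=$(list_trusted_aliases "$listing")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Live check: read the real adapters.jks and report missing CA aliases.
# Returns 0 when complete, 1 when entries are missing, 2 if the store is unreadable.
check_adapters_keystore() {
    storepass=$1; shift
    listing=$("$KEYTOOL" -list -keystore "$ADAPTERS_JKS" -storepass "$storepass" 2>/dev/null) || {
        echo "cannot read $ADAPTERS_JKS; run libovdconfig.sh -createKeystore first" >&2
        return 2
    }
    gaps=$(missing_aliases "$listing" "$@")
    [ -z "$gaps" ] && return 0
    echo "adapters.jks is missing CA entries:" $gaps >&2
    return 1
}

# Usage (assumed password variable): check_adapters_keystore "$ADAPTERS_STOREPASS" ldap.myhost.com root-ca
```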