Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-01
Oracle Directory Services Manager is integrated with the Credential Store Framework (CSF), a secure storage framework provided by Oracle. This appendix explains how to manage ODSM's credentials.
ODSM creates a Java Key Store (JKS) file and assigns a random password to the JKS the first time ODSM is used. The JKS file has the name odsm.cer. It resides in a directory with a name of the form:

DOMAIN_HOME/servers/managed_server_name_where_odsm_is_deployed/tmp/_WL_user/odsm_11.1.1.1.0/random_number/war/conf
ODSM stores this random password in CSF. The WebLogic server administrator can retrieve the Java Key Store password stored in CSF. ODSM also generates a self-signed certificate for itself and stores it in the JKS. The only purpose for this keystore is to store backend CA certificates.
See Also:
The chapter on configuring the credential store in Oracle Fusion Middleware Security Guide for more information about CSF.
Java™ Cryptography Architecture API Specification & Reference, at http://java.sun.com
keytool - Key and Certificate Management Tool, at http://java.sun.com
To manage ODSM's JKS, you must first retrieve ODSM's JKS password. The WebLogic administrator can retrieve it using the wlst command, as follows:

$ java -classpath weblogic.WLST -i listCred.py -map ODSMMap -key "ODSMKey.Wallet"
Initializing WebLogic Scripting Tool (WLST) ...
Type help() for help on available commands
{map=ODSMMap, key=ODSMKey.Wallet}
Please enter your username [weblogic] : weblogic
Please enter your password [weblogic] : password
Please enter your server URL [t3://localhost:7001] : t3://myhost:7001
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.
Password is XDDFDFDD.
After you retrieve the Key Store password, you can manage it using the keytool command.
To list the contents of odsm.cer, proceed as follows:

cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer \
    -storepass password_obtained_from_CSF
For example:
$ cd /serverhome/user projects/domains/mydomain/servers/myserver/tmp/_WL_user/odsm_11.1.1.1.0/29840238030296/war/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
    MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
    SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry
Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
    MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
    SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
Signature algorithm name: MD5withRSA
Version: 1

*******************************************
*******************************************
To delete trusted certificates in odsm.cer:

cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer -storepass password_obtained_from_CSF \
    -alias "cn=rootca, o=oracle, c=us (0)"
For example:

$> JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
    -storepass "&M)S86)/RB" -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]
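As an added example (not part of the Oracle documentation), the following Python script parses keytool -list -v output in the shape shown above, picks out trustedCertEntry items whose validity has already ended, and builds the matching keytool -delete commands for odsm.cer. The sample listing, its aliases and dates, and the ODSM_STOREPASS environment variable are constructed for this example.

```python
"""Flag expired trusted CA entries in ODSM's odsm.cer from 'keytool -list -v' output."""
import re
from datetime import datetime

# Constructed sample in the shape keytool -list -v prints; aliases and dates are made up
# and the Owner/Issuer/fingerprint lines are omitted for brevity.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: serverselfsigned
Entry type: PrivateKeyEntry
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
*******************************************
Alias name: cn=oldca, o=example, c=us (0)
Entry type: trustedCertEntry
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2011
*******************************************
Alias name: cn=rootca, o=example, c=us (0)
Entry type: trustedCertEntry
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
"""

# keytool prints a zone abbreviation (PST/PDT) that strptime cannot parse portably, so the
# pattern captures the date/time and the year and drops the zone (day granularity suffices).
UNTIL_RE = re.compile(r"until:\s+(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")

def parse_entries(listing):
    """Return [(alias, entry_type, not_after)] for every entry in a keytool -v listing."""
    entries = []
    for block in listing.split("Alias name:")[1:]:
        alias = block.splitlines()[0].strip()
        type_m = re.search(r"Entry type:\s*(\S+)", block)
        until_m = UNTIL_RE.search(block)
        if not (type_m and until_m):
            continue  # truncated or unexpected entry: skip rather than guess
        not_after = datetime.strptime(" ".join(until_m.groups()), "%a %b %d %H:%M:%S %Y")
        entries.append((alias, type_m.group(1), not_after))
    return entries

def expired_trusted_aliases(listing, now=None):
    """Aliases of trustedCertEntry items that expired before `now`; ODSM's own self-signed
    PrivateKeyEntry is never selected, even when it has expired."""
    now = now or datetime.now()
    return [a for a, kind, exp in parse_entries(listing) if kind == "trustedCertEntry" and exp < now]

def delete_commands(listing, now=None):
    """One keytool -delete per expired trusted CA; the CSF-retrieved password is read from
    the ODSM_STOREPASS environment variable rather than being written into the command."""
    return ['JAVA_HOME/bin/keytool -delete -keystore odsm.cer -storepass "$ODSM_STOREPASS" '
            f'-alias "{alias}"' for alias in expired_trusted_aliases(listing, now)]
```

Review the generated commands before running them, since keytool -delete removes the entry immediately and stores the keystore without a confirmation prompt.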