O Oracle Directory Services Manager Keystore Management

O.1 ODSM's Key Store

ODSM creates a Java Key Store (JKS) file and assigns a random password to the JKS the first time ODSM is used. The JKS file has the name odsm.cer. It resides in a directory with a name of the form:

DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf

ODSM stores this random password in CSF. The WebLogic server administrator can retrieve the Java Key Store password stored in CSF. ODSM also generates a self-signed certificate for itself and stores it in the JKS.

O.2 Retrieving ODSM's Java Key Store Password

To manage ODSM's JKS, you must first retrieve ODSM's JKS password. The WebLogic administrator can retrieve it using the wlst command, as follows:

$ORACLE_COMMON_HOME/common/bin/wlst.sh
connect()
listCred( map="ODSMMap", key="ODSMKey.Wallet" )

After the connect() command, you will be prompted for your WebLogic username and password, and for the server URL. An example server URL is t3://hostname:7001.

O.3 Listing the Contents of odsm.cer Java Key Store

After you retrieve the Key Store password, you can manage it using the keytool command.

To list contents of odsm.cer, proceed as follows:

cd directory_where_odsm.cer_resides
JAVA_HOME/bin/keytool -list -keystore odsm.cer \
   -storepass password_obtained_from_CSF 

For example:

$ cd DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/odsm/conf
$ JAVA_HOME/bin/keytool -list -keystore odsm.cer -storepass "&M)S86)/RB" -v


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: serverselfsigned
Creation date: Dec 26, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Issuer: CN=OVD, OU=Development, O=Oracle, L=Redwood Shores, ST=California, C=US
Serial number: 495586b6
Valid from: Fri Dec 26 17:36:54 PST 2008 until: Wed Jun 24 18:36:54 PDT 2009
Certificate fingerprints:
         MD5:  6C:11:16:F3:88:8D:18:67:35:1E:16:5B:3E:03:8A:93
         SHA1: F4:91:39:AE:8B:AC:46:B8:5D:CB:D9:A4:65:BE:D2:75:08:17:DF:D0
         Signature algorithm name: SHA1withRSA         Version: 3


*******************************************
*******************************************

Alias name: cn=rootca, o=oracle, c=us (0)
Creation date: Dec 31, 2008
Entry type: trustedCertEntry

Owner: CN=RootCA, O=Oracle, C=US
Issuer: CN=RootCA, O=Oracle, C=US
Serial number: 0
Valid from: Tue Dec 30 02:33:11 PST 2008 until: Mon Jan 24 02:33:11 PST 2050
Certificate fingerprints:
         MD5:  72:31:7B:24:C9:72:E3:90:37:38:68:40:79:D1:0B:4B
         SHA1: D2:17:84:1E:19:23:02:05:61:42:A9:F4:16:C8:93:84:E8:20:02:FF
         Signature algorithm name: MD5withRSA
         Version: 1


*******************************************
*******************************************

O.4 Deleting the Trusted Certificate

To delete trusted certificates in odsm.cer:

cd directory_where_odsm.cer_is_present
JAVA_HOME/bin/keytool -delete -keystore odsm.cer 
-storepass password_obtained_from_CSF -alias "cn=rootca, o=oracle, c=us (0)"

For example

$> JAVA_HOME/bin/keytool -delete -keystore odsm.cer \
   -storepass  "&M)S86)/RB"  -alias "cn=rootca, o=oracle, c=us (0)"
[Storing odsm.cer]

O.5 Expired Certificates Management

ODSM does not provide a web-based user interface for managing expired certificates. You must use keytool to find expired certificates and delete them. To find expired certificates, you must list the content of odsm.cer as described in "Listing the Contents of odsm.cer Java Key Store". The keytool lists the validity of certificates, enabling you to find all expired certificates. Delete the expired certificates as described in "Deleting the Trusted Certificate".