Oracle® Fusion Middleware Administrator's Guide for Oracle Virtual Directory 11g Release 1 (11.1.1) Part Number E10046-04 |
This chapter explains how to create Oracle Virtual Directory Listeners and includes the following topics:
Understanding the Default Oracle Virtual Directory Listeners
Configuring Oracle Virtual Directory to Listen on Privileged Ports
Creating and Managing Listeners Using Fusion Middleware Control
Oracle Virtual Directory provides services to clients through connections known as Listeners. Oracle Virtual Directory supports the following two types of Listeners:
LDAP: provides LDAPv2/v3 based services
HTTP: provides one or more services such as DSMLv2, or basic white page functions provided by an XSLT enabled Web Gateway
An Oracle Virtual Directory configuration can have any number of Listeners, or even zero Listeners, which restricts access to the administrative gateway only. Most Oracle Virtual Directory deployments need no more than two HTTP Listeners and two LDAP Listeners: for each protocol, one Listener for SSL and one for non-SSL.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load Listener configurations to the Oracle Virtual Directory server. This includes after creating, updating, or deleting a Listener.
Oracle Virtual Directory includes two Listeners by default: an HTTP Listener named Admin Gateway and an LDAP Listener named LDAP SSL Endpoint.
Admin Gateway
The HTTP Listener named Admin Gateway is the interface the Oracle Virtual Directory server uses to communicate with the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. You cannot communicate with the Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces if you disable the Admin Gateway Listener. Refer to "Editing the Oracle Virtual Directory Administrative Listener Settings" for more information about editing the Oracle Virtual Directory Administrative Listener settings.
LDAP SSL Endpoint
The LDAP Listener named LDAP SSL Endpoint is the interface Oracle Virtual Directory uses to provide performance metrics in Oracle Enterprise Manager Fusion Middleware Control. LDAP SSL Endpoint should always be enabled and secured using SSL Server Authentication. Do not delete or disable LDAP SSL Endpoint. If you need an LDAP Listener that is secured using a different SSL mode, create a new Listener using Oracle Enterprise Manager Fusion Middleware Control.
The communication between Oracle Virtual Directory and Oracle Enterprise Manager Fusion Middleware Control will be disrupted if you edit any of the following settings for the default Listeners (Admin Gateway and LDAP SSL Endpoint):
Listener Host
Listener Port
Enable / Disable SSL
If you edit any of these settings for the default Listeners, you must update the Oracle Enterprise Manager Fusion Middleware Control target discovery information so Oracle Virtual Directory and Oracle Enterprise Manager Fusion Middleware Control can communicate.
To update the Oracle Enterprise Manager Fusion Middleware Control target discovery information, perform the following steps:
Log in to Oracle Enterprise Manager Fusion Middleware Control.
Right-click the Farm entry in the navigation tree and select Agent-Monitored Targets. The Agent-Monitored Targets screen appears.
Click the Configure button for the appropriate Oracle Virtual Directory target in the Targets table. The Configure Target page appears.
Update the following settings according to your current Oracle Virtual Directory environment and click OK at the top of the Configure Target page:
Machine name
Virtual Directory Admin Port
Virtual Directory LDAP Port
See Also:
The Troubleshooting appendix of the Oracle Fusion Middleware Administrator's Guide.
Perform the following steps to enable Oracle Virtual Directory 11g Release 1 (11.1.1.2.0) and higher on UNIX/Linux platforms to listen on privileged ports, that is, port numbers less than 1024:
As the same user that installed Oracle Virtual Directory, create the cap.ora file. The file contains one line, the primary group of that user followed by the bind capability:
echo `id -ng`: bind > /tmp/cap.ora
Using the Oracle Process Manager and Notification Server (OPMN) control command, stop all components:
$ORACLE_INSTANCE/bin/opmnctl stopall
Change to root user permissions:
su root
Update the ORACLE_HOME/bin/hasbind file by performing the following steps:
Change ownership of the file to root:
chown root $ORACLE_HOME/bin/hasbind
Change the permissions on the file as follows (this makes hasbind a setuid-root binary):
chmod 4755 $ORACLE_HOME/bin/hasbind
Copy the cap.ora file you created in step 1 to the /etc/ directory:
cp /tmp/cap.ora /etc/cap.ora
Change the permissions on the /etc/cap.ora file as follows:
chmod 644 /etc/cap.ora
As the same user that installed Oracle Virtual Directory, start Oracle Virtual Directory and enable it to listen on privileged ports by using the following command:
$ORACLE_HOME/bin/hasocket $ORACLE_INSTANCE/bin/opmnctl startall
Note:
To enable Oracle Virtual Directory to listen on privileged ports, you must start it using only this command.
After performing the steps in this procedure, Oracle Virtual Directory listeners can listen on privileged ports. You can create new listeners and enter privileged port numbers, or edit existing listeners to use privileged port numbers.
Because hasbind now runs with root privileges, /etc/cap.ora is the only thing limiting who may use it: keep the file owned by root and writable by nobody else (the chmod 644 above), and grant the bind capability only to the group of the installing user. A user who can edit cap.ora can grant the capability to a group of their own choosing.
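The following script is an added example, not something shipped with Oracle Virtual Directory: it audits the state the procedure above leaves behind, namely hasbind owned by root with mode 4755, and /etc/cap.ora owned by root, mode 644, granting bind only to the installing user's group (the value `id -ng` printed in step 1). The file paths and the group name are parameters; the root_uid parameter exists only so the check can be exercised against a fixture that is not root-owned, and in production it stays 0.

```python
import os
import stat

# Expected state after the procedure above (assumption: UNIX/Linux file modes).
HASBIND_MODE = 0o4755  # setuid root, world-executable
CAP_ORA_MODE = 0o644   # root-owned, not writable by group or others


def parse_cap_ora(text):
    """Return {group: [capabilities]} from cap.ora lines of the form 'group: cap1 cap2'.

    Blank lines and '#' comments are ignored. The format is what the echo command
    in step 1 produces ('<group>: bind'); anything without a colon is malformed.
    """
    grants = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed cap.ora line: %r" % raw)
        group, caps = line.split(":", 1)
        grants.setdefault(group.strip(), []).extend(caps.split())
    return grants


def audit_privileged_port_setup(hasbind_path, cap_ora_path, ovd_group, root_uid=0):
    """Return a list of findings; an empty list means the setup matches the procedure.

    ovd_group is the primary group of the user that installed Oracle Virtual Directory.
    root_uid is parameterised only so the check can run against a test fixture.
    """
    findings = []

    st = os.stat(hasbind_path)
    hb_mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != root_uid:
        findings.append("hasbind is not owned by uid %d" % root_uid)
    if hb_mode != HASBIND_MODE:
        findings.append("hasbind mode is %o, expected %o" % (hb_mode, HASBIND_MODE))

    st = os.stat(cap_ora_path)
    co_mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != root_uid:
        findings.append("cap.ora is not owned by uid %d" % root_uid)
    if co_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Anyone who can write cap.ora can grant their own group the bind capability.
        findings.append("cap.ora is writable by group or others (mode %o)" % co_mode)
    if co_mode != CAP_ORA_MODE:
        findings.append("cap.ora mode is %o, expected %o" % (co_mode, CAP_ORA_MODE))

    with open(cap_ora_path) as fh:
        grants = parse_cap_ora(fh.read())
    if "bind" not in grants.get(ovd_group, []):
        findings.append("cap.ora does not grant 'bind' to group %r" % ovd_group)
    extra = sorted(g for g, caps in grants.items() if g != ovd_group and "bind" in caps)
    if extra:
        findings.append("cap.ora also grants 'bind' to other groups: %s" % ", ".join(extra))

    return findings


if __name__ == "__main__":
    import sys
    # Usage: audit.py $ORACLE_HOME/bin/hasbind /etc/cap.ora <group>
    for finding in audit_privileged_port_setup(sys.argv[1], sys.argv[2], sys.argv[3]):
        print(finding)
```

Run it after the final opmnctl startall; a non-empty result means either the procedure was not completed or someone has since loosened the permissions on the setuid wrapper or its capability file.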
This topic explains how to create and manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:
Perform the following steps to create an LDAP Listener using Oracle Enterprise Manager Fusion Middleware Control. Typically, when running secure and non-secure LDAP, there are at least two Listeners configured; one for regular LDAP (default port is 6501) and one for secure LDAP using SSL (default port is 7501).
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the LDAP Listener.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Click the Create button. The Add Listener screen appears.
Select LDAP from the Listener Type list and set values for the LDAP Listener configuration parameters as described in Table 11-1:
Table 11-1 LDAP Listener Configuration Parameters
Type | Parameter | Description |
---|---|---|
Basic | Listener Name | Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported. |
Basic | Listener Host | Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter. If you set this parameter to an IP address or host, the Listener will use that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real. Note: Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Listener Host setting. |
Basic | Listener Port | The port number the Listener will provide service on. Only one Listener per server can be active on a port at any given time. If Oracle Virtual Directory is installed on the same server as an existing directory server, for example, an Active Directory domain controller, enter a port that will not conflict with the existing service. |
Basic | Threads | The number of active worker threads the Listener will use to concurrently process incoming requests. The Listener will automatically increase the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can pre-allocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50. |
Basic | Listener Enabled | Enables (selected) and disables (not selected) the Listener for service. |
LDAP Options | Anonymous Bind | Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Allow will allow anonymous authentication; Deny will prevent anonymous operations; and DenyDNOnly will prevent empty password authentication. Note: A bind request that carries a non-empty DN and an empty password is an unauthenticated bind. Earlier LDAP specifications had servers treat it as a successful anonymous bind, and RFC 4513 (section 5.1.2) now recommends that servers reject it by default. An application that authenticates users by binding with the supplied password and treating any successful bind as proof of identity would otherwise let a user log in without entering a password. Most LDAP-enabled applications guard against this themselves; DenyDNOnly closes the gap on the server side as an extra safeguard. |
LDAP Options | Work Queue Capacity | Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a DSA is busy error. The default value is 1024. |
LDAP Options | Allow StartTLS | Determines whether or not LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. |
Socket Options | Backlog | Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. Default setting is 128. |
Socket Options | Read Timeout | Enables and disables tolerance for idle client connections with the specified timeout period in milliseconds. If set to a non-zero time, client connections to the Oracle Virtual Directory server can remain idle only for the set amount of time. If the connection is idle for a period longer than the specified time, the client connection is terminated. A value of zero is considered an infinite timeout. The default value is 0, which lets idle clients hold their connections, and the server resources behind them, indefinitely. |
Socket Options | Reuse Address | Determines whether or not the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused. |
Socket Options | TCP Keep Alive | Determines whether or not the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. |
Socket Options | TCP No Delay | Determines whether or not the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. |
Click the OK button on the Add Listener screen to save the LDAP Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
Perform the following steps to create an HTTP Listener using Oracle Enterprise Manager Fusion Middleware Control:
See:
Appendix C, "HTTP Listener's Web Gateway Service" for more information about the HTTP Listener's Web Gateway settings.
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where you want to create the HTTP Listener.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Click the Create button. The Add Listener screen appears.
Select HTTP from the Listener Type list and set values for the HTTP Listener configuration parameters as described in Table 11-2:
Table 11-2 HTTP Listener Configuration Parameters
Type | Parameter | Description |
---|---|---|
Basic | Listener Name | Name of the Listener. Use only ASCII characters in the value for the Listener Name parameter, as non-ASCII characters are not supported. |
Basic | Listener Host | Specify the IP address the Listener should use to listen for connections from clients. By default, Oracle Virtual Directory listens on all IP addresses if no value or 0.0.0.0 is specified for this parameter. If you set this parameter to an IP address or host, the Listener will use that IP address or host to listen for connections from clients, regardless of whether the IP address or host is virtual or real. Note: Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Listener Host setting. |
Basic | Listener Port | The port number the Listener will provide service on. Only one Listener per server can be active on a port at any given time. |
Basic | Threads | The number of active worker threads the Listener will use to concurrently process incoming requests. The Listener will automatically increase the number of threads if you enter an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can pre-allocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50. |
Basic | Listener Enabled | Enables (selected) and disables (not selected) the Listener for service. |
DSML V2 Service | Realm Name | Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name appears in the HTTP authentication challenge the browser shows the user. |
Web Gateway Service | Allow Anonymous Access | Enables and disables anonymous access to the Web Gateway. |
Web Gateway Service | Search Root | The root distinguished name (namespace) of the directory tree where the Web Gateway will start its sub-tree search for user identity names (UIDs) provided after a user authentication challenge. |
Web Gateway Service | Search Attributes | The attribute the Web Gateway attempts to match when searching for a UID. |
Web Gateway Service | User Object Classes | The objectclasses the Web Gateway uses when searching for users to authenticate. |
Web Gateway Service | Result Cache Life (seconds) | Maximum time that Oracle Virtual Directory will wait before requerying a user credential stored in the directory source. Until that time elapses, the cached result is used, so a credential changed or disabled in the source within the interval is not reflected immediately. |
Web Gateway Service | HTDocs Path | The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located. |
Web Gateway Service | Certificate Attributes | Indicates which attributes contain binary PKI certificate information. The default value is usercertificate. |
Web Gateway Service | Photo/Image Attributes | Indicates which attributes contain graphical images. The default value is jpegphoto. |
Web Gateway Service | Image Display Height | The height the Web Gateway scales photos to. The default value is 100. |
Web Gateway Service | Image Display Width | The width the Web Gateway scales photos to. The default value is 100. |
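The Search Root, Search Attributes and User Object Classes settings together describe a subtree search for the user name a client submits at the authentication challenge. The added example below is the editor's illustration of how such a search filter is typically assembled, not the Web Gateway's own code; the attribute and objectclass values are assumed. It shows why the user-supplied value must be escaped as RFC 4515 requires: in the unescaped form a user name such as jdoe)(|(uid=* rewrites the filter so that it matches every user.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (keeps '*' from acting as a wildcard)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(uid, search_attributes, user_object_classes):
    """Build (&(objectclass=...)(attr=uid)) from the Web Gateway-style settings.

    Several object classes or search attributes are OR-ed together. The submitted
    uid is escaped, so it can only ever be compared as a literal value.
    """
    if not uid:
        raise ValueError("empty user name")
    if not search_attributes or not user_object_classes:
        raise ValueError("at least one search attribute and one object class are required")
    safe_uid = escape_filter_value(uid)
    oc = "".join("(objectclass=%s)" % escape_filter_value(c) for c in user_object_classes)
    attrs = "".join("(%s=%s)" % (a, safe_uid) for a in search_attributes)
    oc_part = oc if len(user_object_classes) == 1 else "(|%s)" % oc
    attr_part = attrs if len(search_attributes) == 1 else "(|%s)" % attrs
    return "(&%s%s)" % (oc_part, attr_part)


def unsafe_user_search_filter(uid, search_attribute):
    """The injectable form, kept here only for contrast: the raw user name is spliced in."""
    return "(&(objectclass=person)(%s=%s))" % (search_attribute, uid)
```

A gateway that uses the matched entry's DN for the subsequent bind should also refuse to proceed when the search returns more than one entry; the escaped filter makes that case an error in the data rather than something an attacker can provoke.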
Click the OK button on the Add Listener screen to save the HTTP Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
This topic explains how to manage Oracle Virtual Directory Listeners using Oracle Enterprise Manager Fusion Middleware Control and contains the following sections:
Perform the following steps to update settings for an existing Listener (LDAP or HTTP) using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where the Listener you want to edit resides.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears displaying the existing Listeners.
Select the Listener you want to edit by clicking on it.
Click the Edit button. The Edit Listener screen appears displaying the Listener's current settings.
Edit the settings as desired.
Refer to Table 11-1, "LDAP Listener Configuration Parameters" for information about each LDAP Listener parameter.
Refer to Table 11-2, "HTTP Listener Configuration Parameters" for information about each HTTP Listener parameter.
Click the OK button on the Edit Listener screen to save the Listener.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
You can edit the settings for the Oracle Virtual Directory Administrative Listener in the same manner that you edit settings for LDAP or HTTP Listeners. However, if you disable the Admin Gateway Listener, you will not be able to communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. Refer to "Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.
Perform the following steps to edit settings for the Admin Gateway Listener using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears displaying the existing Listeners.
Select the Admin Gateway Listener by clicking on it.
Click the Edit button. The Edit Listener screen appears displaying the Admin Gateway Listener's current settings.
Edit the Administrative Listener settings as desired and click Submit. Each Administrative Listener setting is described below in the "Administrative Listener Settings" section.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
Administrative Listener Settings
Listener Host
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP addresses configured for the host.
Notes:
Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Listener Host setting.
If you edit the Host setting, you must immediately perform step 6 or you will not be able to communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
Listener Port
The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.
Note:
If you edit the Listener Port setting, you must immediately perform step 6 or you will not be able to communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
Threads
The number of active worker threads the Listener will use to concurrently process incoming requests.
Listener Enabled
Select to enable the Listener for service. If you disable the Admin Gateway Listener, you will not be able to communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces. The default setting is Enabled.
SSL
Displays the current SSL setting (Enabled or Disabled) for the Listener and provides a link to change the Listener's SSL settings. To edit the Listener's SSL settings, click the link and refer to "Configuring SSL for Listeners Using Fusion Middleware Control" for more information.
Note:
If you edit the SSL setting (Enabled or Disabled), you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing the SSL setting, you will not be able to communicate with Oracle Virtual Directory using the Oracle Enterprise Manager Fusion Middleware Control user interface.
Perform the following steps to delete an existing Listener (LDAP or HTTP) using Oracle Enterprise Manager Fusion Middleware Control:
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target where the Listener you want to delete resides.
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears displaying the existing Listeners.
Click the Listener you want to delete.
Click the Delete button. A dialog box appears asking you to confirm that you want to delete the Listener.
Click OK on the dialog box to delete the Listener. The Listener is removed from the list of existing Listeners.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
This topic explains how to manage Oracle Virtual Directory Listeners using WLST and contains the following sections:
See Also:
Oracle Fusion Middleware Oracle WebLogic Scripting Tool for information on how to use the WLST command line tool.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about WLST command syntax.
You can use WLST to update the settings for an existing Listener as follows:
Launch the WLST command line tool shell.
Connect to the WebLogic Admin Server. For example:
connect('username', 'password','t3://host_name:Admin_Server_Port')
Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst_1')
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Move to the MBean node for the Listener you want to update, for example, the Listener named LDAP SSL Endpoint:
cd('../..')
cd('oracle.as.ovd')
cd('oracle.as.ovd:type=component.Listenersconfig.sslconfig,name=LDAP SSL Endpoint,instance=asinst_1,component=ovd1')
Using the WLST set() command, update the appropriate setting. The following example updates the Threads setting:
set('Threads', 20)
Notes:
Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.
If you edit the Host, Port, or SSL setting for the Admin Listener, you must update the Oracle Virtual Directory component registration by referring to Updating the Component Registration of an Oracle Instance Using OPMNCTL. If you do not update the Oracle Virtual Directory component registration after editing any of these settings for the Admin Listener, you will not be able to communicate with Oracle Virtual Directory using WLST.
See Also:
The following sections to learn more about the Listener settings you can configure using WLST.
Save the changes and then refresh the MBean. For example:
cd('../..')
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst_1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory (not Restart) to load the Listener configuration to the Oracle Virtual Directory server.
The following is a list and description of the Admin Listener settings you can configure using WLST:
See Also:
"Understanding the Default Oracle Virtual Directory Listeners" for more information about the Admin Listener.
Determines whether the Listener is enabled or disabled. Supported values are true and false. If you disable the Admin Listener, you will not be able to communicate with Oracle Virtual Directory using the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces.
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshake used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Of these, only the two TLS_RSA_WITH_AES suites are still considered acceptable: the DH_anon suites perform no server authentication at all, so a client cannot tell the Admin Listener from an impostor, and RC4, single DES and 3DES are deprecated ciphers. Restrict the setting to the AES suites unless a specific client cannot negotiate them.
An LDAP URL which defines a group of users with privileges to use the Admin Listener. These users will have near root privileges when accessing the Oracle Virtual Directory server through the Oracle Enterprise Manager Fusion Middleware Control and Oracle Directory Services Manager interfaces.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0, which sets the Admin Listener to listen on all IP Addresses configured for the host.
Note:
Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port on which Oracle Virtual Directory provides administrative services. This is the port used by the Oracle Directory Services Manager and Oracle Enterprise Manager Fusion Middleware Control user interfaces to communicate with the Oracle Virtual Directory server.
The protocol the Admin Listener uses to provide service. Supported values are HTTP and HTTPS.
Determines whether or not SSL is enabled on the Listener. Supported values are true and false.
The supported protocol versions for SSL communication. The following is a list of the supported values:
TLSv1
SSLv3
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version. SSLv3 is deprecated (RFC 7568) and should be omitted unless a client cannot negotiate TLSv1.
The number of active worker threads the Listener will use to listen for connections on the port.
The name of the JKS keystore containing the SSL artifacts.
The following is a list and description of the LDAP Listener settings you can configure using WLST:
Determines whether or not the Listener is enabled or disabled. Supported values are true and false.
Determines whether or not LDAP clients can use StartTLS. If enabled, the LDAP Listener allows clients to use the StartTLS extended operation to initiate secure communication over an insecure channel. Supported values are true and false. The default value is false.
Controls how Oracle Virtual Directory handles LDAP anonymous authentication. Supported values are listed in Table 11-3:
Table 11-3 LDAP Anonymous Authentication Options
Option | Control |
---|---|
Allow | Allow anonymous authentication. |
Deny | Prevent anonymous operations. |
DenyDNOnly | Prevent empty password authentication. Note: A bind request that carries a non-empty DN and an empty password is an unauthenticated bind. Earlier LDAP specifications had servers treat it as a successful anonymous bind, and RFC 4513 (section 5.1.2) now recommends that servers reject it by default. An application that authenticates users by binding with the supplied password and treating any successful bind as proof of identity would otherwise let a user log in without entering a password. Most LDAP-enabled applications guard against this themselves; DenyDNOnly closes the gap on the server side as an extra safeguard. |
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshake used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Of these, only the two TLS_RSA_WITH_AES suites are still considered acceptable: the DH_anon suites perform no server authentication, so an LDAP client cannot tell the Listener from an impostor (and a bind over such a connection hands the password to whoever answered), and RC4, single DES and 3DES are deprecated ciphers. Restrict the setting to the AES suites unless a specific client cannot negotiate them.
In addition to the normal LDAP operations supported by the LDAP protocol, you can define your own LDAP operation using this setting. This setting is the full java class name that implements your user-defined LDAP operation.
The unique name for your user-defined LDAP operation identified by the ExtendedOpsClass setting.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note:
Do not use a loopback IP address, including 127.0.0.1, ::1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port number the LDAP Listener will provide service on. Only one Listener per server can be active on a port at any given time.
The protocol the LDAP Listener uses to provide service. Supported values are LDAP and LDAPS.
Determines whether or not SSL is enabled on the Listener. Supported values are true and false.
The supported protocol versions for SSL communication. The following is a list of the supported values:
TLSv1
SSLv3
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version. SSLv3 is deprecated (RFC 7568) and should be omitted unless a client cannot negotiate TLSv1.
Determines the maximum number of pending connection requests that can accumulate before the server starts rejecting new connection attempts. Default setting is 128.
Determines whether or not the LDAP connection should use TCP keep-alive. If enabled, TCP keep-alive messages are periodically sent to the client to verify that the associated connection is still valid. Supported values are true and false. The default value is false.
Enables and disables tolerance for idle client connections with the specified timeout period in milliseconds. If set to a non-zero time, client connections to the Oracle Virtual Directory server can remain idle only for the set amount of time. If the connection is idle for a period longer than the specified time, the client connection is terminated. A value of zero is considered an infinite timeout. The default value is 0.
Determines whether or not the LDAP Listener should reuse socket descriptors. If enabled, socket descriptors for clients in TIME_WAIT state can be reused. Supported values are true and false. The default value is false.
Determines whether or not the LDAP connection should use TCP no-delay. If enabled, response messages to the client are sent immediately, rather than potentially waiting to determine whether additional response messages can be sent in the same packet. Supported values are true and false. The default value is true.
The number of active worker threads the Listener will use to concurrently process incoming requests. The Listener will automatically increase the number of threads if you indicate an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can pre-allocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.
The name of the JKS keystore containing the SSL artifacts.
Specifies the maximum number of pending LDAP requests that can accumulate when all worker threads associated with the LDAP Listener are busy processing requests. Once the specified capacity is reached, the LDAP Listener rejects new requests with a DSA is busy error. The default value is 1024.
Note:
The DSA is busy error usually appears when a large number of requests are sent to the Oracle Virtual Directory server in a short period of time and the LDAP Listener is unable to support them.
The following is a list and description of the HTTP Listener settings you can configure using WLST:
Determines whether the Listener is enabled or disabled. Supported values are true and false.
Determines the authentication mode for the Listener. Supported values are None, Server, and Mutual.
None configures the Listener for SSL No-Authentication Mode
Server configures the Listener for SSL Server Authentication Mode
Mutual configures the Listener for SSL Mutual Authentication
The InetAddress representation of value for the Host setting. If you edit the BindAddress setting, the Host setting also changes. Conversely, if you edit the Host setting, the BindAddress setting also changes.
Configures cipher suite negotiation, which is part of the SSL handshaking used to initiate or verify secure communications. A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and integrity protection. The default value is null. The following is a list of the supported values for the Ciphers setting:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Base URL for the location of the customer developed custom web service.
Name of the realm used by Oracle Virtual Directory to protect the custom web service when the custom web service is security enabled.
If you want to use your own web application to handle HTTP connections, instead of using the HTTP Listener's Web Gateway and/or DSMLv2 Gateway, use this setting to specify the path to your custom web application war file.
Name of the realm used by Oracle Virtual Directory to protect the DSMLv2 service when the DSMLv2 service is security enabled. This realm name would appear in an HTTP browser challenge to the user.
The name or IP address of the host where the Oracle Virtual Directory server is running. The default value is 0.0.0.0.
Note:
Do not use a loopback IP address, including 127.0.0.1, :0:0:1, localhost, and so on, for the Host setting.
The name of the JKS keystore containing the SSL artifacts.
The name of the Listener.
The port number the HTTP Listener will provide service on. Only one Listener per server can be active on a port at any given time.
The protocol the HTTP Listener uses to provide service. Supported values are HTTP and HTTPS.
Determines whether or not SSL is enabled on the Listener. Supported values are true and false.
The supported protocols for SSL communication. The following is a list of the supported values:
TLSv1
SSLv2Hello
Note:
The SSLv2Hello value cannot be specified alone. If you specify SSLv2Hello, you must also specify at least one other supported version.
SSLv3
The number of active worker threads the Listener will use to concurrently process incoming requests. The Listener will automatically increase the number of threads if you indicate an insufficient amount. This initial setting serves only to indicate to Oracle Virtual Directory the expected number of simultaneous clients so that it can pre-allocate resources. The default setting is 10, which should be sufficient for testing purposes. For production environments, Oracle recommends increasing this setting to 50.
The name of the JKS keystore containing the SSL artifacts.
Enables and disables anonymous access to the Web Gateway. Supported values are true and false.
Indicates which attributes contain binary PKI certificate information. The default value is usercertificate.
The directory path, relative to the Oracle Virtual Directory root installation, where the XSLT and HTML files are located.
The attribute the Web Gateway should attempt to match when searching for a UID. The default value is uid, mail, cn.
The objectclasses the Web Gateway should use when searching for users to authenticate. The default value is inetorgperson, user.
Indicates which attributes contain graphical images. The default value is jpegphoto.
The height the Web Gateway scales photos to. The default value is 100.
The width the Web Gateway scales photos to. The default value is 100.
The root distinguished name (namespace) of the directory tree where the Web Gateway will start its sub-tree search for user identity names (UIDs) provided after a user authentication challenge.
Name of the realm used by Oracle Virtual Directory to protect the Web Gateway service when the Web Gateway service is security enabled.
Maximum time (in seconds) that Oracle Virtual Directory will wait before requerying a user credential stored in the directory source.
You can use WLST to delete an existing Listener as follows:
Launch the WLST command line tool shell.
Connect to the WebLogic Admin Server. For example:
connect('username', 'password','t3://host_name:Admin_Server_Port')
Move to the Oracle Virtual Directory Root Proxy MBean node and initialize the MBean. For example:
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Move to the Oracle Virtual Directory Listeners configuration MBean. For example:
cd('../..')
cd('oracle.as.ovd/oracle.as.ovd:type=component.Listenersconfig,name=Listenersconfig,instance=asinst1,component=ovd1')
Delete the appropriate Listener, for example, the Listener named test1, as follows:
invoke('deleteListener',jarray.array([java.lang.String('test1')],java.lang.Object),jarray.array(['java.lang.String'],java.lang.String))
Save the changes and then refresh the MBean. For example:
cd('../..')
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=ovd1,instance=asinst1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
This topic explains how to secure Oracle Virtual Directory Listeners using SSL and contains the following sections:
Perform the following steps to secure Oracle Virtual Directory Listeners with SSL using Oracle Enterprise Manager Fusion Middleware Control:
Note:
If you are configuring the Listener for SSL No-Auth mode, do not perform step 2 and steps 3e through 3h in the following procedure.
See Also:
The information about enabling SSL for Oracle Virtual Directory Listeners in the Oracle Fusion Middleware Administrator's Guide.
Log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to the Oracle Virtual Directory target of the Listener you want to secure with SSL.
Create a keystore if one does not already exist by selecting Security and then Keystores from the Oracle Virtual Directory menu. The Java Keystore screen appears. Refer to the information about creating a keystore using Oracle Enterprise Manager in the Oracle Fusion Middleware Administrator's Guide for additional information.
Configure the Listener by performing the following steps:
Select Administration and then Listeners from the Oracle Virtual Directory menu. The Listeners screen appears.
Select the Listener you want to secure with SSL by clicking on it and then click the Edit button. The Edit Listener: Listener Name screen appears.
Click the Change SSL Settings link.
Click the Enable SSL option to enable SSL on the Listener. If you are configuring the Listener for SSL No-Auth mode, skip to step i now.
Select the keystore you want to use from the Server Keystore Name field.
Note:
If you select a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.
To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
  -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
  -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
  $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Enter the password for the keystore in the Server Keystore Password field.
Note:
The password for the keystore that is created during the Oracle Virtual Directory installation is the same as the password set for the Oracle Virtual Directory administrator during installation.
Select the truststore you want to use from the Server Truststore Name field.
Enter the password for the truststore in the Server Truststore Name field.
Click and expand the Advanced SSL Setting option.
Select one of the following authentication modes for the Listener from the Client Authentication field.
To configure the Listener for SSL No-Authentication Mode, select No Authentication.
To configure the Listener for SSL Server Authentication Mode, select Server Authentication.
To configure the Listener for SSL Mutual Authentication mode between the Oracle Virtual Directory server and the client, select Mutual Authentication.
Note:
The Optional Client Authentication mode is not supported for Oracle Virtual Directory Listeners.
Select the appropriate option from the Cipher Suite field. You can select All, or a combination of individual options.
Note:
If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.
Select the appropriate option from the SSL Protocol Version field.
Note:
The v2Hello option is not supported by itself. That is, you cannot select the v2Hello option alone—you must select it in combination with at least one additional SSL Protocol Version from the list.
Click the OK button.
Stop Oracle Virtual Directory if it is running by referring to Stopping the Oracle Virtual Directory Server Using Fusion Middleware Control. After it stops, start Oracle Virtual Directory by referring to Starting the Oracle Virtual Directory Server Using Fusion Middleware Control.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
To configure SSL for Oracle Virtual Directory using the WLST command line tool:
See Also:
The WLST Reference for SSL information in the Oracle Fusion Middleware Administrator's Guide.
Oracle Fusion Middleware Oracle WebLogic Scripting Tool for information on how to use the WLST command line tool.
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for information about WLST command tool syntax.
Launch the WLST command line tool shell.
Go to the custom tree using the following command:
custom()
Navigate to the root Oracle Virtual Directory MBean using the following commands:
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE_NAME')
Initialize the Oracle Virtual Directory configuration from the remote Oracle Virtual Directory server into the WebLogic server using the following command:
invoke('load',jarray.array([],java.lang.Object),jarray.array([], java.lang.String))
Identify the Listeners for this Oracle Virtual Directory component by executing the following command:
listListeners('instName', 'compName')
For example:
listListeners('instance1','ovd1')
The command lists all the Listeners for the component named ovd1. In the list of Listeners returned, identify the Listener you want to secure using SSL. For example, imagine you want to secure the Listener named LDAP SSL Endpoint.
Display the existing SSL configuration for the Listener you want to secure (LDAP SSL Endpoint in this example) using the following command:
getSSL('instance1','ovd1','ovd','LDAP SSL Endpoint')
Display the existing keystores using the following command:
listKeyStores('instance1','ovd1','ovd')
If you need to, create a new keystore and a self-signed certificate using the following commands.
To create the new keystore, execute the following command:
createKeyStore('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE')
To create a self-signed certificate in the new keystore, execute the following command:
generateKey ('instance1','ovd1','ovd','NEW_KEYSTORE_NAME','PASSWORD_FOR_NEW_KEYSTORE', 'DN', 'keySize', 'alias')
Identify the name of the SSL MBean for the Oracle Virtual Directory Listener by executing the following command:
getSSLMBeanName('instance1','ovd1','ovd','LDAP SSL Endpoint')
Set the passwords for the keystore and truststore in the MBean by executing the following commands:
cd ('SSL_MBEAN_NAME')
set('KeyStorePassword',java.lang.String('PASSWORD').toCharArray())
set('TrustStorePassword',java.lang.String('PASSWORD').toCharArray())
Configure the SSL settings for the Listener using the following command and file.prop. A sample file.prop file is given for reference:
configureSSL ('instance1', 'ovd1', 'ovd', 'LDAP SSL Endpoint', 'PATH_TO_file.prop')
Note:
If you configure a different keystore or change the certificate in the keystore for the Admin Gateway Listener or the LDAP SSL Endpoint Listener, you must import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet. If you do not import the certificate, Oracle Enterprise Manager Fusion Middleware Control cannot connect to Oracle Virtual Directory to retrieve performance metrics.
To import the certificate into the Oracle Enterprise Manager Fusion Middleware Control Agent's wallet:
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert \
  -keystore OVD_KEYSTORE_FILE -storepass PASSWORD \
  -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Enterprise Manager Fusion Middleware Control Agent's Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet \
  $ORACLE_INSTANCE/EMAGENT/EMAGENT/sysman/config/monwallet \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Example 11-1 Sample file.prop File
SSLEnabled=true
AuthenticationType=auth_type
SSLVersions=version
Ciphers=cipher
KeyStore=name_of_your_keystore
TrustStore=name_of_your_keystore
Important Notes Regarding the file.prop File:
Replace the variable values in Example 11-1 with the values for your environment.
If you are configuring the Listener for SSL No-Auth mode, you must select at least one DH_anon cipher. For all other SSL modes, you must select at least one RSA cipher.
You must specify the value of the KeyStore parameter when configuring SSL for server-auth and mutual-auth modes.
If you specify only AES ciphers, the SSLVersions parameter must contain TLSv1.
The text in the file.prop file is case sensitive.
Do not use spaces after cipher entries in the file.prop file.
Refer to the "Properties Files for SSL" section in the Oracle Fusion Middleware Administrator's Guide for more information about the contents of the file.prop file.
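The following validator is an added example; it is not part of this guide or of Oracle Virtual Directory. It applies the file.prop rules from the notes above, together with the cipher suite and SSL version lists given for the LDAP and HTTP Listener settings, to a properties fragment before that fragment is handed to configureSSL, so a misconfiguration (a DH_anon-only list in Server mode, SSLv2Hello on its own, an AES-only list without TLSv1, a missing KeyStore, a lowercase key, a space after a cipher entry) is caught before the stop/start cycle. The AuthenticationType values None, Server and Mutual are assumed to match the Listener's AuthenticationType setting; the three sample fragments are constructed; and the advisory about RC4, single DES and MD5 reflects general cryptographic knowledge rather than a rule stated in this guide.

```python
"""Check an Oracle Virtual Directory file.prop SSL fragment against the
Listener rules.  Added example; not Oracle code."""
import re
from typing import Dict, List, Tuple

# Cipher suites the Listener reference lists as supported (LDAP and HTTP).
SUPPORTED_CIPHERS = frozenset({
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
})
SUPPORTED_VERSIONS = frozenset({"TLSv1", "SSLv2Hello", "SSLv3"})
# Assumption: same values as the Listener's AuthenticationType setting.
AUTH_TYPES = frozenset({"None", "Server", "Mutual"})
KNOWN_KEYS = frozenset({"SSLEnabled", "AuthenticationType", "SSLVersions",
                        "Ciphers", "KeyStore", "TrustStore"})
# General cryptographic knowledge, not a rule from the guide: obsolete primitives.
LEGACY_MARKERS = ("_RC4_", "_DES_CBC_", "_MD5")


def parse_props(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse key=value lines.  Keys are case sensitive, so nothing is
    normalised; malformed lines and whitespace around entries are reported."""
    props: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if "=" not in raw:
            problems.append(f"line {lineno}: not a key=value entry")
            continue
        key, value = raw.split("=", 1)
        key = key.strip()
        if key not in KNOWN_KEYS:
            hint = next((k for k in KNOWN_KEYS if k.lower() == key.lower()), None)
            problems.append(f"line {lineno}: unknown key '{key}'"
                            + (f" (case-sensitive; did you mean '{hint}'?)" if hint else ""))
            continue
        # A space after a cipher entry is rejected by the file format.
        if value != value.strip() or re.search(r",\s|\s,", value):
            problems.append(f"line {lineno}: '{key}' contains whitespace around entries")
        props[key] = value.strip()
    return props, problems


def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def validate(text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, advisories) for a file.prop fragment."""
    props, errors = parse_props(text)
    advisories: List[str] = []

    if props.get("SSLEnabled") not in ("true", "false"):
        errors.append("SSLEnabled must be 'true' or 'false'")
    auth = props.get("AuthenticationType")
    if auth not in AUTH_TYPES:
        errors.append(f"AuthenticationType must be one of {sorted(AUTH_TYPES)}")

    ciphers = split_list(props.get("Ciphers", ""))
    for c in ciphers:
        if c not in SUPPORTED_CIPHERS:
            errors.append(f"unsupported cipher suite '{c}'")
        elif any(m in c for m in LEGACY_MARKERS):
            advisories.append(f"'{c}' uses an obsolete primitive (RC4, single DES or MD5)")
    anon = [c for c in ciphers if "_anon_" in c]
    rsa = [c for c in ciphers if "_RSA_" in c]
    if auth == "None" and not anon:
        errors.append("No-Auth mode needs at least one DH_anon cipher suite")
    if auth in ("Server", "Mutual"):
        if not rsa:
            errors.append(f"{auth} authentication needs at least one RSA cipher suite")
        if not props.get("KeyStore"):
            errors.append(f"KeyStore is required for {auth} authentication")

    versions = split_list(props.get("SSLVersions", ""))
    for v in versions:
        if v not in SUPPORTED_VERSIONS:
            errors.append(f"unsupported SSL version '{v}'")
    if versions == ["SSLv2Hello"]:
        errors.append("SSLv2Hello cannot be the only SSLVersions entry")
    if ciphers and all("_AES_" in c for c in ciphers) and "TLSv1" not in versions:
        errors.append("AES-only cipher list requires TLSv1 in SSLVersions")
    return errors, advisories


# Constructed sample: several of the mistakes the notes warn about.
BAD_PROPS = """\
sslenabled=true
AuthenticationType=Server
SSLVersions=SSLv2Hello
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
TrustStore=keys.jks
"""
# Constructed sample: the same fragment corrected.
GOOD_PROPS = """\
SSLEnabled=true
AuthenticationType=Server
SSLVersions=TLSv1,SSLv3
Ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
KeyStore=keys.jks
TrustStore=keys.jks
"""
# Constructed sample: valid No-Auth fragment that still earns an advisory.
NOAUTH_PROPS = """\
SSLEnabled=true
AuthenticationType=None
SSLVersions=TLSv1,SSLv3
Ciphers=SSL_DH_anon_WITH_RC4_128_MD5
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_PROPS), ("good", GOOD_PROPS), ("noauth", NOAUTH_PROPS)):
        errs, adv = validate(text)
        print(name, "errors:", errs, "advisories:", adv)
```

Run it against the file.prop you intend to pass to configureSSL; an empty error list means the fragment satisfies every rule listed above, while advisories only point at suites that are accepted by the server but built on obsolete primitives.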
See Also:
The following sections for information about the AuthenticationType, SSLVersions, and Ciphers you can configure in file.prop:
Stop Oracle Virtual Directory if it is running. After it stops, start Oracle Virtual Directory.
Note:
You must explicitly stop and start Oracle Virtual Directory—not Restart—to load the Listener configuration to the Oracle Virtual Directory server.
This topic explains how to validate SSL connections for each SSL mode and contains the following sections:
Note:
If you are using default settings after installing 11g Release 1 (11.1.1), you can use the following values for the variables described in this section:
For OVD_KEY_STORE_FILE, use:
ORACLE_INSTANCE/config/OVD/ovd1/keystores/keys.jks
For OVD_SERVER_CERT_ALIAS, use serverselfsigned
For PASSWORD used for the -storepass and -jkspwd options, use the same password as orcladmin
To validate a connection secured by SSL No-Authentication mode, execute the following command:
ORACLE_HOME/bin/ldapbind -D cn=orcladmin -q -U 1 -h HOST -p SSL_PORT
To validate a connection secured by SSL Server Authentication mode, perform the following steps:
Create an Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET \
  -pwd WALLET_PASSWORD
Export the Oracle Virtual Directory server certificate by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -exportcert -keystore OVD_KEYSTORE_FILE \
  -storepass PASSWORD -alias OVD_SERVER_CERT_ALIAS -rfc \
  -file OVD_SERVER_CERT_FILE
Add the Oracle Virtual Directory server certificate to the Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet add -wallet DIRECTORY_FOR_SSL_WALLET \
  -trusted_cert -cert OVD_SERVER_CERT_FILE -pwd WALLET_PASSWORD
Use the Oracle Wallet from step 3 while executing the following command:
ORACLE_HOME/bin/ldapbind -D cn=orcladmin -q -U 2 -h HOST -p SSL_PORT \
  -W "file://DIRECTORY_FOR_SSL_WALLET" -Q
To validate a connection secured by SSL Mutual Authentication mode, perform the following steps:
Create an Oracle wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet create -wallet DIRECTORY_FOR_SSL_WALLET \
  -pwd WALLET_PASSWORD
Transform the Oracle Virtual Directory keystore file to an Oracle Wallet by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet jks_to_pkcs12 \
  -wallet DIRECTORY_FOR_SSL_WALLET -pwd WALLET_PASSWORD \
  -keystore ORACLE_INSTANCE/config/OVD/OVD_COMPONENT/keystores/keys.jks \
  -jkspwd PASSWORD
Export the client certificate in Base64 format by executing the following command:
ORACLE_COMMON_HOME/bin/orapki wallet export -wallet . -dn CLIENT_DN \
  -cert ./b64certificate.txt
Import the client certificate you created in step 2 into the Oracle Virtual Directory keystore as a trusted entry by executing the following command:
ORACLE_HOME/jdk/jre/bin/keytool -importcert \
  -keystore ORACLE_INSTANCE/config/OVD/OVD_COMPONENT/keystores/keys.jks \
  -storepass JKS_PASSWORD -alias ALIAS -file b64certificate.txt -noprompt
Verify the SSL connection using the bind DN of the client certificate by executing the following command:
ORACLE_HOME/bin/ldapbind -U 3 -h HOST -p SSL_PORT \
  -W "file://DIRECTORY_FOR_SSL_WALLET" -Q