Configure an Oracle Internet Directory Server as a Key Store

You can configure Oracle Internet Directory Server as a separate key store.
Key Store Prerequisites
  1. Create a directory server instance that is to function as the key store. Be sure to create a root suffix and root object to store the CA Single Sign-On keys.
  2. Create an LDAP user with privileges to create the schema, and to read, modify, and delete objects in the LDAP tree underneath the key store root object.
Gather Directory Server Information
Specific information is required to configure a separate key store. Gather the following information:
  • Host
    The fully qualified name or the IP Address of the directory server host system.
  • Port
    The port on which the directory server instance is listening. This value is required only if the instance is listening on a non-standard port.
    Default values: 636 (SSL) and 389 (non-SSL)
  • Administrative DN
    Specifies the LDAP user name of a user that has privileges to:
    • create schema
    This permission is required only to import the key store schema. After you deploy the key store, you can configure the Policy Server with a user that does not have this permission.
    • read
    • write
    • modify
    • delete
  • Administrative password
    Specifies the password for the Administrative DN.
  • Key store root DN
    Specifies the distinguished name of the node in the LDAP tree where the key store objects must be imported.
  • SSL client certificate
    Specifies the pathname of the directory where the SSL client certificate database file resides.
    Limit: SSL only
Register the Key Store
Registering the key store configures a connection between the key store and the Policy Server. The Policy Server uses the credentials that you supply to manage the key store.
Important!
Registration does not configure the Policy Server to use the separate key store. The settings do not take effect until the Policy Server is restarted. Do not restart the Policy Server until the key store is configured and you are ready to deploy it.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Run the following command to configure the connection:
    smldapsetup reg -hhost -pport -dadmin_user -wadmin_password -rroot -k1
    Note: If User Account Control (UAC) is enabled in Windows Server, open the command-line window with administrator permissions. Open the command-line window this way even if your account has administrator privileges.
    Example:
    smldapsetup reg -h172.16.0.0 -p389 -d"cn=directory manager" -wpassword -r"dc=test" -k1
  3. Start the Policy Server Management Console and open the Data tab.
  4. Complete one of the following procedures:
    • If the Policy Server is configured to use a relational database:
      1. Select Keystore from the Database list.
      2. Select LDAP from the Storage list to display the connection settings and administrative credentials.
      3. Verify that the connection settings and administrative user setting appear.
      4. Click test LDAP Connection to verify that the Policy Server can communicate with the key store instance.
    • If the Policy Server is configured to use a directory server:
      a. Select Keystore from the Database list.
      b. Verify that the connection settings and the administrative user settings appear.
      c. Click test LDAP Connection to verify that the Policy Server can communicate with the key store instance.
    The Use Policy Store database setting is cleared. A cleared setting is the expected, normal behavior: until you restart it, the Policy Server continues to use the key store that is collocated with the policy store.
  5. Exit the Policy Server Management Console.
    The separate key store is registered with the Policy Server.
Create the Key Store Schema
The key store instance requires the schema to store and retrieve CA Single Sign-On web agent keys. Use the smldapsetup utility to create the key store schema file.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Run the following command to create the key store schema file:
    smldapsetup ldgen -ffile_name -k1
    Note: If User Account Control (UAC) is enabled in Windows Server, open the command-line window with administrator permissions. Open the command-line window this way even if your account has administrator privileges.
    Example:
    smldapsetup ldgen -fkeystoreschema -k1
    The key store schema file is created.
Import the Key Store Schema
The key store instance requires the schema to store and retrieve CA Single Sign-On web agent keys. Use the smldapsetup utility to import the key store schema file.
Follow these steps:
  1. Log in to the Policy Server host system.
  2. Run the following command to import the key store schema:
    smldapsetup ldmod -ffile_name -k1
    Note: If User Account Control (UAC) is enabled in Windows Server, open the command-line window with administrator permissions. Open the command-line window this way even if your account has administrator privileges.
    Note: Standard output shows the entire policy store schema being imported. This behavior is normal and expected; the utility imports only the key store-specific schema.
    Example:
    smldapsetup ldmod -fkeystoreschema -k1
    The key store-specific schema is imported.
Restart the Policy Server
The Policy Server continues to use the collocated key store until you restart the Policy Server. Restart the Policy Server to begin using the separate key store.
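As an added example (not part of this documentation or of the smldapsetup utility), the following POSIX shell script ties the preceding sections together: it validates the port and root DN gathered earlier, confirms with OpenLDAP ldapsearch that the key store root object from the prerequisites exists, and then runs the reg, ldgen and ldmod commands in the order the sections prescribe. The host name, root DN, schema file name and the KS_ADMIN_PW environment variable are assumed placeholders, and ldapsearch is assumed to be installed on the Policy Server host.

```shell
#!/bin/sh
# Added example, not from the CA Single Sign-On documentation: validates the
# gathered values, checks the key store root object exists, then runs the
# three smldapsetup steps in order. Host, root DN and file name are constructed
# placeholders; the password comes from the environment, not from this file.
KS_HOST="oid.example.test"          # constructed placeholder
KS_PORT="389"                       # 389 non-SSL, 636 SSL
KS_ADMIN="cn=directory manager"     # Administrative DN
KS_ROOT="dc=test"                   # key store root DN
SCHEMA_FILE="keystoreschema"        # written by ldgen, read by ldmod

# Port must be an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A DN is a comma-separated list of attr=value pairs (values may contain spaces).
valid_dn() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$'
}

# Registration command in the documented syntax, password masked, for logging only.
build_reg_cmd() {
  printf 'smldapsetup reg -h%s -p%s -d"%s" -w**** -r"%s" -k1' "$1" "$2" "$3" "$4"
}

# Prerequisite check with OpenLDAP ldapsearch: a base-scope search on the root
# DN must succeed before anything is registered against it.
root_exists() {
  scheme=ldap; [ "$2" = 636 ] && scheme=ldaps
  ldapsearch -x -H "$scheme://$1:$2" -D "$3" -w "$4" -b "$5" -s base '(objectClass=*)' dn >/dev/null 2>&1
}

main() {
  valid_port "$KS_PORT" || { echo "invalid port: $KS_PORT" >&2; return 1; }
  valid_dn "$KS_ROOT" || { echo "invalid root DN: $KS_ROOT" >&2; return 1; }
  [ -n "$KS_ADMIN_PW" ] || { echo "export KS_ADMIN_PW before running" >&2; return 1; }
  root_exists "$KS_HOST" "$KS_PORT" "$KS_ADMIN" "$KS_ADMIN_PW" "$KS_ROOT" \
    || { echo "root object $KS_ROOT not found on $KS_HOST; create it first" >&2; return 1; }
  echo "running: $(build_reg_cmd "$KS_HOST" "$KS_PORT" "$KS_ADMIN" "$KS_ROOT")"
  smldapsetup reg -h"$KS_HOST" -p"$KS_PORT" -d"$KS_ADMIN" -w"$KS_ADMIN_PW" -r"$KS_ROOT" -k1
  smldapsetup ldgen -f"$SCHEMA_FILE" -k1   # create the key store schema file
  smldapsetup ldmod -f"$SCHEMA_FILE" -k1   # import it; policy store schema in the output is expected
  echo "done: restart the Policy Server to switch to the separate key store"
}

# Run only when asked explicitly, so the file can also be sourced for its checks.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh keystore-setup.sh --run` with KS_ADMIN_PW exported; the Policy Server restart is left to you, as the section above requires.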