OID 11g - How To Create New OID Instance And Configure For SSL Server Auth (mode 2) (Self-Signed Wallet Example)

(Doc ID 1203271.1)

Last updated on NOVEMBER 20, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.

Goal

The out-of-box configuration for OID has a non-SSL port and an SSL port configured for mode 1, which is encryption only. If you need to configure DIP synchronization to a remote source over SSL, or if you need to install the ADPassword Filter, each of these requires SSL mode 2 (server authentication).

To set up OID to run in mode 2 (server authentication), it is suggested that you create a new/second OID instance and configure it accordingly.

For background on OID modes see the following documentation:

Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-02 Chapter/Topic 25.1.3 SSL Authentication Modes


Note that it states the following:

"By default, the SSL authentication mode is set to authentication mode 1 (encryption only, no authentication). Be sure at least one Oracle Internet Directory server instance has this default authentication mode. Otherwise, you break Oracle Delegated Administration Services and other applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port."


Additionally, the Oracle Directory Services Manager (ODSM) and Directory Integration Platform (DIP) are also configured to run in mode 1. While they can be reconfigured for mode 2, it is easier to:

  1. Continue running ODSM in mode 1
  2. Don't run DIP in the default instance
  3. Reconfigure DIP to run in the new OID instance (this is covered in note 1203927.1)
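As an added check (example code, not part of this note), the following parses ldapsearch LDIF output for the per-instance OID configsets, reports each instance's SSL authentication mode, and warns when no instance is left in mode 1. It assumes the configset DN layout `cn=configsetN,cn=osdldapd,cn=subconfigsubentry` and the `orclsslauthentication` values 1/32/64 for modes 1/2/3; the LDIF sample is constructed.

```python
# Added example, not from the Oracle note. Assumptions: instance config lives under
# cn=configsetN,cn=osdldapd,cn=subconfigsubentry and orclsslauthentication uses
# 1 = encryption only, 32 = server authentication, 64 = server + client authentication.
import re

MODE_NAMES = {1: "mode 1 (encryption only)",
              32: "mode 2 (server authentication)",
              64: "mode 3 (server and client authentication)"}

# Constructed sample LDIF: default instance (configset0) kept in mode 1,
# second instance (configset1) switched to mode 2 for DIP / ADPassword Filter.
SAMPLE_LDIF = """\
dn: cn=configset0,cn=osdldapd,cn=subconfigsubentry
cn: configset0
orclsslport: 3131
orclsslauthentication: 1

dn: cn=configset1,cn=osdldapd,cn=subconfigsubentry
cn: configset1
orclsslport: 3132
orclsslauthentication: 32
"""


def parse_configsets(ldif):
    """Return {configset_cn: {"port": int, "auth": int}} from LDIF text."""
    result = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip().lower()] = value.strip()
        if attrs.get("cn", "").startswith("configset"):
            # OID defaults to mode 1 when the attribute is absent (assumption).
            result[attrs["cn"]] = {"port": int(attrs.get("orclsslport", 0)),
                                   "auth": int(attrs.get("orclsslauthentication", 1))}
    return result


def check_modes(configsets):
    """List each instance's mode; add a warning when no instance keeps mode 1."""
    findings = [f"{cn}: SSL port {c['port']} runs {MODE_NAMES.get(c['auth'], 'unknown')}"
                for cn, c in sorted(configsets.items())]
    if not any(c["auth"] == 1 for c in configsets.values()):
        findings.append("WARNING: no instance left in mode 1; ODSM/DAS clients that "
                        "expect the encryption-only SSL port will break")
    return findings
```

Run `check_modes(parse_configsets(SAMPLE_LDIF))` against the output of an ldapsearch of `cn=osdldapd,cn=subconfigsubentry` to confirm the new instance is in mode 2 while the default instance stays in mode 1.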

Solution
