11g - How To Configure OID For SSL Mutual Auth (mode U 3) (Doc ID 1311791.1)

Last updated on AUGUST 30, 2023

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.


The 11g documentation in the Oracle Internet Directory Administrator's Guide is incomplete regarding how to set up OID for mutual authentication over SSL. It shows only the following:

27.6.3 Testing SSL With Client and Server Authentication

Use this method to test an SSL configuration with SSL client and server authentication configured.

Oracle Internet Directory supports the Certificate Matching Rule. The DN and password passed on the ldapbind command line are ignored. Only the DN from the certificate or the certificate hash is used for authorization.

See Also:
"Direct Authentication".

To use the bind DN (Distinguished Name) from the client certificate, the syntax is:

ldapbind -U 3 -h host -p port -W "file:DIRECTORY_CONTAINING_WALLET" -Q

The documentation only explains how to test the configuration; it gives no procedure for setting it up.

This document provides a detailed step-by-step procedure to achieve client and server authentication over SSL for OID LDAP operations.



In this Document
 Step 1. Setup SSL Server Auth Mode
 Step 2. Setup SSL Mutual Auth Mode
 Step 3. Export and Import the Trusted Certificate for each of the two wallets (oid2-wallet and client-wallet)
 Step 4. Change the oid2 server settings to MUTUAL AUTH
 Step 5. Stop and restart the OID2 Instance
 Step 6. Test SSL Mutual Auth per Documentation