
How to Setup a CA Signed Wallet (non self signed) with a New OID 11g SSL Server Authentication (Mode2) Instance (Doc ID 1560010.1)

Last updated on APRIL 03, 2023

Applies to:

Oracle Internet Directory - Version 11.1.1 to 11.1.1.9.180709 [Release 11g]
Oracle Database - Enterprise Edition - Version 19.9.0.0.0 to 19.9.0.0.0 [Release 19]
Information in this document applies to any platform.

Goal

<Document 1203271.1> describes in detail the procedure for using a self-signed certificate with a new OID instance configured for SSL mode 2.
The goal here is to use a CA-signed (non self-signed) certificate instead, with a new OID instance that has been configured for SSL server authentication (mode 2).
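The certificate flow behind that goal, as an added example that is not part of this note and not Oracle's own procedure: a demo CA signs a certificate request for the OID host, and the result is checked the way a mode 2 client checks it, against the trusted CA rather than by trusting the certificate itself. It uses openssl so that it runs on any machine; in the real procedure the request is generated from and the certificates imported into the OID instance's Oracle wallet with orapki. The host name, DNs, file names and the "Demo Issuing CA" are assumptions.

```shell
#!/bin/sh
# Added example (not from the MOS note): the CA-signed certificate flow that a
# mode 2 (server authentication) OID instance relies on, done with openssl so it
# runs offline. Host name, DNs, file names and the demo CA are assumptions; in
# the real procedure these artifacts live in the instance's Oracle wallet.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A demo CA, standing in for the corporate or public CA that signs the request.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo Issuing CA" 2>/dev/null
}

# 2. Server key and CSR for the OID host. The CN must be the name clients connect to,
#    otherwise a mode 2 client rejects the certificate even though the CA is trusted.
make_server_csr() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/oid.key" -out "$WORK/oid.csr" \
        -subj "/CN=oid.example.com/O=Example" 2>/dev/null
}

# 3. The CA signs the CSR, producing the non self-signed server certificate.
sign_server_csr() {
    openssl x509 -req -days 2 -in "$WORK/oid.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/oid.crt" 2>/dev/null
}

# For contrast: a self-signed certificate for the same host, as in Document 1203271.1.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" \
        -subj "/CN=oid.example.com/O=Example" 2>/dev/null
}

# 4. What a mode 2 client does and a mode 1 client does not: validate the server
#    certificate chain against its trusted CA. $1 = certificate, $2 = CA file.
#    Prints OK or FAIL.
verify_against_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_demo_ca
make_server_csr
sign_server_csr
make_self_signed
echo "CA-signed cert, client trusts the CA:   $(verify_against_ca "$WORK/oid.crt" "$WORK/ca.crt")"
echo "Self-signed cert, client trusts the CA: $(verify_against_ca "$WORK/self.crt" "$WORK/ca.crt")"
```

The self-signed certificate fails because nothing in the client's trust store vouches for it; with a self-signed setup every mode 2 client (DIP, the AD password filter host, ODSM if moved to mode 2) would need that certificate itself imported as trusted, which is the operational cost a CA-signed certificate removes. On the OID side the same artifacts are handled with orapki: the request is created in the wallet with `orapki wallet add -wallet <dir> -dn <dn> -keysize 2048` and exported with `orapki wallet export -wallet <dir> -dn <dn> -request <file>`, and the CA certificate must be imported as `-trusted_cert` before the signed certificate is imported as `-user_cert`, because orapki refuses a user certificate whose issuer is not already trusted in that wallet.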

Notice:

The out-of-box OID configuration has a non-SSL port and an SSL port configured for mode 1, which is encryption only (the client does not verify the server's certificate).

Configurations such as DIP synchronization to a remote source over SSL, or the 'AD Password Filter', each require SSL mode 2 (server authentication), in which the client validates the server certificate against a CA it trusts.

To run OID in mode 2 (server authentication), it is suggested that you create a new/second OID instance and configure it accordingly, leaving the default instance in mode 1.

For background on OID modes see the following documentation:

Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1) Part Number E10029-02 Chapter/Topic 25.1.3 SSL Authentication Modes

Note that it states the following:

" By default, the SSL authentication mode is set to authentication mode 1 (encryption only, no authentication). Be sure at least one Oracle Internet Directory server instance has this default authentication mode. Otherwise, you break Oracle Delegated Administration Services and other applications that expect to communicate with Oracle Internet Directory on the encrypted SSL port."


Additionally, Oracle Directory Services Manager (ODSM) and the Directory Integration Platform (DIP) are also configured to run in mode 1. While they can be reconfigured for mode 2, it is easier to:

  1. Continue running ODSM in mode 1
  2. Not run DIP in the default instance
  3. Reconfigure DIP to run against the new OID instance (this is covered in <Document 1203927.1>)

Solution


