Tuesday, July 23, 2013

Enable SSL for LDAPSync between Oracle Identity Manager and Oracle Internet Directory

In this post I highlight the steps required to enable SSL for LDAPSync between OIM and OID.

Assume that LDAPSync is already configured over a plain, non-SSL connection. We need to modify LDAPSync so that it communicates over SSL. It is worthwhile to note that LDAPSync uses libOVD adapters, and the configuration files for these are located in the $DOMAIN_HOME/config/fmwconfig/ovd/<ContextOfAdapters> folder in the OIM domain.

The first step is to get the OID server certificate from the OID wallet. If the location of the wallet is already known, go straight to step 2 to export the certificate; otherwise look up the name of the wallet in the OID Enterprise Manager console.

1) Log in to the OID EM console. From the top, select the OID SSL instance -> Oracle Internet Directory -> Administration -> Wallet. Note the OID wallet name and locate it on the server box. It is generally located in the $ORACLE_OID_INSTANCE/OID/admin folder.

2) Navigate to the wallet path on the server and execute the following command to export the certificate:
$MW_HOME/oracle_common/bin/orapki wallet export -wallet [$ORACLE_INSTANCE_OID_LOCATION]/OID/admin/oidwallet -dn 'CN=serverName,OU=XX,O=XXX,L=XX,ST=XX,C=XX' -cert ./b64certificate.txt
The certificate is exported to the file b64certificate.txt.

3) Copy this file to the OIM server and import the certificate into the OVD adapter keystore. The OVD adapter keystore is located at $DOMAIN_HOME/config/fmwconfig/ovd/[CONTEXT]/keystores/adapters.jks (in my case the context was oim):
keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/oim/keystores/adapters.jks -storepass XXXX -alias XXXXXXX -file /home/oracle/temp/b64certificate.txt
4) The next steps modify the OVD configuration using WLST commands to update the host, the port and the secure flag.

5) Start WLST:
$MW_HOME/oracle_common/common/bin/wlst.sh
Run connect() and enter the username, password and admin server URL when prompted:
wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://localhost:7001
6) To see the list of adapters we need to modify, execute:
wls:/IamTstDomain/serverConfig> listAdapters(contextName='oim')
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime)
Adapter Name : oid01 Adapter Type : LDAP
Adapter Name : CHANGELOG_oid01 Adapter Type : LDAP
7) Get the details of the adapter, including the existing host name and port. Execute:
getAdapterDetails(adapterName='oid01', contextName='oim')
DETAILS OF ADAPTER : oid1
Adapter Type                : LDAP
Name                        : oid1
Virtual NameSpace           : dc=XXX,dc=XXX
Remote NameSpace            : dc=XXX,dc=XXX
LDAP Host                   : [servername.domain : portno]
Secure                      : false
Bind DN                     : cn=oimLDAP,cn=systemids,dc=XXX,dc=XXX
Pass Credentials            : Always
Max size of Connection Pool : 10
8) Execute the following WLST commands to modify the first adapter.
To remove the existing LDAP host:
removeLDAPHost('oid1','servername.domain', 'oim')
To add the new host (with the SSL port), execute the following command:
addLDAPHost('oid1','servername.domain',portno,'oim')
To set the secure property:
modifyLDAPAdapter(adapterName='oid1', attribute='Secure', value=true,contextName='oim')

9) Execute the following WLST commands to modify the second adapter.
To remove the existing LDAP host:
removeLDAPHost('CHANGELOG_oid1','servername.domain', 'oim')
To add the new host (with the SSL port):
addLDAPHost('CHANGELOG_oid1', 'servername.domain',portno, 'oim')
To set the secure property:
modifyLDAPAdapter(adapterName='CHANGELOG_oid1', attribute='Secure', value=true,contextName='oim')
10) Verify that the proper details have been updated in adapters.os_xml, located at $DOMAIN_HOME/config/fmwconfig/ovd/oim.
Look for the following tags in adapters.os_xml for each adapter and check that the host, port and secure values are correct:
<hosts>
    <host readonly="false" percentage="100" port="portno">servername.domain</host>
</hosts>
<remoteBase>dc=XXX,dc=XXX</remoteBase>
<secure>true</secure>
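As an added example (not part of the original post), the following Python script automates the check in step 10: it parses adapters.os_xml and reports every adapter whose host, port or secure flag does not match what steps 8 and 9 set, so a changelog adapter left on the plain port does not go unnoticed. The sample file, the <adapters>/<ldap id="..."> wrapper around the tags shown above and the host/port values are constructed assumptions; only the inner tags come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample of adapters.os_xml. The <adapters>/<ldap id="..."> wrapper
# is an assumption; <hosts>/<host>, <remoteBase> and <secure> are the tags the
# post says to verify. The second adapter is deliberately left unfixed.
SAMPLE_ADAPTERS_OS_XML = """<?xml version="1.0"?>
<adapters>
  <ldap id="oid1">
    <hosts>
      <host readonly="false" percentage="100" port="3131">oid.example.com</host>
    </hosts>
    <remoteBase>dc=example,dc=com</remoteBase>
    <secure>true</secure>
  </ldap>
  <ldap id="CHANGELOG_oid1">
    <hosts>
      <host readonly="false" percentage="100" port="3060">oid.example.com</host>
    </hosts>
    <remoteBase>dc=example,dc=com</remoteBase>
    <secure>false</secure>
  </ldap>
</adapters>
"""


def check_adapters(xml_text, expected_host, expected_port):
    """Return {adapter_name: [problems]} for every adapter that is not
    pointing at expected_host:expected_port with <secure>true</secure>.
    An empty dict means all adapters pass the step 10 check."""
    root = ET.fromstring(xml_text)
    findings = {}
    for adapter in root.iter():
        secure = adapter.find("secure")
        hosts = adapter.find("hosts")
        if secure is None or hosts is None:
            continue  # not an adapter element
        name = adapter.get("id", adapter.tag)  # 'id' attribute is assumed
        problems = []
        if (secure.text or "").strip().lower() != "true":
            problems.append(f"secure flag is {secure.text!r}, expected true")
        host_list = hosts.findall("host")
        if not host_list:
            problems.append("no <host> entries")
        for host in host_list:
            hostname = (host.text or "").strip()
            port = host.get("port")
            if hostname != expected_host or port != str(expected_port):
                problems.append(f"host {hostname}:{port} does not match "
                                f"{expected_host}:{expected_port}")
        if problems:
            findings[name] = problems
    return findings
```

Run it against the real file with `check_adapters(open(path).read(), host, ssl_port)` after step 9 and before restarting the servers in step 11.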
11) Restart the OIM managed server and the Admin server.