This is something that has come up more often in integrations I have done recently, and it isn't easily found in the Oracle documentation. A client's LDAP server is SSL protected, and they want to use that LDAP directory for authentication in their Oracle BI implementation. The steps to configure SSL for LDAP are shown below.
- Configure the LDAP Authentication provider. Make sure you select SSLEnabled on the Configuration > Provider Specific page.
- Obtain the root certificate authority (CA) certificate for the LDAP server.
- Create a trust keystore, or import the root CA certificate into an existing one. For example, the following keytool command imports the root LDAP cert into the OBIEE default trust store "cacerts":
- keytool -import -keystore cacerts -alias <insert alias> -file <insert rootCA>
- To verify that the cert has been imported correctly, use the following keytool command: keytool -list -v -alias <your alias> -keystore <your keystore>
- Copy the keystore to a location from which WebLogic Server has access.
- Start the WebLogic Server Administration Console and navigate to the server-name > Configuration > Keystores page, where server-name is the WebLogic Server instance for which you are configuring this keystore.
- Keep all the other paths as they are. ONLY change Custom Trust Keystore to the path and file name of the trust keystore created in step 3.
- In Custom Trust Keystore Type, enter jks.
- In Custom Trust Keystore Passphrase, enter the password used when creating the keystore.
- Reboot the WebLogic Server instance for changes to take effect.
You should now see users from the LDAP server appearing in the WebLogic admin console.
The directions above only get the users into the WebLogic console. If someone attempts to log in, they will see an SSL binding error. To resolve this, you also need to put the LDAP server's root certificate in an additional keystore used by the virtualization (libOVD) functionality.
- Set environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.
For example (on Windows):
- Set up the keystore by running libovdconfig.sh (on UNIX) or libovdconfig.bat (on Windows) with the -createKeystore option.
For example, on UNIX, open a shell prompt and change directory to <MW_HOME>/oracle_common/bin. Then run the following command, which prompts for the Oracle Business Intelligence administrator user name and password:
./libovdconfig.sh -host <hostname> -port <Admin_Server_Port> -username <BI Admin User> -domainPath <MW_HOME>/user_projects/domains/bifoundation_domain -createKeystore
- When prompted, enter the Oracle Business Intelligence administrator password and the OVD Keystore password (a new password that will be used to secure the keystore file created by the libovdconfig -createKeystore command).
- Once this command completes, you should see two new credentials in the Credential Store and a new keystore file called adapters.jks under <MW_HOME>/user_projects/domains/bifoundation_domain/config/fmwconfig/ovd/default/keystores.
- Export the root certificate from the LDAP directory.
- Import the root certificate into the libOVD keystore using the keytool command:
<MW_HOME>/Oracle_BI1/jdk/bin/keytool -import -keystore <MW_HOME>/user_projects/domains/bifoundation_domain/config/fmwconfig/ovd/default/keystores/adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Certificate filename>
- Restart the WebLogic and BI System processes.
You should now be able to log in with users from the LDAP server.
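Because the login failure described above comes from the root CA being present in the WebLogic trust store but absent from the libOVD adapters.jks, it helps to check both stores in one go. The following script is an added example, not Oracle's tooling: it runs keytool -list against both keystores, reports which store lacks the alias as a trustedCertEntry, and can optionally confirm that the exported CA file actually validates the LDAPS server's chain. The keytool output samples embedded in it are constructed, and the script name, argument order and function names are my own assumptions.

```python
"""Added checker, not part of Oracle's tooling: confirm the LDAP root CA alias is a
trustedCertEntry in BOTH keystores OBIEE consults (WebLogic custom trust store
cacerts and the libOVD store adapters.jks); optionally test the exported CA file."""
import re
import socket
import ssl
import subprocess
import sys

# One `keytool -list` entry line: "<alias>, <date with comma>, <entry type>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*,\s*(?P<kind>trustedCertEntry|PrivateKeyEntry|SecretKeyEntry),?\s*$")
# Constructed samples of non-verbose `keytool -list` output (used by the self-test).
SAMPLE_CACERTS = ("Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\n"
                  "ldaproot, Jan 5, 2020, trustedCertEntry,\n"
                  "Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33\n")
SAMPLE_ADAPTERS = "Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 0 entries\n"

def parse_keytool_list(output):
    """Map alias -> entry type from `keytool -list` output (keytool lowercases aliases)."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip().lower()] = m.group("kind")
    return entries

def stores_missing_alias(listings, alias):
    """Names of stores (listings: name -> keytool output) lacking `alias` as a trusted cert."""
    alias = alias.lower()
    return [name for name, out in listings.items()
            if parse_keytool_list(out).get(alias) != "trustedCertEntry"]

def keytool_list(keytool, keystore, storepass):
    """Run keytool -list on one store and return its output (password passed on the command line)."""
    cmd = [keytool, "-list", "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def ldaps_chain_ok(host, port, ca_file):
    """True if the LDAPS server's chain and hostname validate against only ca_file (the exported root)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trusts nothing but the exported CA
    try:
        with socket.create_connection((host, port), timeout=10) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except ssl.SSLCertVerificationError:
        return False

if __name__ == "__main__":  # usage: check_ldap_trust.py <keytool> <alias> <cacerts> <pw> <adapters.jks> <pw>
    kt, alias, cac, cac_pw, adp, adp_pw = sys.argv[1:7]
    missing = stores_missing_alias({"cacerts": keytool_list(kt, cac, cac_pw),
                                    "adapters.jks": keytool_list(kt, adp, adp_pw)}, alias)
    print("OK: alias trusted in both stores" if not missing else "MISSING in: " + ", ".join(missing))
```

If ldaps_chain_ok returns False with the file you exported in the "Obtain the root CA" step, you most likely exported a leaf or intermediate certificate rather than the root, and the import steps above will not help until that is corrected.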