{"id":3237,"date":"2018-06-27T10:59:26","date_gmt":"2018-06-27T15:59:26","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=3237"},"modified":"2018-06-27T10:59:26","modified_gmt":"2018-06-27T15:59:26","slug":"updating-oracle-unified-directory-oud-ssl-certificate","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=3237","title":{"rendered":"Updating Oracle Unified Directory (OUD) SSL Certificate"},"content":{"rendered":"<p># PRE-CHANGE VERIFICATION<br \/>\n# There are two environment variables set to allow this to work:<br \/>\n#\u00a0WLSTOREPASS=Wh@t3v3rY0uU53d # WLSTOREPASS is set to whatever is used for the keystore and truststore password<br \/>\n# OUDINST=\/path\/to\/OUD\/installation (root into which both java and OUD were installed &#8212; if you are using an OS package<br \/>\n# for java, your paths will be different)<br \/>\n# Log into OUD web management GUI (https:\/\/hostname.domain.gTLD:7002\/odsm) and verify for each server:<br \/>\n# Configuration=&gt;General Configuration=&gt;Connection Handlers=&gt;LDAPS Connection handler: &#8220;Secure access properties&#8221; section, Key Manager Provider &amp; Trust Manager Provider are JKS. Certificate name is short hostname<br \/>\n# Configuration=&gt;General Configuration=&gt;Key Managers=&gt;JKS: Path is \/$OUDINST\/Oracle\/Middleware\/&lt;short hostname&gt;.jks<\/p>\n<p># During Change, server can be online<br \/>\n# Use the web GUI to issue certificates from WIN-WEB-CA. Export each cert as a PFX with keystore password $WLSTOREPASS<br \/>\n# On each server, place the appropriate PFX file named with the hostname (i.e. 
the cert for LDAPFrontEndAlias.domain.gTLD will be stored to HOST1 as host1.pfx but stored on HOST2 as host2.pfx) in \/tmp\/ssl<br \/>\n# Alternatively, issue one certificate with each hostname and the front end alias as SAN values and use a static filename for the PFX file<br \/>\n# Put the root &amp; web CA base-64 public key in \/tmp\/ssl\/ as well (named Win-Root-CA.b64.cer and Win-Web-CA.b64.cer)<\/p>\n<p>### Import the chain for the private key certificate<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-ROOT -file \/tmp\/ssl\/Win-Root-CA.b64.cer -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -keypass $WLSTOREPASS -storepass $WLSTOREPASS<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-WEB -file \/tmp\/ssl\/Win-Web-CA.b64.cer -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -keypass $WLSTOREPASS -storepass $WLSTOREPASS<\/p>\n<p># get the alias (GUID) of the private key in the PFX file<br \/>\nHOSTCERTALIAS=&quot;$($OUDINST\/java\/jdk\/bin\/keytool -v -list -storetype pkcs12 -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.pfx -storepass $WLSTOREPASS | grep Alias | cut -d: -f2-)&quot;<\/p>\n<p># Change the cert alias to be the short hostname<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -importkeystore -srckeystore \/tmp\/ssl\/${HOSTNAME%%.*}.pfx -destkeystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -srcstoretype pkcs12 -deststoretype JKS -alias $HOSTCERTALIAS -storepass $WLSTOREPASS -srcstorepass $WLSTOREPASS<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -changealias -alias $HOSTCERTALIAS -destalias ${HOSTNAME%%.*} -keypass $WLSTOREPASS -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -storepass $WLSTOREPASS<\/p>\n<p># Verify you have a WIN-ROOT, WIN-WEB, and hostname record<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -v -list -keystore \/tmp\/ssl\/${HOSTNAME%%.*}.jks -storepass $WLSTOREPASS | grep Alias<\/p>\n<p># STOP THE LDAP SERVER AT THIS POINT<br \/>\n# Back up the current Java keystore file and move the new one into place<br 
\/>\nCURRENTDATE=&quot;$(date +%Y%m%d)&quot;<br \/>\nmv $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks $OUDINST\/Oracle\/Middleware\/$CURRENTDATE.jks<\/p>\n<p>cp $OUDINST\/Oracle\/Middleware\/asinst_1\/OUD\/config\/truststore $OUDINST\/Oracle\/Middleware\/asinst_1\/OUD\/config\/truststore-$CURRENTDATE<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-ROOT -file \/tmp\/ssl\/Win-Root-CA.b64.cer -keystore $OUDINST\/Oracle\/Middleware\/asinst_1\/OUD\/config\/truststore -keypass $WLSTOREPASS -storepass $WLSTOREPASS<br \/>\n$OUDINST\/java\/jdk\/bin\/keytool -import -v -trustcacerts -alias WIN-WEB -file \/tmp\/ssl\/Win-Web-CA.b64.cer -keystore $OUDINST\/Oracle\/Middleware\/asinst_1\/OUD\/config\/truststore -keypass $WLSTOREPASS -storepass $WLSTOREPASS<\/p>\n<p>mv \/tmp\/ssl\/${HOSTNAME%%.*}.jks $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks<\/p>\n<p># START THE LDAP SERVER AND check for errors \/ test<br \/>\n# Once the change is verified, remove the PFX file from \/tmp\/ssl &#8212; it contains the server&#8217;s private key<\/p>\n<p># Backout:<br \/>\n# Stop the LDAP server<br \/>\n# Set the new keystore aside first, then restore the dated backup (in the reverse order the backup would be overwritten)<br \/>\n# mv $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks \/tmp\/ssl\/${HOSTNAME%%.*}.jks<br \/>\n# mv $OUDINST\/Oracle\/Middleware\/$CURRENTDATE.jks $OUDINST\/Oracle\/Middleware\/${HOSTNAME%%.*}.jks<br \/>\n# Start the LDAP server<\/p>\n","protected":false},"excerpt":{"rendered":"<p># PRE-CHANGE VERIFICATION # There are two environment variables set to allow this to work: #\u00a0WLSTOREPASS=Wh@t3v3rY0uU53d # WLSTOREPASS is set to whatever is used for the keystore and truststore password # OUDINST=\/path\/to\/OUD\/installation (root into which both java and OUD were installed &#8212; if you are using an OS package # for java, your paths will 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[550,591,236],"class_list":["post-3237","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-oracle-unified-directory","tag-oud","tag-ssl"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3237"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3237\/revisions"}],"predecessor-version":[{"id":3239,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3237\/revisions\/3239"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}