

Configure an Oracle User Directory Connection Over SSL

You can configure a connection between the Policy Server and Oracle database to communicate over SSL. Be sure that the Oracle database is enabled for SSL before you configure the connection.

How the Policy Server connects to an Oracle Database over SSL

The following process describes how the connection is established between the Policy Server and the Oracle database over SSL:

  1. When the Policy Server makes a connection request, the Oracle database server presents its public certificate. The Policy Server can be configured to validate the authenticity of the certificate that the Oracle database server presents.

    Optionally, you can configure the Policy Server to communicate with an Oracle database over SSL without configuring the Policy Server to validate the certificate.

    Note: The Policy Server uses a trust store to validate the certificate authenticity. The trust store is either a single public certificate of the Certificate Authority (CA) or a PKCS12 trust store that contains a list of public certificates from trusted CAs. The public certificate is not password-protected, whereas the PKCS12 trust store is encrypted and password-protected.

  2. When the Oracle certificate matches a certificate in the trust store, an encrypted connection is established between the Policy Server and Oracle database. If the certificate does not match a certificate in the trust store, the connection fails and the Policy Server generates an error.

Configure SSL on Windows

You can configure the Policy Server to communicate with Oracle over SSL using the ODBC Data Source Administrator Console.

Follow these steps:

  1. Open the ODBC Data Source Administrator console.
  2. In the System DSN tab, select a DSN for your CA SiteMinder® Oracle database.
  3. Click Configure.

    The ODBC Oracle Wire Protocol Driver Setup dialog appears.

  4. Click the Security tab.
  5. Specify the following encryption parameters:
    Encryption Method

    Specifies the encryption method the Policy Server uses to encrypt data that is sent between the Policy Server and the Oracle database server.

    Default: 0 – No Encryption

    Required Value: 1 – SSL Auto

    Validate Server Certificate

    (Optional) Specifies that the Policy Server validates the authenticity of the certificate that the Oracle database server presents.

    Default: Selected

    To configure SSL without requiring the Policy Server to validate the authenticity of the certificate that the Oracle database presents, clear the selection.

    Trust Store

    Defines the path name of the trust store file. Specify this value when you require the Policy Server to validate the authenticity of the certificate that the Oracle database presents.

    Required Value: The trust store can either be the public certificate of the CA or a PKCS12 trust store that contains one or more certificates. The public certificate is a single certificate which is not password-protected. The PKCS12 trust store is password-protected.

    Trust Store Password

    Defines the password that is required to access the trust store.

    Host Name In Certificate

    Defines the hostname in the certificate. The hostname in the certificate must match the hostname that is used to connect to the Oracle database server. If the hostname does not match, the connection fails.

    Note: The Key Store, Key Store Password, and Key Password parameters are not applicable for this connection.

  6. Click OK.

Configure SSL on UNIX

Configure SSL for the Policy Server on UNIX to enable the Policy Server to communicate with Oracle over SSL.

Follow these steps:

  1. Edit the system_odbc.ini file using an editor. The system_odbc.ini file is located in the /nete_ps_root/db directory.
  2. Add the following parameters to the Oracle DSN that you want to connect over SSL:
    ValidateServerCertificate=0 or 1
    

    When you want to validate the Server Certificate, specify 1. When you do not want to validate the Server Certificate, specify 0.

    TrustStore=Path to the CA certificate or PKCS12 trust store
    TrustStorePassword=TrustStorePassword
    HostNameInCertificate=hostname.domain.com
    

    Example:

    ValidateServerCertificate=1
    TrustStore=/nete_ps_root/db/MyCAcert.cer
    TrustStorePassword=abcd
    HostNameInCertificate=mydbhost.abc.com

    To use a PKCS12 trust store instead of a single CA certificate, point TrustStore at the .p12 file, for example TrustStore=/nete_ps_root/db/MyCertTrustStore.p12. TrustStorePassword is required only for a PKCS12 trust store; a single CA certificate is not password-protected.

  3. Save and close the system_odbc.ini file.
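
As an added example that is not part of this documentation or of the SiteMinder product, the following Python script audits the SSL parameters of each Oracle DSN in a system_odbc.ini file against the rules given in this procedure: ValidateServerCertificate must be 1, a TrustStore must be named, a PKCS12 trust store also needs TrustStorePassword, and HostNameInCertificate must be set. The DSN names and file paths in the embedded sample are constructed for illustration; audit_ini_file() can be pointed at the real /nete_ps_root/db/system_odbc.ini.

```python
"""Audit the SSL settings of Oracle DSNs in a SiteMinder system_odbc.ini file.

Added example, not part of the CA SiteMinder documentation or product. It reads
the four parameters the UNIX procedure adds to a DSN and reports settings that
leave the Policy Server unable to validate the Oracle server certificate.
"""
import configparser
import os
from typing import Dict, List, Mapping

# Constructed sample of a system_odbc.ini fragment. The DSN names and file paths
# are assumptions made for this example, not values from the product.
SAMPLE_ODBC_INI = """\
[SiteMinder Oracle Weak]
ValidateServerCertificate=0
HostNameInCertificate=

[SiteMinder Oracle No Password]
ValidateServerCertificate=1
TrustStore=/nete_ps_root/db/MyCertTrustStore.p12
HostNameInCertificate=mydbhost.abc.com

[SiteMinder Oracle Hardened]
ValidateServerCertificate=1
TrustStore=/nete_ps_root/db/MyCertTrustStore.p12
TrustStorePassword=abcd
HostNameInCertificate=mydbhost.abc.com
"""

PKCS12_SUFFIXES = (".p12", ".pfx")


def audit_dsn(dsn: Mapping[str, str], check_files: bool = False) -> List[str]:
    """Return the findings for one DSN section (an empty list means OK).

    The checks follow the documented behaviour: with ValidateServerCertificate=1
    the driver compares the server certificate against the trust store and the
    hostname against HostNameInCertificate; a PKCS12 trust store additionally
    needs TrustStorePassword because it is password-protected.
    """
    findings = []
    validate = dsn.get("ValidateServerCertificate", "").strip()
    if validate != "1":
        findings.append(
            "ValidateServerCertificate is %r: the Oracle server certificate is "
            "not validated, so any certificate is accepted" % (validate or "unset",)
        )
        return findings  # the remaining parameters only matter when validating

    trust_store = dsn.get("TrustStore", "").strip()
    if not trust_store:
        findings.append("TrustStore is unset: there is nothing to validate the certificate against")
    else:
        is_pkcs12 = trust_store.lower().endswith(PKCS12_SUFFIXES)
        if is_pkcs12 and not dsn.get("TrustStorePassword", "").strip():
            findings.append("TrustStore is a PKCS12 file but TrustStorePassword is unset")
        if check_files and not os.path.isfile(trust_store):
            findings.append("TrustStore file %s does not exist" % trust_store)

    if not dsn.get("HostNameInCertificate", "").strip():
        findings.append(
            "HostNameInCertificate is unset: the certificate hostname is not "
            "checked against the database host"
        )
    return findings


def audit_ini_text(text: str, check_files: bool = False) -> Dict[str, List[str]]:
    """Audit every DSN section in system_odbc.ini content; map DSN name -> findings."""
    # Keep parameter names in their original case and disable '%' interpolation
    # so a password containing '%' is read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: audit_dsn(parser[name], check_files) for name in parser.sections()}


def audit_ini_file(path: str) -> Dict[str, List[str]]:
    """Audit a real system_odbc.ini, e.g. /nete_ps_root/db/system_odbc.ini."""
    with open(path, encoding="utf-8") as fh:
        return audit_ini_text(fh.read(), check_files=True)


if __name__ == "__main__":
    for dsn_name, issues in audit_ini_text(SAMPLE_ODBC_INI).items():
        status = "OK" if not issues else "%d finding(s)" % len(issues)
        print("[%s] %s" % (dsn_name, status))
        for issue in issues:
            print("    - " + issue)
```

A DSN with ValidateServerCertificate=0 still encrypts the connection, but it accepts whatever certificate the server presents; that is the same distinction the Validate Server Certificate check box makes in the Windows procedure, so the audit treats it as the first thing to report and only checks the trust store and hostname parameters once validation is enabled.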