Previous Topic: How to Configure an LDAP User Directory Connection over SSLNext Topic: LDAP Load Balancing and Failover


Configure an Oracle User Directory Connection Over SSL

CA SiteMinder® lets you configure the connection between the Policy Server and Oracle database to communicate over SSL.

Note: A prerequisite for this communication is that the Oracle database must be enabled for SSL. For more information about enabling the database for SSL, see the Oracle documentation.

How the Policy Server connects to an Oracle Database over SSL

The following process describes how the connection is established between the Policy Server and the Oracle database over SSL:

  1. When the Policy Server makes a connection request, the Oracle database server presents its public certificate. The Policy Server can be configured to validate the authenticity of the certificate that the Oracle database server presents.

    Optionally, you can configure the Policy Server to communicate with an Oracle database over SSL without configuring the Policy Server to validate the certificate.

    Note: The Policy Server uses a trust store to validate the certificate authenticity. The trust store can either be a single public certificate of the Certificate Authority (CA) or a PKCS12 trust store that contains a list of public certificates from trusted CAs. The public certificate is not password-protected, whereas, the PKCS12 trust store is encrypted and password-protected.

  2. If the certificate that the Oracle database server presents matches a certificate in the trust store, an encrypted connection is established between the Policy Server and Oracle database. If the certificate that does not match a certificate in the trust store, the connection fails and the Policy Server generates an error.
Configure SSL on Windows

You can configure the Policy Server to communicate with Oracle over SSL using the ODBC Data Source Administrator Console.

Follow these steps:

  1. Open the ODBC Data Source Administrator console.
  2. In the System DSN tab, select a DSN for your CA CA SiteMinder® Oracle database.
  3. Click Configure.

    The ODBC Oracle Wire Protocol Driver Setup dialog appears.

  4. Click the Security tab.
  5. Specify the following encryption parameters:
    Encryption Method

    Specifies the encryption method the Policy Server uses to encrypt data that is sent between the Policy Server and the Oracle database server.

    Default: 0 – No Encryption

    Required Value: 1 – SSL Auto

    Validate Server Certificate

    (Optional) Specifies that the Policy Server validates the authenticity of the certificate that the Oracle database server presents.

    Default: Selected

    To configure SSL without requiring the Policy Server to validate the authenticity of the certificate that the Oracle database presents, clear the selection.

    Trust Store

    Defines the path name of the trust store file. Specify this value only if you require the Policy Server to validate the authenticity of the certificate that the Oracle database presents.

    Required Value: The trust store can either be the public certificate of the CA or a PKCS12 trust store that contains one or more certificates. The public certificate is a single certificate which is not password-protected. The PKCS12 trust store is password-protected.

    Trust Store Password

    Defines the password that is required to access the trust store.

    Host Name In Certificate

    Defines the hostname in the certificate. The hostname in the certificate must match the hostname that is used to connect to the Oracle database server. If the hostname does not match, the connection fails.

    Note: The Key Store, Key Store Password, and Key Password parameters are not applicable for this connection.

  6. Click OK.
Configure SSL on UNIX

Configure SSL for the Policy Server on UNIX to enable the Policy Server to communicate with Oracle over SSL.

Follow these steps:

  1. Edit the system_odbc.ini file using an editor. The system_odbc.ini file is located in the /nete_ps_root/db directory.

    Note: For more information about the system_odbc.ini file, see the Policy Server Installation Guide.

  2. Add the following parameters to the Oracle DSN that you want to connect over SSL:

    Note: For more information about the parameters, see Configure SSL on Windows.

    ValidateServerCertificate=0 or 1
    

    Note: Specify 1, if you want to validate the Server Certificate. Specify 0, if you do not want to validate the Server Certificate.

    TrustStore=Path to the CA certificate or PKCS12 trust store
    TrustStorePassword=TrustStorePassword
    HostNameInCertificate=hostname.domain.com
    

    Example:

    ValidateServerCertificate=1
    TrustStore=\nete_ps_root\db\MyCAcert.cer or 
                \nete_ps_root\db\MyCertTrustStore.p12
    TrustStorePassword=abcd
    HostNameInCertificate=mydbhost.abc.com
    
  3. Save and close the system_odbc.ini file.