This is something that has come up more and more in integrations I have been doing recently, and it isn't easily found in the Oracle documentation. A client's LDAP server is SSL-protected (LDAPS) and they want to use that directory for authentication in their Oracle BI implementation. The steps to configure SSL for LDAP are shown below. Two separate trust stores are involved: the one WebLogic Server uses for the authentication provider, and the one the identity virtualization layer (libOVD) uses when Oracle BI itself authenticates users. Both need the LDAP server's root CA certificate.

  • Configure the LDAP Authentication provider in the WebLogic Server Administration Console. Make sure you select SSLEnabled on the Configuration > Provider Specific page, and that the host and port point at the directory's LDAPS listener (port 636 by default), not the plain LDAP port.

(Screenshot: Connecting WebLogic Server - Configure the LDAP Authentication provider)

  • Obtain the root certificate authority (CA) certificate for the LDAP server, i.e. the root of the chain that issued the server's certificate. Import the root CA rather than the server (leaf) certificate, so that trust survives a server certificate renewal; if the server certificate is self-signed, that certificate is the root.
  • Create a trust keystore, or import the certificate into an existing one. For example, the following keytool command imports the LDAP root certificate into the OBIEE default trust store "cacerts" (the JDK's cacerts, whose well-known default password is "changeit"; values in angle brackets are placeholders):
  • keytool -import -keystore cacerts -alias <alias> -file <root-cert-file>
  • To verify the certificate has imported correctly, use the following keytool command and check that the fingerprint matches the certificate you exported from the directory: keytool -list -v -alias <alias> -keystore cacerts
  • Copy the keystore to a location from which WebLogic Server has access.
  • Start the WebLogic Server Administration Console and navigate to the server-name > Configuration > Keystores page, where server-name is the WebLogic Server instance for which you are configuring this keystore.
  • Keep all the other paths as they are. ONLY change Custom Trust Keystore to the path and file name of the trust keystore created above.

(Screenshot: WebLogic Server LDAP - change Custom Trust Keystore)

  • In Custom Trust Keystore Type, enter jks.
  • In Custom Trust Keystore Passphrase, enter the password used when creating the keystore.
  • Reboot the WebLogic Server instance for changes to take effect.

You should now see users from the LDAP server appearing in the WebLogic Administration Console (under Security Realms > myrealm > Users and Groups).

The directions above only get the users into the WebLogic console. If one of those users attempts to log in to Oracle BI, they will see an SSL binding error, because BI authenticates through the identity virtualization layer (libOVD), which does not read WebLogic's trust keystore. To resolve this you will need to put the same LDAP server root certificate into the additional keystore used by libOVD, as follows.

  • Set environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.

For example (on Windows; the paths below are relative to your Middleware home directory):

set ORACLE_HOME=\Oracle_BI1

set WL_HOME=\wlserver_10.3

set JAVA_HOME=\Oracle_BI1\jdk

  • Set up the keystore by running libovdconfig.sh (on UNIX) or libovdconfig.bat (on Windows) with the -createKeystore option.

For example, on UNIX, open a shell prompt and change directory to /oracle_common/bin under your Middleware home. Then run the following command, which prompts for the Oracle Business Intelligence administrator password (-host, -port and -username refer to the WebLogic Admin Server and its administrative user; values in angle brackets are placeholders):

./libovdconfig.sh -host <admin-server-host> -port <admin-server-port> -username <admin-user> -domainPath /user_projects/domains/bifoundation_domain -createKeystore

On Windows the equivalent script is:

\oracle_common\bin\libovdconfig.bat

  • When prompted, enter the Oracle Business Intelligence administrator password, and then the OVD Keystore password (a new password of your choosing that will protect the keystore file created by the -createKeystore command). Keep it safe: you will need it for the import below.
  • Once this command runs, you should see two new credentials in the Credential Store and a new keystore file called adapters.jks under \user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores.

(Screenshot: WebLogic Server LDAP - new credentials in the Credential Store)

  • Export the root certificate from the LDAP directory (the same root CA certificate you imported into the WebLogic trust keystore earlier).
  • Import the root certificate into the libOVD keystore using the keytool command (values in angle brackets are placeholders). Note that -storepass puts the keystore password on the command line, where it lands in shell history and is visible in the process list; omit the option and let keytool prompt for it if that matters in your environment:

\Oracle_BI1\jdk\bin\keytool -import -keystore \user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass <ovd-keystore-password> -alias <alias> -file <root-cert-file>

  • Restart the WebLogic Server instances and the BI system components.

You should now be able to log in to Oracle BI with users from the LDAP server.
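Both import steps above end with "verify with keytool -list", and the failure mode of this whole procedure is the root CA landing in one trust store but not the other. The following Python script is an added example (mine, not code from the original post or from Oracle's tooling): it reads JKS files directly, following the layout and SHA-1 integrity digest of Sun's JavaKeyStore format, so WebLogic's cacerts and libOVD's adapters.jks can be audited together for the LDAP root CA by SHA-256 fingerprint, without a JDK on the box doing the checking. It handles JKS only (not PKCS12). The certificate bytes, aliases, store names and the "ovd-keystore-pw" password in the sample scenario are constructed placeholders; "changeit" is the JDK's well-known default cacerts password.

```python
"""Audit JKS trust stores for the LDAP root CA (added example, not from the page)."""
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # constant string in Sun's JKS integrity digest


def _utf(s: bytes) -> bytes:
    """Java DataOutput.writeUTF(): 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def _integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE(password) || "Mighty Aphrodite" || keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def write_jks(trusted: dict, password: str, ts_ms: int = 0) -> bytes:
    """Serialise {alias: der} as a JKS holding only trusted-certificate entries."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted))
    for alias, der in trusted.items():
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias.encode("utf-8"))
        body += struct.pack(">Q", ts_ms)  # creation time, milliseconds since epoch
        body += _utf(b"X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)


def read_jks(data: bytes, password=None) -> dict:
    """Parse a JKS and return {alias: der} for its trusted-certificate entries.
    Private-key entries are skipped: their chains are identity, not trust anchors.
    With a password, the trailing SHA-1 integrity digest is checked first."""
    if password is not None:
        body, digest = data[:-20], data[-20:]
        if _integrity_digest(password, body) != digest:
            raise ValueError("integrity check failed: wrong password or tampered file")
    pos = 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals[0] if len(vals) == 1 else vals

    def take_bytes(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def take_cert():
        ctype = take_bytes(take(">H")).decode("utf-8")
        if ctype != "X.509":
            raise ValueError(f"unsupported certificate type {ctype!r}")
        return take_bytes(take(">I"))

    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    trusted = {}
    for _ in range(count):
        tag = take(">I")
        alias = take_bytes(take(">H")).decode("utf-8")
        take(">Q")  # creation timestamp, not needed here
        if tag == TRUSTED_CERT:
            trusted[alias] = take_cert()
        elif tag == PRIVATE_KEY:
            take_bytes(take(">I"))  # password-protected key blob
            for _ in range(take(">I")):
                take_cert()
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return trusted


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def audit(stores: dict, root_der: bytes) -> dict:
    """For {name: (jks_bytes, password)}, list the aliases under which root_der is trusted.
    An empty list for either WebLogic's trust store or libOVD's adapters.jks means
    that component will still fail the LDAPS handshake."""
    fp = sha256_fingerprint(root_der)
    return {name: [a for a, der in read_jks(data, pw).items() if sha256_fingerprint(der) == fp]
            for name, (data, pw) in stores.items()}


# Constructed placeholders standing in for DER-encoded certificates (not real certs).
SAMPLE_ROOT_DER = b"\x30\x82\x01\x00" + b"constructed-ldap-root-ca"
OTHER_DER = b"\x30\x82\x01\x00" + b"constructed-unrelated-ca"


def build_sample_stores() -> dict:
    """Constructed scenario: cacerts got the LDAP root, adapters.jks did not."""
    return {
        "cacerts": (write_jks({"ldap-root": SAMPLE_ROOT_DER, "other": OTHER_DER}, "changeit"), "changeit"),
        "adapters.jks": (write_jks({"other": OTHER_DER}, "ovd-keystore-pw"), "ovd-keystore-pw"),
    }


if __name__ == "__main__":
    for store, aliases in audit(build_sample_stores(), SAMPLE_ROOT_DER).items():
        print(f"{store}: {'trusted as ' + ', '.join(aliases) if aliases else 'LDAP root MISSING'}")
```

To audit the real files, replace build_sample_stores() with the bytes read from disk, e.g. audit({"cacerts": (open(cacerts_path, "rb").read(), "changeit"), "adapters.jks": (open(adapters_path, "rb").read(), ovd_password)}, root_der), where root_der is the DER encoding of the exported root certificate (convert a PEM export with openssl x509 -outform DER first). The fingerprint comparison is done on the raw DER bytes, so it is exactly the SHA-256 fingerprint keytool -list -v prints for the entry.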

Resources

http://docs.oracle.com/cd/E21764_01/web.1111/e13707/atn.htm#BABDBHAA

http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/ssl.htm#CIHJHHCA