SERVER 2012 R2 STANDARD X509 CERTIFICATES EXPORT TO ORACLE FOR SINGLE SIGN ON

  • Question

  • Hi all, running a server 2012 R2 standard with just AD installed. I need to be able to export my X509 certs to an Oracle system as part of a Single Sign On (SSO) solution. I do not have the server configured as a Certificate Authority and ADFS is not installed. The question is, would I be able to export the X509 Username attribute/User filter attribute and Certificate mapping information to Oracle without enabling CA or ADFS on my server?

    Thank you in advance for any assistance! I am well versed in several Server OS but not in Oracle and also not in SSO.

    
    Tuesday, August 16, 2016 1:48 PM

Answers

  • As long as it adheres to the basic principles of X.509, it would work. You would need the whole cert chain, that is the root certificate and the intermediate certificate, all in one file. If you are using an internal certificate that is a self-signed certificate, CRL validation might be a problem, especially if your app is accessed over a browser. If it is a CA-generated cert, then the CA CRL and AIA paths must be accessible either over HTTP, UNC, FTP or LDAP.

    If it is a public CA cert, then the cert would be accessible anywhere; your problems are quite a bit less.

    • Proposed as answer by Alvwan Monday, August 29, 2016 9:19 AM
    • Marked as answer by Alvwan Friday, September 2, 2016 8:11 AM
    Tuesday, August 23, 2016 7:28 AM

All replies

  • Hi,

    Thanks for your post.

    Generally, to export the CA certificate on the Active Directory server, we should have a certificate authority (CA) installed.

    Regarding your situation, the article below may be helpful to you:

    How to: Use the X.509 Certificate Management Tools

    https://msdn.microsoft.com/en-us/library/ms819944.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 17, 2016 7:25 AM
  • How is the SSO going to work with Oracle: LDAPS, Kerberos, or Web SSO? This needs more clarity.

    "I need to be able to export my X509 certs to an Oracle system as part of a Single Sign On (SSO) solution." Which certificate: the CA certificate, user certificates mapped to user accounts in AD, or the LDAPS server auth certificate?

    Wednesday, August 17, 2016 9:14 AM
  • Hi,

    Maybe you could contact Oracle support team to get more information about SSO part with Oracle system as we have less experience with Oracle system.

    Thanks for your understanding.

    Best Regards,

    Alvin Wang



    Friday, August 19, 2016 9:11 AM
  • Thank you for your quick response. We do not have CA or ADFS enabled, but if there is no other recourse we will do so. Is there no other way to get WebLogic to recognize the X.509 certificate attribute and the certificate mapping? One additional note: it looks like SSL is not checked in WebLogic, and I am very sure that it must be.

    
    Monday, August 22, 2016 1:54 PM
  • The SSO only extends to WebLogic. All we need in WebLogic is the user filter attribute set, the user certificate and the certificate mapping. Is generating a self-signed certificate with IIS not an option? In WebLogic there is the ability to import a self-signed certificate.

    Thank you!

    Monday, August 22, 2016 2:02 PM
  • I have already used the MMC snap-in. That was our natural first step.
    Monday, August 22, 2016 2:03 PM
  • Oracle Weblogic will authenticate utilizing LDAP and X.509
    Monday, August 22, 2016 2:28 PM
  • Oracle WebLogic supports SSO with ADFS:

    https://blogs.oracle.com/blogbypuneeth/entry/steps_to_configure_saml_sso

    but that is not your question.

    You have stated this:

    "Oracle Weblogic will authenticate utilizing LDAP and X.509", which means it would bind with LDAPS, with a certificate hosted on a Domain Controller on port 636, most likely.

    If a user certificate mapping is to be used for authentication against the LDAP server, then that needs to be done on WebLogic or on the web server which would be hosting the app.

    This is still not clear.

    If the question is about importing a certificate into WebLogic, then you need to use openssl to convert the .pfx file into a .pem, .cer or .jks file with a separate key file:

    https://www.digicert.com/ssl-support/jks-import-export-java.htm

    I am sorry, but I am still not able to understand what exactly you need.

    Monday, August 22, 2016 3:20 PM
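The two practical points in this thread, the accepted answer's "whole chain in one file, and the CRL/AIA paths must be reachable" and the reply above about converting the .pfx with openssl, as one added example. This script is not from the thread, from Oracle or from Microsoft; it assumes only a POSIX shell and `openssl` on the PATH (and `keytool` optionally, for the JKS step). It issues a throwaway root, intermediate and user certificate in a scratch directory, assembles the chain, shows that path validation passes but revocation checking fails when the CRL cannot be fetched, and then splits a .pfx (what the Windows certificate export or `Export-PfxCertificate` produces) into a PEM chain and a separate key file. The CNs, the `pki.example.test` URLs, the UPN `jdoe@corp.example` and the password are all made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes only `openssl` is installed.
# All hostnames, names and the password below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for generated files
PFX_PASS="changeit"            # constructed export password, demo only

# Issue a throwaway chain: self-signed root -> intermediate -> user (client) cert.
# The intermediate and user certs carry CRL DP / AIA URLs on a host that does not
# exist, which is exactly the "CRL validation might be a problem" case.
make_test_chain() ( cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile root.ext 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Issuing CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' \
    'crlDistributionPoints=URI:http://pki.example.test/root.crl' \
    'authorityInfoAccess=caIssuers;URI:http://pki.example.test/root.crt' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -out int.pem -days 2 -extfile int.ext 2>/dev/null

  # User cert: the UPN in the SAN is the attribute AD-style certificate mapping keys on.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=jdoe" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' \
    'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@corp.example,email:jdoe@corp.example' \
    'crlDistributionPoints=URI:http://pki.example.test/int.crl' \
    'authorityInfoAccess=caIssuers;URI:http://pki.example.test/int.crt' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -out leaf.pem -days 2 -extfile leaf.ext 2>/dev/null
)

# The whole chain in one PEM file: leaf first, root last (the order chain importers expect).
build_chain_file() { cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"; }
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# "yes" when issuer == subject, i.e. the cert is self-signed and has no CRL issuer above it.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//')
  i=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[^=]*=//')
  [ "$s" = "$i" ] && echo yes || echo no
}

# Every CRL DP / AIA URL in the chain file; each must be reachable from the validating client.
list_revocation_urls() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -text -noout \
    | grep -o 'URI:[^[:space:]]*' | sort -u
}

# Plain path validation passes; adding revocation checking fails ("unable to get certificate CRL")
# because nothing can fetch http://pki.example.test/... That is the browser-facing failure mode.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
verify_chain_crl_check() {
  if openssl verify -crl_check_all -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Windows hands you a .pfx; split it into a PEM cert chain and a separate, unencrypted key (0600).
make_pfx() {
  openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" -certfile "$WORK/int.pem" \
    -name jdoe -out "$WORK/jdoe.pfx" -passout "pass:$PFX_PASS"
}
pfx_to_pem() {
  openssl pkcs12 -in "$WORK/jdoe.pfx" -passin "pass:$PFX_PASS" -nokeys -out "$WORK/pfx-certs.pem"
  ( umask 077; openssl pkcs12 -in "$WORK/jdoe.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes -out "$WORK/pfx-key.pem" )
}
# Optional: the same .pfx as a JKS, if a JDK is present (otherwise skipped).
pfx_to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS"; return 0; }
  keytool -importkeystore -srckeystore "$WORK/jdoe.pfx" -srcstoretype PKCS12 -srcstorepass "$PFX_PASS" \
    -destkeystore "$WORK/jdoe.jks" -deststoretype JKS -deststorepass "$PFX_PASS" -noprompt
}

# The subject the certificate-to-user mapping will see.
leaf_subject() { openssl x509 -in "$WORK/leaf.pem" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//'; }

demo() {
  make_test_chain; build_chain_file; make_pfx; pfx_to_pem; pfx_to_jks
  echo "certs in chain.pem: $(count_certs "$WORK/chain.pem")"
  echo "root self-signed: $(is_self_signed "$WORK/root.pem"); leaf self-signed: $(is_self_signed "$WORK/leaf.pem")"
  echo "path validation: $(verify_chain); with CRL checking: $(verify_chain_crl_check)"
  echo "revocation URLs that must be reachable:"; list_revocation_urls "$WORK/chain.pem"
  echo "subject for certificate mapping: $(leaf_subject)"
  echo "output files in $WORK"
}
demo
```

Run it as `sh x509-chain.sh`; point `WORK` at a directory you want to keep. The self-signed check is the answer's caveat in code: a self-signed user certificate has nobody above it to publish a CRL, so any client that insists on revocation checking will reject it, while a CA-issued certificate only works if the CRL DP and AIA URLs it carries are resolvable from wherever WebLogic (or the browser) runs.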
  • I agree with you that WebLogic would import the certificate (in this case it's a DER) and the certificate mapping must be set correctly in WebLogic in order to access the LDAP bind information. My question is simply this: will a certificate generated either in .pem, .cer or .pfx be sufficient for WebLogic to recognize it even though it was not generated by a CA? We can convert the certs from a p7b to an X.509 already. Conversion is not the issue, unless the conversion utilizing openssl somehow creates a self-signed certificate. The issue is the certificate itself.

    Thank you!

    Monday, August 22, 2016 5:38 PM