8 Changing Transport Security Modes

Setting up transport security is the subject of this chapter and is one of the administrative tasks that is common to both the Identity System and the Access System.

This chapter contains the following topics:

• About Transport Security Modes

• Changing Transport Security for the Identity System

• Changing Transport Security Modes for the Access System

• Transport Security Changes for Directory Servers

• Changing Transport Security Passwords

• Importing Multiple CA Certificates

• Changing Access Server Security Password

8.1 About Transport Security Modes

A transport security mode is a method to protect communication between two points, such as a client and a server. To ensure protection, communication can be encrypted with a certificate authority (CA).

Oracle Access Manager offers the following three transport security modes for communication between components, as discussed in greater detail in the Oracle Access Manager Installation Guide:

• Open: Communication is not encrypted for protection. Use this mode when security is not an issue; for example, when testing communications between an AccessGate and the Access Server, as long as you consider your network secure. Open is the default setting.

• Simple: Communication is encrypted with Oracle Access Manager's internal CA. Simple mode encrypts communications using Transport Layer Security, RFC 2246 (TLS v1). The default value for the validity period of Simple transport security mode certificates is 365 days.This mode is less secure than Cert mode. Use this mode if you have some security concerns but do not want to manage your own CA. For more information, see "Simple Transport Security Mode Expires After One Year".

• Cert: Communication is encrypted with an external CA. With Cert mode, communications are encrypted using TLS v1. In addition, each element, both client and server, must present an X.509 certificate (in base64 format) when establishing a connection. The certificate must be provided by you, perhaps from a third-party CA.

Note:

As of version 7.0, the default certificate store format and name has changed from cert7.db to cert8.db. When you upgrade from a version earlier than version 7.0, you continue to use the old certificate store (cert7.db).

When you run the configureAAAServer, setup_ois, or setup_accessmanager utilities, the certificate store format and name is automatically modified to cert8.db. version 7.0 and higher versions work with both the cert7.db (upgraded environments) and cert8.db (new installations) certificate store. On UNIX systems, you use the following tools: start_configureAAAServer, start_setup_ois, start_setup_access_manager.

Note:

All command line utilities and tools must be run as the user who installed the product, as described in the Oracle Access Manager Installation Guide. Oracle recommends that you do not attempt to change ownership or permissions on files after installation.

The following two transport security modes are used for communication between a Oracle Access Manager component and the directory server:

• Open: Directory server communication is not encrypted for protection. Use this mode when security is not an issue; for example, when testing communications between an AccessGate and the Access Server, as long as you consider your network secure. Open is the default setting.

• SSL: Directory server communication using SSL.

Specifying transport security is part of the installation process. See the differences when installing the Identity System or Access System, in Table 8-1.

Table 8-1 Specifying a Security Mode During Installation

Identity System

Access System

Install the Identity Server component. Specify the transport security mode used to communicate with WebPass. Install the WebPass component. Specify the transport security mode used to communicate with the Identity Server.

Install Policy Manager. Specify the transport security mode used to communicate with the Access Server. Create an Access Server instance in the Access System Console. Specify the transport security mode used to communicate with the Policy Manager. Define a WebGate instance in the Access System Console. Specify the transport security mode used to communicate with the Access Server. Install the Access Server component. Configure the transport security mode to communicate with WebGate. Install the WebGate component. Configure the transport security mode to communicate with Access Server.

See also:

See the Oracle Access Manager Installation Guide for more information on installing components.

8.1.1 Transport Security Mode Between Components

Transport security can be configured between the following components:

• Identity System: Transport security between all Identity Servers and WebPass instances must match: either all open, all Simple mode, or all Cert.

• Access System: Transport security among all Policy Managers, Access Servers, and associated WebGates must match: either all open, all Simple mode, or all Cert.

Access Cache Flushing Caveat: When access cache flushing is enabled on the Identity Server, the Identity Server communicates with the Access Server. In this case, the transport security mode among all five of the following components must be in the same mode.

• Identity Servers and WebPass instances

• Policy Managers, Access Servers, and associated WebGates

For details about managing caches, see both Managing Caches of this manual and Oracle Access Manager Access Administration Guide. For more information on caching, see the Oracle Access Manager Deployment Guide.

If you need to change the transport security mode after installation, you can change the security mode in the System Console:

Identity System (WebPass and Identity Server): You select a transport security mode for WebPass and Identity Server instances in the Identity System Console. Decide on the type of transport security mode you want to use before you configure WebPass and Identity Server instances. Again, transport security among all components must match. They must all be open, simple, or cert.

Access System (Policy Manager, AccessGate, and Access Server): You select a transport security mode for the Access System when configuring AccessGate and Access Server instances in the Access System Console. Decide on the type of transport security mode you want to use before you configure the AccessGate and Access Server instances. Again, transport security among all Access System components must match: either all open, all simple mode, or all cert.

After changing the mode in the System Console, follow the process described in:

• "Transport Security Mode Changes for the Access System"

• "Transport Security Changes for Directory Servers"

You may change the security mode between a component and the Directory server after installation:

Identity or Access Server and the Directory Server: Transport security between the directory server and an Identity or Access Server can be in Open or SSL mode. You specify this transport security mode during installation. If you select SSL, you also specify the location of the SSL certificate. The directory server is automatically updated with the specified security mode information.

When configuring SSL for the directory server, note that Oracle Access Manager supports server authentication only. Client authentication is not supported. Oracle Access Manager verifies the server certificate against the Root CA certificate that you imported during product setup.

The Policy Manager is a Web component that reads from and writes to the directory server. You also specify transport security between the Policy Manager and directory server. Figure 8-1 illustrates the supported transport security modes between Oracle Access Manager Web components and servers, and Oracle Access Manager components and the directory server.

Figure 8-1 Transport Security Modes

You can share directory profiles for all components running in SSL mode, even if these components were initially configured in different modes. For example, suppose the Identity Server and Access Server were installed in open mode with the directory, and the Policy Manager was installed with SSL enabled for the directory server. In this case, the cert8.db and key3.db files must exist for each component that communicates with the directory server and must reside in the component_install_dir\identity|access\oblix\config directory. If these files do not exist, copy them from other existing component folders or run the genCert (Policy Manager) or other utilities to generate them, as described in this chapter.

8.1.2 About CA Certificates

This discussion explains the root certificate, request, and other certificate files.If you select the cert transport security mode between components during installation, you must create and install a root certificate. The root certificate file is a chain of certificates that is generated when you submit a certificate signing request, such as a CSR to a certificate authority. This request is in the form of an xxx_req.pem file. You store a root certificate as a file called xxx_chain.pem. You download the xxx_chain.pem file from the Certificate Server and store it in the following directory with the key and cert.pem files, then specify its location during product configuration:

Component_install_dir\identity|access\oblix\config

• Chain file (ois_chain.pem)

• Certificate file (ois_cert.pem)

• Key file (ois_key.pem) the installer may know where this is.

For most components, you install certificates during product setup. You install certificates in the Policy Manager using the genCert utility. The command for this utility is:

genCert -i <install Dir> -m <cert | simple> -P <password> -c <request | install> 

For example:

genCert -i c:\COREid\webcomponent\access\oblix\tools\gencert -m cert -P <password> -c install

You can save an approved certificate to any location that is accessible to the component installer. For example, you can save it to /oblix/config.

Note:

When using certificates generated by a subordinate CA, the root CA's certificate must be present in the xxx_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.

The certificate request for WebGate generates the certificate-request file aaa_req.pem. You must send this WebGate certificate request to a root CA that is trusted by the AAA server. The root CA returns the WebGate certificates, which can then be installed either during or after WebGate installation.

The following sections describe cert mode, and requesting and installing certificates.

8.2 Changing Transport Security for the Identity System

All Identity Servers and WebPass instances in your installation must run in the same transport security mode. If you specified different modes for different components during your installation, you must change them.

Task overview: Changing transport security for the Identity System

1. If you are changing to simple or cert mode, complete the process for certificate preparation.

2. Perform the steps in "To change the Identity Server transport security mode".

3. Perform the steps in "To change the WebPass transport security mode".

   Note:

   The WebPass and the Identity Server are not be able to communicate with each other until you have changed the transport security mode for both.

To change the Identity Server transport security mode

1. If you are changing to simple or cert mode, complete the certificate preparation process.

2. From the Identity System Console, click the System Configuration sub-tab, then click Identity Server in the left navigation pane.

3. Click the link for the server that you want to modify, then click Modify.

4. Click the appropriate button for the transport security mode of your choice.

   You can select Open, Simple, or Cert mode.

5. Click Save.

6. Restart the Identity Server.

To change the WebPass transport security mode

1. If you are changing to simple or cert mode, complete certificate preparation.

2. From the Identity System Console, click the System Configuration sub-tab, then click WebPass in the left navigation pane.

3. Select the WebPass you want to modify and click Modify.

4. Change the transport security mode

   You can select Open, Simple, or Cert mode.

5. Click Save.

6. Stop the WebPass, restart the Identity Server, then restart the WebPass.

8.2.1 Transport Security Mode Changes for the Identity System

When changing the transport security mode after installation, specify the new mode in the Identity System Console, then change the mode in the appropriate configuration files.

You repeat the steps shown in Table 8-2 as needed for each component.

Table 8-2 Transport Security Mode Changes for the Identity System

New Security Mode	Task Overview
Open	Specify Open mode in the Identity System Console (see "Changing Transport Security for the Identity System" for details).
Simple	Stop the Identity Server. Generate the certificate through Oracle Access Manager's internal CA (see "Changing to Simple Transport Security Mode" for details). Configure the mode in the Identity System Console (see "Changing Transport Security for the Identity System" for details). Restart the Identity Server.
Cert	Stop the Identity Server. Generate the certificate request (see "Changing to Cert Transport Security Mode" for details). Get the certificate approved through an external CA. Install the certificate (see "To install a certificate for Cert mode" for details). Configure the mode in the Identity System Console (see "Changing Transport Security for the Identity System" for details). Restart the Identity Server.

Note:

The clocks of computers running Identity System components must be synchronized, especially when the components are using open or cert mode. A difference of a few seconds is allowed as long as the Identity Server computer's clock is ahead of the WebPass computer's clock. Otherwise, certificate time stamps are invalid, and all requests are rejected. See the Oracle Access Manager Access Administration Guide for details about synchronizing system clocks.

8.2.2 Changing to Simple Transport Security Mode

To change to simple mode, you must first generate a certificate through Oracle Access Manager's internal CA. Depending on the component, you must use the relevant utility:

• Identity Server: setup_ois.exe utility on Windows (or start_setup_ois on UNIX), in IdentityServer_install_dir/identity/oblix/tools/setup.

• WebPass: setup_webpass.exe utility on Windows (or start_setup_webpass on UNIX), in WebPass_install_dir/identity/oblix/tools/setup.

To generate a certificate through the CA

1. Open a Command Prompt window and go to:

   IdentityServer_install_dir/identity/oblix/tools/setup

   where IdentityServer_install_dir is the directory in which the Identity Server is installed; and setup is the directory that contains the utility needed for this task.

2. Execute one of the following commands, depending on the component you are modifying.

   Table 8-3 Setup Commands

   Operating System	Commands
   UNIX	Identity Server: start_setup_ois -i IdentityServer_install_dir/identity -m WebPass: start_setup_webpass -i WebPass_install_dir/identity -m
   Windows	Identity Server: setup_ois.exe -i IdentityServer_install_dir\identity -m WebPass: setup_webpass.exe -i WebPass_install_dir\identity -mwhere WebPass_install_dir is the directory in which WebPass is installed.

   
   

   You are prompted to enter simple or cert mode.

3. Type simple and press Enter.

4. Specify and confirm the Global Pass Phrase.

   This password must be the same across all Identity Servers and WebPass instances within an installation.

5. Continue with "Changing Transport Security for the Identity System".

8.2.3 Changing to Cert Transport Security Mode

To change to cert mode, you must do the following after you install a Identity Server:

• Generate a certificate request to obtain a certificate from an external CA.

• Install the signed certificate after you receive it.

Depending on the component, you must use the relevant utility:

• Identity Server: setup_ois.exe utility on Windows (or start_setup_ois on UNIX), in IdentityServer_install_dir/identity/oblix/tools/setup.

• WebPass: setup_webpass.exe utility on Windows (or start_setup_webpass on UNIX), in WebPass_install_dir/identity/oblix/tools/setup.

To generate a certificate request for Cert mode

1. Open a Command Prompt window and change to:

   IdentityServer_install_dir/identity/oblix/tools/setup

   where IdentityServer_install_dir is the directory in which the Identity Server is installed; setup is the directory that contains the appropriate utility for the component.

2. Run one of the commands in Table 8-4

   Table 8-4 Identity System Request Certificate Commands

   Operating System	Commands
   UNIX	Identity Server: start_setup_ois -i IdentityServer_install_dir/identity -m WebPass: start_setup_webpass -i WebPass_install_dir/identity -m where WebPass_install_dir is the directory in which WebPass is installed.
   Windows	Identity Server: setup_ois.exe -i IdentityServer_install_dir\identity -m. WebPass: setup_webpass.exe -i WebPass_install_dir\identity -m where WebPass_install_dir is the directory in which WebPass is installed.

   
   

   You are prompted to enter simple or cert mode.

3. Type cert and press Enter.

4. Indicate that you are requesting a new certificate.

5. Enter information at the prompts for:

   • A two-letter country code (the default is US).

   • A state or province name.

   • Your city or other locality

   • An organization name (for example, your company)

   • An organizational unit name (for example, your department)

   • A common name (for example, your host name)

   • An email contact address

6. Press Enter.

   You see a message. For example, for the Identity Server certificate:

   "Your certificate request is in the file IdentityServer_install_dir/identity/oblix/config/ois_req.pem."

   The setup_ois utility creates two files in this directory: ois_key.pem, which contains your private key, and ois_req.pem.

7. Submit the ois_req.pem file to be signed by your Certificate Authority.

To install a certificate for Cert mode

1. Open a Command Prompt window and change to the appropriate directory. For example:

   IdentityServer_install_dir/identity/oblix/tools/setup

   where IdentityServer_install_dir is the directory in which the Identity Server is installed.

2. Run one of the commands in Table 8-5.

   Table 8-5 Identity System Install Certificate Commands

   Operating System	Commands
   UNIX	Identity Server: start_setup_ois -i IdentityServer_install_dir/identity -m WebPass: start_setup_webpass -i WebPass_install_dir/identity -m where WebPass_install_dir is the directory in which WebPass is installed.
   Windows	Identity Server: setup_ois.exe -i IdentityServer_install_dir\identity -m where IdentityServer_install_dir is the directory in which the Identity Server is installed WebPass: setup_webpass.exe -i WebPass_install_dir\identity -m where WebPass_install_dir is the directory in which WebPass is installed.

   
   

   You are prompted to enter simple or cert mode.

3. Type cert and press Enter.

4. Indicate that you are installing a certificate.

5. Specify the locations of the following files:

   ois_key.pem

   ois_cert.pem

   ois_chain.pem

   If you have installed certificates for an earlier Oracle Access Manager-generated request, use the default value for ois_key.pem when prompted.

   Note:

   When using certificates generated by a subordinate CA, the root CA's certificate must be present in the ois_chain.pem along with the subordinate CA certificate. Both certificates must be present to ensure appropriate verification and successful Identity System setup.

   Your certificate is installed.

6. Continue with "Changing Transport Security for the Identity System".

8.3 Changing Transport Security Modes for the Access System

Before you change the transport security mode for the AccessGate or Access Server, update the transport security modes for the components in the Access System Console. You cannot update the transport security mode for Policy Manager from the Access System Console. If you are changing from Open mode to another mode, follow the instructions in Table 8-2. If you are changing to Open mode, you need not change the mode for Policy Manager because the Policy Manager automatically detects that the other AccessGate and Access Server are working in Open mode.

To specify transport security mode for Access Server

1. In the Access System Console, navigate to Access System Configuration, Access Server Configuration.

2. Select the Access Server you want to change, and click Modify.

3. Select the appropriate radio button for transport security, and click Save.

4. Restart the Access Server.

To specify transport security mode for AccessGate

1. In the Access System Console, go to Access System Configuration, AccessGate Configuration.

2. Select the AccessGate you want to change, and click Modify.

3. Select the appropriate radio button for transport security, and click Save.

4. Restart the Web server hosting the AccessGate.

8.3.1 Transport Security Mode Changes for the Access System

You can change the transport security mode for Access System components after you have specified the changes in the Access System Console. The process of changing modes depends on the security mode to which you are changing. If you change an Access Server's security mode, you must change the security mode of all Policy Managers and AccessGates pointing to this Access Server to match the new security mode.If you change the security mode for one or more Access Servers, the Transport Security Mode Change Confirmation page may appear. This page notifies you of an incompatibility between the security modes used by the Access Server and one or more AccessGates.

Note:

Configure the Access Server security mode before you configure the mode for an AccessGate/WebGate and Policy Manager.

Table 8-6 lists the process that you follow for each security mode. Repeat these steps as necessary for each installed component.

Table 8-6 Transport Security Mode Changes for the Access System

New Security Mode	Task Overview
Open	Access Server: Move the appropriate directory or files to a new folder (see "Changing to Open Transport Security Mode" for details). Configure the Access Server instance in the Access System Console (see "To specify transport security mode for Access Server" for details). Run the configAAAServer program to specify the new mode. For details about using the ConfigureAAAServer Tool, see the Oracle Access Manager Access Administration Guide. AccessGate/WebGate: Move the appropriate directory or files to a new folder (see "Changing to Open Transport Security Mode" for details). Configure the AccessGate instance in the Access System Console (see "To specify transport security mode for AccessGate" for details). Run the configAccessGate or the configureWebGate program, as appropriate, to specify the new mode. To modify an AccessGate through the command line, see the Oracle Access Manager Access Administration Guide. Policy Manager: Restart the Web server on which the Policy Manager is installed.
Simple	Access Server: Move the appropriate directory or files to a new folder (see "Changing to Simple Transport Security Mode" for details). Configure the Access Server instance in the Access System Console (see "To specify transport security mode for Access Server" for details). Run the configAAAServer program to specify the new mode. For details about using the ConfigureAAAServer Tool, see theOracle Access Manager Access Administration Guide. AccessGate/WebGate: Move the appropriate directory or files to a new folder (see "Changing to Simple Transport Security Mode" for details). You do not need to do this if you are changing over from Open mode. Configure the new mode for the AccessGate instance in the Access System Console (see "To specify transport security mode for AccessGate" for details). Run the configAccessGate or the configureWebGate program, as appropriate, to specify the new mode. To modify an AccessGate through the command line, see the Oracle Access Manager Access Administration Guide. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed; gencert is the directory containing the gencert utility.
Cert	Access Server: Move the appropriate directory or files to a new folder (see "Changing to Cert Transport Security Mode" for details). Configure the Access Server instance in the Access System Console (see "To specify transport security mode for Access Server" for details). Run the configAAAServer program to specify the new mode. For details about using the ConfigureAAAServer Tool, see the Oracle Access Manager Access Administration Guide. AccessGate/WebGate: Move the appropriate directory or files to a new folder (see "Changing to Cert Transport Security Mode" for details). You do not need to do this if you are changing over from Open mode. Configure the new mode for the AccessGate instance in the Access System Console (see "To specify transport security mode for AccessGate" for details). Run the configAccessGate or the configureWebGate program, as appropriate, to generate the certificate request and install the certificate. To modify an AccessGate through the command line, see the Oracle Access Manager Access Administration Guide. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed; gencert is the directory containing the gencert utility.

8.3.2 Changing to Open Transport Security Mode

To change transport security mode from Simple or Cert to Open, run the appropriate configuration program. Depending on the component, you must use:

• Access Server: configureAAAServer on Windows (or start_configureAAAServer on UNIX), in AccessServer_install_dir/access/oblix/tools/configureAAAServer.

• WebGate: configureWebGate on Windows (or start_configureWebGate on UNIX), in WebGate_install_dir/access/oblix/tools/configureWebGate.

• Policy Manager: gencert in PolicyManager_install_dir/access/oblix/tools/gencert

To change to Open security mode

1. Move the following directory to a new folder:

   component_install_dir/access/oblix/config/simple (if in Simple mode)

   or

   component_install_dir/access/oblix/config/*.pem and password.xml (if in Cert mode)

   where component_install_dir is the directory in which the Access System components are installed. For example, the Policy Manager or Access Server or WebGate.

   This saves a previous configuration in case you want to revert to it.

2. Execute one of the commands in Table 8-7.

   Table 8-7 Access System Commands: Change to Open Mode

   Operating System	Commands
   UNIX	Access Server: start_configureAAAServer reconfig AccessServer_install_dir/access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: start_configureAccessGate -i AccessGate_install_dir/access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. Note: If you are using Linux NPTL with Oracle Access Manager, see "NPTL Requirements and Post-Installation Tasks". WebGate: start_configureWebGate -i WebGate_install_dir/access -t WebGate -Rwhere WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir/access/oblix/tools/gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.
   Windows	Access Server: configureAAAServer.exe reconfig AccessServer_install_dir\access -Rwhere AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: configureAccessGate.exe -i AccessGate_install_dir\access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. WebGate: configureWebGate.exe -i WebGate_install_dir\access -t WebGate -Rwhere WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.

   
   

8.3.3 Changing to Simple Transport Security Mode

To implement Simple mode, you do not need to request or install a certificate from an external CA. Oracle Access Manager ships with its own internal CA.

To change to Simple security mode

1. Move the following files to a new folder:

   AccessSystem_install_dir/access/oblix/config/*.pem

   and

   AccessSystem_install_dir/access/oblix/config/password.xml (if in Cert mode)

   where AccessSystem_install_dir is the directory in which the Access System components are installed. For example, the Policy Manager or Access Server or WebGate.

   This creates a backup file of your older configuration.

2. Generate a certificate through Oracle Access Manager's internal CA:

   1. Open a command prompt window and change to the appropriate AccessSystem_install_dir/access/oblix/tools/UtilityDirectory,

      Where:

      UtilityDirectory is the directory containing the utility for the component you are modifying: configureAAAserver, configureWebGate, or genCert (for Policy Manager).

      For example:

      cd COREid/WebComponent/access/oblix/tools/configureWebGate
      

   2. Execute one of the commands in Table 8-8.

      Table 8-8 Access System Commands: Change to Simple Mode

      Operating System	Commands
      UNIX	Access Server: start_configureAAAServer reconfig AccessServer_install_dir/access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: start_configureAccessGate -i AccessGate_install_dir/access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. Note: If you are using Linux NPTL with Oracle Access Manager, see "NPTL Requirements and Post-Installation Tasks". WebGate: start_configureWebGate -i WebGate_install_dir/access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencertwhere PolicyManager_install_dir is the directory in which the Policy Manager is installed.
      Windows	Access Server: configureAAAServer.exe reconfig AccessServer_install_dir\access -R where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: configureAccessGate.exe -i AccessGate_install_dir\access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. WebGate: configureWebGate.exe -i WebGate_install_dir\access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.

      
      

   3. When you are prompted to enter Open, Simple, or Cert mode, select Simple mode and press Enter.

   4. Specify and confirm the Global Pass Phrase.

      This password must be the same across all Access Servers and AccessGates and WebGates. For more information on the Global Pass Phrase, see the Oracle Access Manager Installation Guide.

      WARNING:

      You must reinstall the Policy Manager if the Simple mode password for the Policy Manager is changed, or if the Access System is changed from Simple mode to Cert mode

8.3.4 Changing to Cert Transport Security Mode

The following procedure describes changing the transport security mode to Cert.

Note:

The certificate request for WebGate generates the certificate-request file aaa_req.pem. You need to send this WebGate certificate request to a root CA that is trusted by the AAA server. The root CA returns the WebGate certificates, which can then be installed either during or after WebGate installation.

To change to Cert security mode

1. Move the following to a new folder:

   AccessSystem_install_dir/access/oblix/config/simple (if in Simple mode)

   This creates a backup of your old configuration

2. Generate a certificate request.

   1. Open a Command Prompt window and change to the following directory:

      AccessSystem_install_dir/access/oblix/tools/UtilityDirectory

      where AccessSystem_install_dir is directory in which the Access System components are installed and UtilityDirectory is the directory containing the tool for the component you are modifying: configureAAAServer, configureWebGate, configureAccessGate, or genCert (genCert is used by Policy Manager).

      For example:

      cd COREid/WebComponent/access/oblix/tools/genCert
      

   2. Execute one of the commands in Table 8-9, depending on which component you are modifying.

      Table 8-9 Access System Request Certificate Commands

      Operating System	Commands
      UNIX	Access Server: start_configureAAAServer reconfig AccessServer_install_dir/access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: start_configureAccessGate -i AccessGate_install_dir/access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. Note: If you are using Linux NPTL with Oracle Access Manager, see "NPTL Requirements and Post-Installation Tasks". WebGate: start_configureWebGate -i WebGate_install_dir/access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.
      Windows	Access Server: configureAAAServer.exe reconfig AccessServer_install_dir\access -R where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: configureAccessGate.exe -i AccessGate_install_dir\access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. WebGate: configureWebGate.exe -i WebGate_install_dir\access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.

      
      

   3. When you are prompted for a mode, select Cert and press Enter.

   4. Indicate that you are requesting a certificate.

   5. Answer the prompts for information, including the following:

      • A two-letter country code (the default is US)

      • A state or province name

      • Your city or other locality

      • An organization name (your company, for example)

      • An organizational unit name (your department, for example)

      • A common name (must be your host computer name)

      • An email contact address

   6. Press Enter.

      A message is displayed stating that your certificate request is in the file AccessServer_install_dir/access/oblix/config/aaa_req.pem.

      The setup_aaa utility actually creates two files in this directory:

      aaa_key.pem, which contains your private key, and aaa_req.pem.

   7. Submit the aaa_req.pem file to the Certificate Authority to get your request signed.

3. Save the approved certificate to a file which the installer can access.

4. Save the CA chain in base64 code format to a .pem file that the installer can access.

5. After you receive the certificate from your CA, install the signed certificate.

To install the signed certificate for Cert mode

1. Open a Command Prompt window and change to the AccessSystem_install_dir/access/oblix/tools/componentDirectory

   where AccessSystem_install_dir is the directory in which Access System is installed and componentDirectory is the directory for the component you are modifying: configureAAAServer, configureWebGate, configureAccessGate, or genCert (genCert is the utility used by Policy Manager).

   For example:

   cd COREid/access/oblix/tools/configureAAAServer
   

2. Execute one of the commands in Table 8-10.

   Table 8-10 Access System Install Certificate Commands

   Operating System	Commands
   UNIX	Access Server: start_configureAAAServer reconfig AccessServer_install_dir/access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: start_configureAccessGate -i AccessGate_install_dir/access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. Note: If you are using Linux NPTL with Oracle Access Manager, see "NPTL Requirements and Post-Installation Tasks". WebGate: start_configureWebGate -i WebGate_install_dir/access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.
   Windows	Access Server: configureAAAServer.exe reconfig AccessServer_install_dir\access -R where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: configureAccessGate.exe -i AccessGate_install_dir\access -t AccessGate -R where AccessGate_install_dir is the directory in which the AccessGate is installed. WebGate: configureWebGate.exe -i WebGate_install_dir\access -t WebGate -R where WebGate_install_dir is the directory in which WebGate is installed. Policy Manager: Run the genCert utility to specify the new mode. The genCert utility is located in the directory PolicyManager_install_dir\access\oblix\tools\gencert where PolicyManager_install_dir is the directory in which the Policy Manager is installed.

   
   

3. When you are prompted to enter Simple or Cert mode, type Cert and press Enter.

4. Indicate that you are installing a certificate.

5. Specify the locations of the key, server certificate, and CA chain files:

   • aaa_key.pem

   • aaa_cert.pem

   • aaa_chain.pem

   where aaa is the name you specify for the file (applicable only to Cert and chain files).

   WARNING:

   The Webgate certificate request generates the certificate-request file aaa_req.pem. You need to send this certificate request to a root CA that is trusted by the AAA server. The root CA returns the WebGate certificates, which can then be installed either during or after WebGate installation.

   If you have installed certificates for an earlier Oracle Access Manager-generated request, use the default value for aaa_key.pem when prompted.

   Your certificate is installed.

6. Restart the AccessGate or Access Server, as appropriate.

8.4 Transport Security Changes for Directory Servers

When you install the Identity Server and the Access Server, you can specify Open or SSL mode between each of these servers and the directory server. To change the transport security mode after installation, you must reconfigure the Identity Server or the Access Server, as appropriate. During reconfiguration, you can change the security mode between the directory server and the Identity or Access Server.

Note:

See the Oracle Access Manager Installation Guide for additional information about adding directory certificates after installation.

To change transport security between the Identity Server and directory server

1. From a command line, find the appropriate setup_ois tool for your platform.

   On UNIX, for example:

   IdentityServer_install_dir/identity/oblix/tools/setup
   

2. At the command prompt, run the appropriate executable.

   On UNIX, for example:

   start_setup_ois -i
   

   You are guided through the steps required to set up the Identity Server.

3. When you are asked whether you want SSL between the Identity Server and the directory server, select either y (yes) or n (no).

   Note:

   If you select SSL, provide the full path to the location of the CA certificate when asked.

4. Complete the rest of the steps to finish the reconfiguration process.

To change transport security to SSL between the Policy Manager and directory server

1. From a command line, find the appropriate setup_access_manager tool for your platform.

   On UNIX, for example:

   PolicyManager_install_dir/access/oblix/tools/setup_am
   

   Note:

   cert8.db, used to set up SSL between Policy Manager and the directory server, is created using the setup_access_manager command only.

2. At the command prompt, run the appropriate executable to create the cert8.db file.

   On UNIX, for example:

   ./start_setup_access_manager -i <install_dir> -C <rootCA_cert_file_path>
   

   You are guided through the steps required to set up the Policy Manager. When setting up SSL between the Policy Manager and directory server, you must use setup_access_manager on Windows (or start_setup_access_manager on UNIX). The gencert utility used only to create or renew the certificate for the components with transport security mode set as Simple/Cert.

3. When you are asked, provide the full path of the file containing the Root CA certificate for the directory server.

4. Complete the rest of the steps to finish the reconfiguration process.

To change transport security between the Access Server and the directory server

1. From a command line, navigate to the folder where the configureAAAServer tool is located:

   AccessServer_install_dir/access/oblix/tools/configureAAAServer
   

   Note:

   On UNIX systems, use the start_configureAAAServer tool.

2. At the command line, run the following executable:

   configureAAAServer install AccessServer_install_dir/access

3. Select 1 (Y) to reconfigure the Access Server.

   You are guided through the steps required to set up the Access Server. Specify the same required information that was used when installing the Access Server, including the transport security mode.

4. When you are asked to specify the mode for the directory server, select either Open or SSL.

5. If you select SSL, provide the full path to the location of the CA certificate.

6. Complete the rest of the steps to finish the reconfiguration process.

8.5 Changing Transport Security Passwords

When communicating with each other, components authenticate one another using a password-based mechanism.

• Simple Mode: In Simple mode, all components in an Identity or Access System must use the same password within the installation. Oracle Access Manager generates certificates that are required by Transport Layer Security (TLS). Any installation can generate valid certificates.

• You can store the password in a local file so that each component can start unattended. Or you may have the component prompt for the password when it starts. Prompting requires a system administrator to start each element manually and type the password.

• Cert Mode: Cert mode requires a password for each component's private key file. You can use a different password for each component.

As with Simple mode, you can store the password in a local file so that each component can start unattended, or you may have the component prompt for the password when it starts. Prompting requires a system administrator to start each component manually and type the password.

You can change the password for Cert or Simple transport security mode.

To change the certificate password for the Identity System

1. Open a Command Prompt window and change to the IdentityServer_install_dir/identity/oblix/tools/setup directory, where IdentityServer_install_dir is the directory in which the Identity Server is installed.

   For example:

   cd COREid/identity/oblix/tools/setup
   

2. Run one of the commands in Table 8-11.

   Table 8-11 Identity System Commands for Certificate Password Changes

   Operating System	Commands
   UNIX	Identity Server: start_setup_ois -i IdentityServer_install_dir/identity -k where IdentityServer_install_dir is the directory in which the Identity Server is installed. WebPass: start_setup_webpass -i WebPass_install_dir/identity -k where WebPass_install_dir is the directory in which WebPass is installed.
   Windows	Identity Server: setup_ois.exe -i IdentityServer_install_dir\identity -k where IdentityServer_install_dir is the directory in which the Identity Server is installed. WebPass: setup_webpass.exe -i WebPass_install_dir\identity -k where WebPass_install_dir is the directory in which WebPass is installed.

   
   

3. Specify the transport security mode this component is using.

4. Specify the old password.

5. Specify and confirm the new password.

6. Restart the Identity Server.

To change the certificate password for the Access System

1. Open a Command Prompt window and change to the AccessSystem_install_dir/access/oblix/tools/UtilityDirectory

   where AccessSystem_install_dir is the directory in which the Access System is installed and UtilityDirectory is the directory for the component you are modifying. For example:

   cd COREid/access/oblix/tools/configureAccessGate
   

2. Run one of the commands in Table 8-12.

   Table 8-12 Access System Commands for Certificate Password Changes

   Operating System	Commands
   UNIX	Access Server: start_configureAAAServer chpasswd AccessServer_install_dir/access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: start_configureAccessGate -i AccessGate_install_dir/access -t AccessGate -k where AccessGate_install_dir is the directory in which the Access Server is installed. Note: If you are using Linux NPTL with Oracle Access Manager, see "NPTL Requirements and Post-Installation Tasks". WebGate: start_configureWebGate -i WebGate_install_dir/access -t WebGate -k where WebGate_install_dir is the directory in which the Access Server is installed.
   Windows	Access Server: configureAAAServer.exe chpasswd AccessServer_install_dir\access where AccessServer_install_dir is the directory in which the Access Server is installed. AccessGate: configureAccessGate.exe -i AccessGate_install_dir\access -t AccessGate -k where AccessGate_install_dir is the directory in which the Access Server is installed. WebGate: configureWebGate.exe -i WebGate_install_dir\access -t WebGate -k where WebGate_install_dir is the directory in which the Access Server is installed.

   
   

3. Specify the transport security mode this component is using.

4. Specify the old password.

5. Specify and confirm the new password.

6. Restart the Access Server.

8.6 Importing Multiple CA Certificates

Oracle Access Manager recognizes one CA certificate for each directory server type for transport security between a component and the directory server for user data, configuration data, or policy data.

If your implementation has separate directory servers for user data, configuration data, or policy data, you can have separate CA certificates for each. Thus you can have up to three CA certificates in your implementation; one for the user directory, one for the configuration directory, and one for the policy directory.

WARNING:

If your installation uses replicated or multiple directories that have established SSL using certificates from different certificate authorities, you need to import the various certificates manually into the cert8.db file. The cert8.db file is encrypted and stored in a proprietary Mozilla format.

For more information about adding directory server CA certificates, see the Oracle Access Manager Installation Guide.

8.7 Changing Access Server Security Password

You can change the Access Server transport security mode from the command line. For Simple mode, the AccessGate or WebGate and the Access Server must have the same password to allow them to communicate with each other.

To change the transport security mode password

1. Run the following executable:

   configureAAAServer chpasswd AccessServer_install_dir

   where AccessServer_install_dir is the directory in which the Access Server is installed.

2. Specify the following when prompted:

   • The transport security mode in which the Access Server is configured.

   • The old password

   • The new password

3. Restart the Access Server.

   See "About Transport Security Modes" for more information.