4 Managing Services, Certificate Validation, and Common Settings

This chapter explains how to navigate to and configure properties that are common to both Oracle Access Manager and Oracle Security Token Service. This chapter includes the following topics:

4.2 Introduction to Common Configuration Elements

This section introduces the common System Configuration elements, shared by all OAM Servers and services in the domain. Figure 4-1 shows the Common Configuration section of the System Configuration navigation tree.

Figure 4-1 Common Configuration Nodes in Navigation Tree

Common Configuration Nodes in Navigation Tree
Description of "Figure 4-1 Common Configuration Nodes in Navigation Tree"

Table 4-1 introduces the common configuration elements that apply to all services in the suite, and where you can find more information on each one.

Table 4-1 Common Configuration Nodes in Navigation Tree

Node Description

Available Services

Provides access to all services.

See: "Enabling or Disabling Available Services".

Common Settings

Provides properties and settings that apply to all services in the suite, including Session lifetime, Oracle Coherence, Auditing configuration, and Default and System Identity Stores.

See: "Managing the Common Settings".

Server Instances

Provides access to all registered OAM Server instances.

See: Chapter 6, "Managing Common OAM Server Registration"

Session Management

Provides access to user session management operations.

See: Chapter 7, "Managing Sessions"

Certificate Validation

Provides access to the certificate revocation list and OCSP/CDP settings.

See: "Managing Global Certificate Validation and Revocation".

Data Sources

Provides access to registered user identity stores for Oracle Access Manager and Oracle Security Token Service.

See: Chapter 5, "Managing Common Data Sources"

Plug-Ins

Provides access to custom plug-ins to extend authentication functionality for Oracle Access Manager with Oracle Security Token Service.

See: Oracle Fusion Middleware Developer's Guide for Oracle Access Manager and Oracle Security Token Service


4.3 Enabling or Disabling Available Services

By default, Oracle Security Token Service is disabled at installation time, and must be enabled as described here before using Oracle Security Token Service.

Figure 4-2 shows the Available Services page of the Common Configuration section. This page shows the status of services and provides controls to enable or disable a service.

Figure 4-2 Available Services Page

Available Services Page
Description of "Figure 4-2 Available Services Page"

A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a line through it indicates that the corresponding service is disabled.

Oracle Access Manager (OAM) must be enabled, whether Oracle Security Token Service is enabled or disabled. Oracle Access Manager does not require Oracle Security Token Service. However, Oracle Access Manager must be enabled to use Oracle Security Token Service.

Prerequisites

AdminServer must be running.

Logging In to and Signing Out of Oracle Access Manager Console

To enable or disable an available service

  1. Log in to the Oracle Access Manager Console, as usual

         https://hostname:port/oamconsole/
    
  2. From the System Configuration tab, Common Configuration section, click Available Services.

  3. Enable Service: Click Enable beside the desired service name (or confirm that the Status check mark is green).

  4. Disable Service: Click Disable beside the desired service name (or confirm that the Status check mark is red).

4.4 Managing the Common Settings

The Common Settings apply to all OAM Server instances and services. This section provides the following topics:

4.4.1 About Common Settings Pages

Common Settings apply to all services within the suite. Figure 4-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.

Figure 4-3 Common Settings Page (Collapsed View)

Common Settings Page (Collapsed View
Description of "Figure 4-3 Common Settings Page (Collapsed View)"

OAM Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 4-2.

Table 4-2 Common Settings

Tab Name Description

Session

Session management refers to the process of managing the lifecycle requirements of a user session, and notification of session events to enable global logout. Global logout is required for OSSO Agents (mod_osso) to ensure that logging out of a session on any entity propagates the logout to all entities.

See Also: "Managing Common Settings".

Coherence

Common Oracle Coherence settings shared by all OAM Servers differ from those for individual OAM Servers. However, in both cases Oracle recommends that you make no adjustments to these settings unless instructed to do so by an Oracle Support Representative.

See Also: "Managing Common Settings".

Audit Configuration

Oracle Access Manager supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Manager auditing configuration is recorded in oam-config.xml.

See Also: "Managing Common Settings".

Default and System Identity Stores

This section identifies the default identity and system stores, which can be one in the same (or different).

See Also: "Managing Common Settings".


4.4.2 Managing Common Settings

Users with valid OAM Administrator credentials can perform the following task to display the Common Settings page and perform changes. Included in each main step is a reference to more information elsewhere in this book.

Prerequisites

The OAM Server must be running.

To manage common settings

  1. From the System Configuration tab, Common Configuration section, double-click Common Settings in the navigation tree.

  2. Session:

    1. On the Common Settings page, expand the Session section.

    2. Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed:


      Session Lifetime
      Idle Timeout
      Maximum Number of Sessions per User
    3. Check the box to enable Database Persistence for Active Sessions (or clear it to disable Database Persistence).

    4. Click Apply to submit your changes.

    5. See Also: Chapter 7, "Managing Sessions".

  3. Coherence: See "Viewing Common Coherence Settings".

  4. Audit Configuration:

    1. Open the Audit Configuration section.

    2. In the Audit Configuration section, enter appropriate details for your environment:


      Maximum Log directory size
      Maximum Log file size
      Filter settings to include specific users from the audit (click + button above
      the Users table and enter a value in the field
    3. Click Apply to submit the Audit Configuration (or close the page without applying changes).

    4. See Also: Chapter 25, "Auditing Administrative and Run-time Events".

  5. Default and System Identity Stores:

    1. Expand the Default and System Identity Stores section.

    2. Click the name of the System Store (or Default Store) to display the configuration page.

    3. See "Setting the Default Store and System Store" for more information.

4.4.3 Viewing Common Coherence Settings

Figure 4-4 shows the Common Settings page with the coherence section expanded.

Note:

Oracle strongly recommends that you do not alter these settings without the assistance of Oracle Support.

Figure 4-4 Common Coherence Settings

Common Coherence Settings
Description of "Figure 4-4 Common Coherence Settings"

Table 4-3 describes these settings.

Table 4-3 Common Coherence Settings

Element Description

Port

Value between 1 and 65535 is supported.

Cluster Address

Value between 224.1.255.0 to 239.255.255.255 is allowed.

Time to Live

Value between 0 and 255 is supported.

Cluster Port

Value between 1 and 65535 is supported.


To view Common Coherence settings

  1. From the System Configuration tab, expand the Common Configurations section, and double-click Common Settings.

  2. On the Common Settings page, expand the Coherence section.

  3. Close the page when you finish.

4.5 Managing Global Certificate Validation and Revocation

This section provides the following topics:

4.5.1 About Certificate Validation and Revocation Lists

Oracle Access Manager uses the Online Certificate Status Protocol (OCSP) to maintain the security of a server and other network resources. OCSP is used for obtaining the revocation status of an X.509 digital certificate. OCSP specifies the communication syntax between the server containing the certificate status and the client application that is informed of that status.

An OCSP responder can return a signed response signifying that the certificate specified in the request is 'good', 'revoked' or 'unknown'. If OCSP cannot process the request, it can return an error code.

The certificate validation module is used by OSTS to validate X.509 tokens and to verify if needed whether or not the certificates are revoked, by using

  • Certificate Revocation Lists (CRLs)

  • Online Certificate Status Protocol (OCSP)

  • CRL Distribution Point extensions (CDP extensions)

A Certificate Revocation List (CRL) is a common way to maintain access to servers in a network when using a public key infrastructure. The CLR is a list of subscribers paired with their digital certificate status. Revoked certificates are listed with a reason. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for the particular user.

Figure 4-5 shows OCSP/CDP settings for global certificate validation in the console.

Figure 4-5 OCSP/CDP Settings for Global Certificate Validation

OCSP/CDP Settings for Global Certificate Validation
Description of "Figure 4-5 OCSP/CDP Settings for Global Certificate Validation"

Figure 4-6 shows adding a CA CRL using the console.

Figure 4-6 Certificate Revocation List Dialog Box

Certificate Revocation List Dialog Box
Description of "Figure 4-6 Certificate Revocation List Dialog Box"

4.5.2 Managing Certificate Revocation Lists (CLRs)

Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources. This is accomplished by enabling continuous data protection and importing current CA Certificate Revocation Lists.

Prerequisites

Have your CA Certificate Revocation List (CA CRL) ready to import.

To manage certificate revocation lists

  1. From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.

  2. Open the Certificate Revocation List node and:

    1. Confirm that the Enabled box is checked.

    2. Add: Click the Add button, browse for the CRL file and select it, click Import.

    3. Remove: Click the name of the list in the table, click the Delete (x) button, and confirm when asked.

    4. Save the configuration.

  3. Search for CRLs:

    1. Review the table.

    2. Enable Query by Example and enter the filter strings in the header fields of the table.

  4. Proceed to "Managing Certificate Validation".

4.5.3 Managing Certificate Validation

Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources. This is accomplished by enabling the Online Certificate Status Protocol.

Prerequisites

Have your CA Certificate Revocation List (CA CRL) ready to import.

To manage certificate validation

  1. From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.

  2. Open the Certificate Revocation List node:

    1. Confirm that the Enabled box is checked.

    2. Save the configuration.

  3. Open the OCSP/CDP node and:

    1. Enable OCSP

    2. Enter the URL of the OCSP Service

    3. Enter the Subject DN of the OCSP Service

    4. Save this configuration.

    5. Proceed to "Configuring CDP".

4.5.4 Configuring CDP

Users with OAM Administrator credentials can use the following procedure to maintain the security of a server and other network resources.

To configure CDP

  1. From the Oracle Access Manager Console System Configuration tab, Common Configuration section, select Certificate Validation.

  2. Open the Certificate Revocation List node:

    1. Confirm that the Enabled box is checked.

    2. Save the configuration.

  3. Open the OCSP/CDP node and:

    1. Enable CDP.

    2. Save this configuration.