The following topics describe how to define Keystore settings for Federation:
You view and manage keystores configured for use with federation partners on the Federation Settings page of the console.
Figure 39-2 illustrates the expanded Federation Proxy Settings section of the Federation Settings page.
Table 39-4 describes each element on the Keystore Settings section of the Federation Settings page.
Table 39-4 Keystore Settings for Federation
Element | Description |
---|---|
Keystore Location |
This element specifies the keystore path. |
Key ID |
This is the unique key ID. |
Description |
This element provides a brief description of the key, such as its usage type. |
Alias |
This element specifies the key alias. Note: You can choose one of the aliases that is available in the keystore using the drop-down. |
Password |
This element specifies the key password. |
As described in Managing Data Sources, Identity Federation uses keys in the following keystore to store encryption and signing certificates:
$DOMAIN_HOME/config/fmwconfig/.oamkeystore
Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
Adding a New Key Entry to the System Keystore (.oamkeystore)
Note:
AM denotes Access Manager, STS denotes Security Token Service, and IF denotes Identity Federation in this discussion.
You can reset the password that protects the keystores as well as the key entries which use the same password as the keystore.
The keystores have been created and configured by the IM/OAMAM/OSTS installer, and the password and the key entries password were randomly generated. The WLST resetKeystorePassword
method allows you to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value. The command updates the:
.oamkeystore password
Key entries in the .oamkeystore which had the same password as the keystore
OAMAM/STS/IF configuration to reflect the change
amtruststore password if the keystore is protected by the same password as the .oamkeystore (default)
To set the system keystore (.oamkeystore) password:
You can add a new key entry into the system keystore (.oamkeystore) using the keytool
command to create and add the new key entry.
Once the entry has been added, it must be defined in the Identity Federation settings configuration screen so that it can be used to sign assertions and decrypt incoming messages.
The following topics describe how to add a new entry to the system keystore to sign SAML assertions or decrypt XML-encrypted data not covered by WSS:
There are no prerequisites for this task. The system keystore (.oamkeystore) password has been reset.
To add a new entry in the .oamkeystore:
In the Identity Federation settings, you can add a new row to the Keystore table.
To add a new entry in the Identity Federation settings:
Once the key has been added to the keystore table, you can configure Identity Federation to use the key.
To configure the signing and encryption key:
Identity Federation will now use those keys to sign and decrypt messages.
Oracle Identity Federation supports RSA 1.5 as the key transport algorithm by default. The key transport algorithm can be changed from RSA 1.5 to RSA-OAEP based on the requirement, by adding a new property, defaultkeytransportmethod to oam-config.xml using the WLST commands.
You can configure the defaultkeytransportmethod parameter in oam-config.xml as follows:
<Setting Name=”defaultkeytransportmethod” Type=”xsd: xsd”> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p </Setting>
updatePartnerProperty(partnerName=”OIFSP”, partnerType=”SP”, propName=”defaultkeytransportmethod”, propValue=”http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”,type=”string”)
putStringProperty("/fedpartnerprofiles/saml20-sp-partner-profile/defaultkeytransportmethod","http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
putStringProperty("/idpglobal/defaultkeytransportmethod", “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”)
Note:
This is a global change.