Depending on the public key infrastructure, the digital certificate establishes credentials for Web-based transactions.
See About Certificates, Authorities, and Encryption Keys.
Public Keys at Run Time: There are distinct cases where public key infrastructure materials are used at run time.
For example, during Web Services Security (WSS) protocol communication between Requesters and Security Token Service (with OWSM Agent).
Table 44-1 describes the Security Token Service public keys that are used at run time.
Table 44-1 Security Token Service Public Keys Used at Run Time
When Security Token Service ... | Description |
---|---|
Issues SAML Assertions | |
Issues tokens | |
Validates SAML Assertions | |
Uses Web Services Security (WSS) protocol communication | Between Requesters and Security Token Service (with OWSM Agent) |
The keystore files are distributed across all OAM Servers in the domain by the JMX framework and used for Security Token Service.
Following are the keystore files:
.oamkeystore: For keys and certificates associated with OAM Server instances
.oamkeystore: Partner Keystore for keys and certificates used to establish trust with partners, clients, and agents.
amtruststore: Trust Keystore for keys and certificates that are used to establish trust in entities that are interacting with the OAM Server instances
amcrl.jar: Certificate Revocation Lists (CRL) are used by the OAM Server instances when performing CRL-based certificate revocation checking
See Introduction to Oracle Access Management Keystores.
The keystore files are distributed across all OAM Servers in the domain by the JMX framework. The $DOMAIN_HOME/config/fmwconfig/mbeans directory defines a registration mbeans.xml for each file that indicates the MBean that manages the file and also identifies that the file should be propagated across the domain.
Table 44-2 Keystore Mbeans
Keystore | Mbean and Description |
---|---|
System/Partner Keystore: .oamkeystore | Configuration of the .oamkeystore is done using the JRE's keytool application. |
Trust Keystore: .amtruststore | Configuration of the amtruststore is done using the JRE's keytool application. |
CRL: amcrl.jar | CRL MBean: Can be used to manage CRLs. |
The token security key pair is populated to the common keystore shared by Security Token Service. This eliminates the need for Oracle Web Services Manager agents to interact with the common keystore.
You can use a WLST command to retrieve the password for keystores and for the amtruststore.
See Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password.
The keystore of type JKS is required by the Oracle WSM Agent to contain System and Partner keys and certificates.
Oracle WSM Agent functionality is available to Security Token Service to publish WS Policies and enforce message protection on inbound and outbound WS messages. Oracle WSM requires a separate keystore to contain System and Partner keys and certificates.
The Oracle WSM Agent uses a keystore for various cryptographic operations. For these tasks, the Oracle Web Services Manager Agent uses the keystore configured for Oracle Web Services Manager tasks (containing OWSM private keys and OWSM trusted certificates). The OPSS modules publish a keystore service used by Oracle Web Services Manager for certificate validation operations, and the $DOMAIN_HOME/config/fmwconfig/jps-config.xml will contain the settings for the keystore service. The default name is default-keystore.jks, which is specified in jps-config.xml.
Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different. Otherwise, keys could be available to any modules authorized by OPSS to access the keystore and Access Manager keys might be accessed.
Note: Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different.
During installation, if the Oracle WSM keystore service has not been configured, the installer:
Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (default name is default-keystore.jks)
Creates a key entry with the corresponding certificate that will be used by OWSM for signature and encryption operations. This key entry will be stored in the OWSM Keystore under the orakey alias
Stores the passwords of the key entry and of the keystore in CSF
Having access to the keystore is sometimes required, to:
Extract the signing/encryption certificate to distribute to clients if necessary
Update or replace the signing/encryption key entry
Add trusted certificates
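The supported way to inspect or change these keystores is the JRE's keytool. As an added example (not Oracle code, and not a substitute for keytool), the following reads the JKS format that the OWSM keystore uses: it verifies the keystore integrity digest with the keystore password, lists each alias as a key entry or a trusted certificate, and returns the certificate chain of an entry so the signing/encryption certificate can be handed to clients. The sample keystore, its alias names other than orakey, its password and its byte values are constructed placeholders; only the JKS version 2 layout is assumed.

```python
import hashlib, io, struct

MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2

def _utf(s):  # Java writeUTF framing: 2-byte length, then UTF-8 bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b
def _blob(b):  # 4-byte length, then the bytes
    return struct.pack(">I", len(b)) + b
def integrity_digest(password, body):
    # JKS trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, password, ts=0):
    """entries: (alias, kind, encrypted_key_bytes_or_None, [cert DER ...])."""
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, kind, enc_key, chain in entries:
        body += struct.pack(">I", kind) + _utf(alias) + struct.pack(">Q", ts)
        if kind == PRIVATE_KEY:
            body += _blob(enc_key) + struct.pack(">I", len(chain))
        body += b"".join(_utf("X.509") + _blob(der) for der in chain)
    return body + integrity_digest(password, body)

def read_jks(data, password):
    """Return {alias: (kind, [cert DER ...])}; private keys stay sealed."""
    body, digest = data[:-20], data[-20:]
    if integrity_digest(password, body) != digest:
        raise ValueError("integrity check failed: wrong password or tampered keystore")
    magic, version, count = struct.unpack(">III", body[:12])
    if (magic, version) != (MAGIC, 2):
        raise ValueError("not a JKS version 2 keystore")
    buf = io.BytesIO(body[12:])
    utf = lambda: buf.read(struct.unpack(">H", buf.read(2))[0]).decode()
    blob = lambda: buf.read(struct.unpack(">I", buf.read(4))[0])
    entries = {}
    for _ in range(count):
        kind, alias = struct.unpack(">I", buf.read(4))[0], utf()
        buf.read(8)  # creation timestamp, not needed here
        n = 1
        if kind == PRIVATE_KEY:
            blob()  # encrypted PKCS#8 key; never decrypted here
            n = struct.unpack(">I", buf.read(4))[0]
        entries[alias] = (kind, [(utf(), blob())[1] for _ in range(n)])  # type, then DER
    return entries

# Constructed sample standing in for default-keystore.jks: the orakey entry plus one partner trust anchor; byte values are placeholders.
SAMPLE_PASSWORD = "changeit"
SAMPLE_JKS = build_jks([
    ("orakey", PRIVATE_KEY, b"<encrypted-pkcs8>", [b"<orakey-cert-der>"]),
    ("partner-ca", TRUSTED_CERT, None, [b"<partner-ca-cert-der>"]),
], SAMPLE_PASSWORD)
```

`read_jks(SAMPLE_JKS, SAMPLE_PASSWORD)["orakey"][1][0]` is the certificate you would distribute; a wrong password or any modified byte fails the digest check before the entries are parsed.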
For the special cases where clients use referencing schemes such as SKI (as opposed to a certificate token being received as part of the web service request), the requester's certificates need to be populated in the OPSS Keystore.
This is an uncommon scenario that requires manually provisioning keys to the OPSS keystore. See About Agents and Security Token Service.