44.5 Managing Certificate Validation

Certificate validation requires the Trust Anchors Store (amtruststore).

Conditions for Security Token Service Certificate Validation (OSTS Certificate Validation Criteria)

STS validates a certificate when:
  • The security token to be validated is one of the following types:
    • X.509
    • X.509v3
    • PKCS#7
  • A SAML Assertion must be validated.
  • Security Token Service is configured to validate the signing certificate of a SAML Issuing Authority.

Table 44-4 lists the successful validation requirements.

Table 44-4 Successful Certificate Validation Requirements

Certificates Must ...          How ...

Be linked to a trusted anchor  • by being a trusted anchor, or
                               • by having its issuer be a trusted anchor

Not be revoked                 The revocation status of the certificate is decided by checking:
                               • against the list of CRLs uploaded by the Administrator
                               • against an OCSP server
                               • the CRL Distribution Points listed in the certificate
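The two rows of Table 44-4, modelled in code as an added example (this is not Oracle code and does not reproduce the Security Token Service implementation). It uses the Python cryptography package to mint throw-away trust anchors, a few SAML-issuer certificates and CRLs, all constructed inline, and then checks each certificate as the table states: it must be a trusted anchor or be issued by one, and it must not appear on a CRL. CRLs are taken first from the Administrator-uploaded list and, only if none covers the issuer, from the certificate's CRL Distribution Points, which the example serves from an in-memory dictionary standing in for an HTTP fetch. That ordering, the fail-closed handling of an unknown status and the omission of OCSP are choices of the example, not statements about the product.

```python
"""Table 44-4 modelled in code: a certificate passes only if it is linked to a trust anchor
and not revoked. Added example, not Oracle code; needs 'cryptography'. All certs, CRLs
and the URL below are constructed for the demo, so nothing is fetched from the network."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

UTC = dt.timezone.utc
CDP_URL = "http://crl.example.test/anchor2.crl"  # constructed; served from a dict below

def make_cert(cn, issuer_cert, signer_key, serial, is_ca, key=None, cdp_url=None):
    """Issue a certificate; issuer_cert=None yields a self-signed certificate."""
    key = key or ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp_url:  # advertise where relying parties can fetch this issuer's CRL
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked_serials):
    now = dt.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(now - dt.timedelta(hours=1)).next_update(now + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(now - dt.timedelta(minutes=30)).build())
    return b.sign(issuer_key, hashes.SHA256())

def cdp_urls(cert):
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def find_anchor_link(cert, anchors):
    """Row 1 of Table 44-4, one hop only: the anchor that is cert or signed cert, else None."""
    for a in anchors:
        if a == cert:
            return a
        if a.subject == cert.issuer:
            try:
                a.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
                return a
            except InvalidSignature:
                pass  # issuer name matches, but this anchor did not sign it
    return None

def revocation_status(cert, issuer, admin_crls, fetch_cdp):
    """Row 2 of Table 44-4: 'good', 'revoked' or 'unknown'. Administrator-uploaded
    CRLs are consulted first; CDP URLs only if none of them covers this issuer."""
    crls = ([c for c in admin_crls if c.issuer == cert.issuer]
            or [x509.load_der_x509_crl(d) for d in map(fetch_cdp, cdp_urls(cert)) if d])
    for crl in crls:
        # next_update_utc exists from cryptography 42 on; older releases give naive UTC
        nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
        if not crl.is_signature_valid(issuer.public_key()) or nxt < dt.datetime.now(UTC):
            continue  # a forged or stale CRL proves nothing either way
        hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        return "revoked" if hit is not None else "good"
    return "unknown"  # fail closed: no usable CRL is not the same as 'good'

def validate_certificate(cert, anchors, admin_crls, fetch_cdp):
    anchor = find_anchor_link(cert, anchors)
    if anchor is None:
        return False, "not linked to a trust anchor"
    status = revocation_status(cert, anchor, admin_crls, fetch_cdp)
    return status == "good", "ok" if status == "good" else "revocation status: " + status

def build_demo():
    """Two anchors (as if imported into amtruststore), one uploaded CRL, one CDP-only CRL."""
    k1, k2, kr = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    anchor1 = make_cert("STS Trust Anchor CA 1", None, k1, 1, True, key=k1)
    anchor2 = make_cert("STS Trust Anchor CA 2", None, k2, 2, True, key=k2)
    certs = {"good": make_cert("saml-issuer-good", anchor1, k1, 1001, False),
             "revoked": make_cert("saml-issuer-revoked", anchor1, k1, 1002, False),
             "untrusted": make_cert("saml-issuer-selfsigned", None, kr, 2001, False, key=kr),
             "cdp_revoked": make_cert("saml-issuer-cdp", anchor2, k2, 3001, False, cdp_url=CDP_URL),
             "no_crl": make_cert("saml-issuer-nocrl", anchor2, k2, 3002, False)}
    admin_crls = [make_crl(anchor1, k1, [1002])]  # what the Administrator uploaded
    cdp_crl = make_crl(anchor2, k2, [3001]).public_bytes(serialization.Encoding.DER)
    return certs, [anchor1, anchor2], admin_crls, {CDP_URL: cdp_crl}.get

def run_demo():
    certs, anchors, admin_crls, fetch_cdp = build_demo()
    return {n: validate_certificate(c, anchors, admin_crls, fetch_cdp) for n, c in certs.items()}

if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The "no_crl" case is the one worth noticing: a certificate issued by a trusted anchor for which no CRL is available is rejected rather than accepted, because "not revoked" can only be established against a CRL (or OCSP responder) that is actually reachable and signed by the issuer.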

You need to perform the following tasks to manage this store and validation:

44.5.1 Managing the Trust Anchors Store (amtruststore)

The Trust Anchors keystore is managed using the keytool command.

Certificates added to the keystore are detected by the Certificate Validation module.

Note:

The Certificate Validation module is notified of keystore changes through the JMX Notification Framework, so a newly added certificate can take up to the notification refresh interval (60 seconds by default) to be recognized.

Prerequisites for Managing the Trust Anchors Store (amtruststore)

See Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password.

To manage the Trust Anchors Store (amtruststore)

  1. Locate keytool (it is shipped with the JDK that runs the domain).
  2. Import the certificate of the new trust anchor. Each anchor needs its own alias: keytool refuses to import under an alias that already exists in the keystore.
    keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/amtruststore 
    -storetype JKS -alias $ALIAS -file $CERT_FILE 
    
  3. Observe messages on the screen and enter the keystore password if requested. When keytool asks whether to trust the certificate, compare the fingerprint it prints with one obtained from the certificate owner out of band before answering yes: whatever is imported here becomes a trusted anchor for every certificate Security Token Service validates.
  4. Proceed as follows:

44.5.2 Managing Certificate Revocation Lists

Security Token Service uses the common infrastructure certificate validation module. The trusted certificates and Certificate Revocation Lists (CRLs) used during certificate validation are stored in the Trust Keystore and in a CRL ZIP file respectively.

The Security Token Service configuration stores the OCSP and CRL Distribution Point (CDP) settings. To add or remove the certificate revocation lists (CRLs) used to check the revocation status of a certificate, perform the following operations.

See Certificate Validation and Revocation.

44.5.2.1 Prerequisites for Managing Certificate Revocation Lists

You need to have your Certificate Revocation List ready so you can import it.

44.5.2.2 Task Overview: Manage Certificate Validation and Revocation Lists

You must perform the following tasks to manage Certificate Validation and Revocation lists:

  1. From the Oracle Access Management Console System Configuration tab, Common Configuration section, select Certificate Validation.

  2. See Enabling the Certificate Revocation List Functionality.

  3. See Enabling OCSP Certificate Validation.

  4. See Enabling CRL Distribution Point Extensions.

44.5.3 Using a Custom Trust Anchor Store for Security Token Service

Optionally, if a particular deployment requires a set of trust anchors separate from that of Access Manager, another keystore can be configured as the trusted certificate store for Security Token Service.

This can be done by having the Administrator perform the following tasks.

Note:

44.5.3.1 Task Overview: Deploying a Custom Keystore for Trusted Certificates

You can deploy a custom keystore to hold the trusted certificates used by Security Token Service.

To deploy a custom keystore:

  1. Create the JKS keystore in the $DOMAIN_HOME/config/fmwconfig directory.
  2. In the Oracle Access Management Console, Security Token Service Settings page, enter the full path name of the new trust store and Apply your changes.
  3. The custom Trust Anchor Keystore is not propagated automatically: in the domain where Security Token Service is deployed, the Administrator must copy it manually to every server so that each one validates against the same set of anchors.