5.6 Introduction to Oracle Access Management Keystores

A Java keystore is set up to be used for certificates for Simple or Certificate-based communication between OAM Servers and Webgates during authorization. The keystore bootstrap also occurs on the initial AdminServer startup after running the Configuration Wizard.

This section provides the following topics:

  • Access Manager Security Keys and the Embedded Java Keystore

  • Access Manager Keystores

  • Identity Federation Keystore

5.6.1 Access Manager Security Keys and the Embedded Java Keystore

Keystores are created and configured during Access Manager installation. The keystore password and the passwords of its key entries are randomly generated at that time.

The preferred keystore format is JKS (Java keystore). A Java keystore is associated with Access Manager behind the scenes and is used to store cryptographic security keys that are generated to encrypt agent traffic and session tokens:

  • Every OAM Agent and OSSO Agent has a secret key that other agents cannot read.

  • There is a key to encrypt Oracle Coherence-based session traffic.

  • During agent and application registration, a key is generated for encrypting and decrypting SSO Cookies (for Webgates and mod_osso).

Administrators use the Oracle-provided importcert tool for several different procedures related to keystores, keys, and certificates, as described in Securing Communication.

The WLST resetKeystorePassword method allows you to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value. See WLST Command Reference for WebLogic Server.

Table 5-5 identifies the generated Access Manager cryptographic keys.

Table 5-5 Access Manager Keys and Storage

Access Manager cryptographic keys:

  • One per-agent secret key shared between each 11g Webgate and the OAM Server

  • One global shared secret key used by all of your 10g Webgates

  • One OAM Server key

Key storage:

  • Agent side: the per-agent key is stored locally in the Oracle Secret Store, in a wallet file. The client keystores /scratch/clientTrustStore.jks and /scratch/clientKey.jks can be used.

  • OAM Server side: the per-agent keys and the server key are stored in .oamkeystore, in the credential store on the server side.

Keystores are not accessible using the Oracle Access Management Console. You can manage keystores and certificates as described in Securing Communication.

See Also:

"Identity Federation Keystore"

5.6.2 Access Manager Keystores

Keystores for Access Manager and Security Token Service are created and configured during the installation of Access Manager.

Table 5-6 provides a summary of keystores used for Access Manager.

Table 5-6 Keystores for Access Manager and Security Token Service

Keystore: System Keystore / Partner Keystore (.oamkeystore)
Location: $DOMAIN_HOME/config/fmwconfig/.oamkeystore
Description:

  • As the System Keystore, it is the container for keys and certificates associated with OAM Server instances (OAM secret keys and Security Token Service private keys for signing and encryption).

  • As the Partner Keystore, it is the container for keys and certificates used to establish trust with partners, clients, and agents. Partner keys and certificates are stored in .oamkeystore with sensitive information encrypted.

  • Only one System Keystore of type JCEKS can be present: .oamkeystore.

  • The certificate alias and password can be configured using the Oracle Access Management Console.

Keystore: Trust Keystore (amtruststore)
Location: $DOMAIN_HOME/config/fmwconfig/amtruststore
Description:

  • Used to validate keys and certificates presented by clients, to establish trust in entities interacting with OAM Server instances.

  • amtruststore is created during installation and must include at least one trusted anchor.

  • Managed with the JRE's keytool application. Security Token Service can use a custom trust keystore.

Keystore: Certificate Revocation Lists (CRL) (amcrl.jar)
Location: $DOMAIN_HOME/config/fmwconfig/amcrl.jar
Description:

  • Certificate revocation lists are stored in a ZIP archive on the filesystem. OAM Servers use them when performing CRL-based certificate revocation checking.

  • amcrl.jar contains CRL files in DER format.

  • The OAM Server registers a notification listener for the keystores and the CRL ZIP file. Any change to these files causes Security Token Service to reload the keystore or CRL ZIP at runtime, without requiring a restart.

  • amcrl.jar is created during installation and can be modified using the Oracle Access Management Console.

Keystore: Oracle WSM Agent Keystore (default-keystore.jks)
Description:

  • The Oracle WSM Agent uses this keystore for various cryptographic operations; for these operations it uses the keystore configured for Oracle WSM tasks.

  • Oracle strongly recommends that the Oracle WSM Agent keystore and the Access Manager and Security Token Service keystore always be different. Otherwise, keys would be available to any module authorized by OPSS to access the keystore, and Access Manager/Security Token Service keys might be accessed.

  See Also: "About the Oracle Web Services Manager Keystore (default-keystore.jks)"

Keystore: OPSS Keystore
Description:

  • For special cases where clients use referencing schemes such as SKI (as opposed to a certificate token being received as part of the web service request), the requester's certificates must be populated in the OPSS Keystore.

  • This is an uncommon scenario that requires manually provisioning keys to the OPSS keystore.

Keystore: .cohstore.jks
Description:

  • Stores the SSL key and certificate used to encrypt SSL communication between Coherence nodes. For information on securing Coherence communications, see the Oracle Coherence Security Guide.
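To make the file layout and CRL packaging in Table 5-6 concrete, the following read-only audit script is an added example; it is not part of the Oracle documentation or of the Access Manager product. It assumes the $DOMAIN_HOME/config/fmwconfig locations from the table, checks that .oamkeystore, amtruststore and amcrl.jar exist and are not readable by group or others (that permission threshold is the example's own assumption, not an Oracle requirement), checks that every entry in amcrl.jar is a single well-formed DER SEQUENCE (the outer CertificateList structure of a DER-encoded CRL, so a PEM file dropped into the archive is flagged), and checks that default-keystore.jks is not the same file as .oamkeystore, which the Oracle WSM Agent row advises against. The fixture it builds is constructed placeholder data, not real keystores.

```python
"""Read-only audit of an Access Manager fmwconfig directory (added example).

Checks:
  * .oamkeystore, amtruststore and amcrl.jar exist
  * none of them grants read/write/execute to group or others (assumed policy)
  * every entry in amcrl.jar is one well-formed DER SEQUENCE (a DER CRL)
  * default-keystore.jks, when present, is not the same file as .oamkeystore
"""
import os
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path

EXPECTED_FILES = (".oamkeystore", "amtruststore", "amcrl.jar")


def der_sequence_length(data: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE at the start of *data*,
    or -1 if there is no well-formed SEQUENCE header.  Handles short-form
    lengths (< 128) and long-form lengths of up to four octets (0x81..0x84)."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                               # short form
        return 2 + first
    num_octets = first & 0x7F                      # long form: 0x8N, then N octets
    if num_octets == 0 or num_octets > 4 or len(data) < 2 + num_octets:
        return -1
    length = int.from_bytes(data[2:2 + num_octets], "big")
    return 2 + num_octets + length


def check_crl_archive(path: Path) -> list:
    """Problems with the CRL ZIP: not a ZIP, no entries, or an entry whose
    bytes are not exactly one DER SEQUENCE (e.g. a PEM-encoded CRL)."""
    if not zipfile.is_zipfile(path):
        return [f"{path.name}: not a ZIP archive"]
    problems = []
    with zipfile.ZipFile(path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if not names:
            problems.append(f"{path.name}: archive contains no CRL entries")
        for name in names:
            blob = zf.read(name)
            if der_sequence_length(blob) != len(blob):
                problems.append(f"{path.name}:{name}: not a DER-encoded CRL")
    return problems


def audit_fmwconfig(fmwconfig: str) -> list:
    """Return a list of findings (empty list means every check passed)."""
    base = Path(fmwconfig)
    findings = []
    for name in EXPECTED_FILES:
        p = base / name
        if not p.is_file():
            findings.append(f"{name}: missing")
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:04o} grants group/other access")
    crl = base / "amcrl.jar"
    if crl.is_file():
        findings.extend(check_crl_archive(crl))
    oam, wsm = base / ".oamkeystore", base / "default-keystore.jks"
    if oam.is_file() and wsm.is_file():
        if os.path.samefile(oam, wsm) or oam.read_bytes() == wsm.read_bytes():
            findings.append("default-keystore.jks: same file or identical contents "
                            "as .oamkeystore (Oracle recommends separate keystores)")
    return findings


def build_sample_fmwconfig(insecure: bool = False) -> str:
    """Create a throwaway fmwconfig directory of constructed placeholder files
    (not real JKS/JCEKS keystores).  insecure=True reproduces three findings:
    a world-readable .oamkeystore, a PEM (non-DER) CRL entry, and a WSM
    keystore that is a byte-for-byte copy of .oamkeystore."""
    root = Path(tempfile.mkdtemp(prefix="fmwconfig-"))
    (root / ".oamkeystore").write_bytes(b"placeholder-oamkeystore")   # constructed
    (root / "amtruststore").write_bytes(b"placeholder-amtruststore")  # constructed
    good_crl = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 }: stands in for a CRL body
    with zipfile.ZipFile(root / "amcrl.jar", "w") as zf:
        zf.writestr("issuer1.crl", good_crl)
        if insecure:
            zf.writestr("issuer2.crl", b"-----BEGIN X509 CRL-----\n")  # PEM, not DER
    for name in EXPECTED_FILES:
        os.chmod(root / name, 0o600)
    if insecure:
        os.chmod(root / ".oamkeystore", 0o644)
        shutil.copyfile(root / ".oamkeystore", root / "default-keystore.jks")
    return str(root)


if __name__ == "__main__":
    for label, flag in (("clean fixture", False), ("insecure fixture", True)):
        print(f"{label}: {audit_fmwconfig(build_sample_fmwconfig(flag)) or 'no findings'}")
```

Point audit_fmwconfig at a real $DOMAIN_HOME/config/fmwconfig to run the same checks there; the script never writes to that directory, and only the fixture builder creates files, under a temporary path.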

5.6.3 Identity Federation Keystore

Identity Federation and Access Manager store key pairs and certificates that are used for digital signatures and encryption operations.

Identity Federation uses keys to:

  • Sign outgoing assertions

  • Decrypt incoming XML encrypted data contained inside the SAML message

The following keystore is used to store the encryption and signing certificates:

$DOMAIN_HOME/config/fmwconfig/.oamkeystore

Identity Federation uses CSF to securely store keystore passwords, as well as server credentials such as HTTP Basic Authentication usernames and passwords.