3 Managing Common Services and Certificate Validation

This chapter explains how to configure properties that are used in common by the services integrated into Oracle Access Management.

This chapter contains the following sections:

  • Section 3.1, "Configuring Oracle Access Management"

  • Section 3.2, "Enabling or Disabling Available Services"

  • Section 3.3, "Managing Common Settings"

  • Section 3.4, "Managing Certificate Validation and Revocation"

3.1 Configuring Oracle Access Management

This section introduces the Oracle Access Management options and settings collectively called Configuration. Unless explicitly stated, these Configuration options are shared by all Access Manager servers and services in the domain. Figure 3-1 shows the Configuration options defined in the new Oracle Access Management Console.

Figure 3-1 Oracle Access Management Configuration Options


Table 3-1 describes the Configuration options. The items listed apply to all services in the suite.

Table 3-1 Configuration Options

Available Services
  See "Enabling or Disabling Available Services".

User Identity Stores
  See "Managing OAM Identity Stores" in Chapter 5, "Managing Data Sources."

Administration
  See Chapter 4, "Delegating Administration."

Certificate Validation
  Provides access to the certificate revocation list and OCSP/CDP settings.
  See "Managing Certificate Validation and Revocation".

Server Instances
  Provides access to all registered OAM Server instances.
  See Chapter 6, "Managing Server Registration".

Common Settings
  Provides configurations that apply to all Oracle Access Management services, including Session properties, Oracle Coherence, Auditing, and Default and System Identity Stores.
  See "Managing Common Settings".

Access Manager Settings
  Provides access to Access Manager operation configurations.

Mobile and Social Settings
  Provides access to configurations for Oracle Access Management Mobile and Social.
  See "Managing Oracle Access Management Mobile and Social".

Federation Settings
  Provides access to configurations for Oracle Access Management Identity Federation.
  See Chapter 5, "Managing Data Sources".

Security Token Service Settings
  Provides access to configurations for Oracle Access Management Security Token Service.
  See "Managing Oracle Access Management Security Token Service".

Access Portal Settings
  Provides access to configurations for Oracle Access Portal.
  See "Managing Oracle Access Management Oracle Access Portal".


3.2 Enabling or Disabling Available Services

Figure 3-2 shows the Available Services page of the Common Configuration section, which provides the status of services, and controls to enable or disable a service. Initially, only Access Manager services are enabled. Oracle Access Management Administrators must enable a service in the Oracle Access Management Console to use the related functionality. The exception to this is Identity Context, which is enabled by default and does not have any controls to disable it.

Figure 3-2 Available Services


A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a line through it indicates that the corresponding service is disabled.

Table 3-2 Common Services

Access Manager
  Access Manager functionality is enabled by default. The Access Manager service is required to set SSO policies, to configure Access Manager and Common Configuration, and when REST Services are enabled.
  Default: Enabled
  No other services are required for Access Manager and Common Configuration.

Identity Federation
  Must be enabled to manage the federation partners.
  Default: Disabled
  Note: The Access Manager service must also be enabled because Identity Federation is another authentication module.
  See Also: Part II, "Managing Oracle Access Management Identity Federation".

Security Token Service
  Enable this service to use Security Token Service functionality.
  Default: Disabled
  The Access Manager service is not required.
  See Also: Part II, "Managing Oracle Access Management Security Token Service".

Mobile and Social
  Mobile and Social Services can be deployed in either of two ways:
    • As part of Oracle Access Management, where Access Manager is enabled by default and Mobile and Social must be enabled manually to operate together with Access Manager.
    • Oracle Access Management and Mobile and Social only, where only Mobile and Social is enabled by default, to work on its own (or with a remote Access Manager).
  See Also: Part II, "Managing Oracle Access Management Mobile and Social".

Access Portal
  Must be enabled to manage Access Portal.
  Default: Disabled
  See Part II, "Managing Oracle Access Management Oracle Access Portal".


Prerequisites

WebLogic AdminServer must be running.

See Using the New Oracle Access Management Console.

To enable or disable a service

From the Oracle Access Management Console Launch Pad, click Available Services under Configuration.

  1. Click Enable beside the desired service name (or confirm that the Status check mark is green).

  2. Click Disable beside the desired service name (or confirm that the Status indicator is red).

3.3 Managing Common Settings

The Common Settings apply to all OAM Server instances and services. This section provides the following topics:

  • Section 3.3.1, "About Common Settings Pages"

  • Section 3.3.2, "Managing Common Settings"

  • Section 3.3.3, "Viewing Common Coherence Settings"

3.3.1 About Common Settings Pages

Common Settings apply to all services within the suite. Figure 3-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.

Figure 3-3 Common Settings Page (Collapsed View)


Oracle Access Management Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 3-3.

Table 3-3 Common Settings

Session
  Session configuration refers to managing the lifecycle requirements of a session and notifying entities of events so that global logout is possible. Global logout is required for OSSO Agents (mod_osso) to ensure that logging out of a session on any entity propagates the logout to all entities.
  See Also: "Managing Common Settings".

Coherence
  Common Oracle Coherence settings shared by all OAM Servers differ from those for individual OAM Servers. In both cases, however, Oracle recommends that you make no adjustments to these settings unless instructed to do so by an Oracle Support Representative.
  See Also: "Managing Common Settings".

Audit Configuration
  Oracle Access Management supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Management auditing configuration is recorded in oam-config.xml.
  See Also: "Managing Common Settings" and "Using the Oracle Access Management Console for Audit Configuration".

Default and System Identity Stores
  This section identifies the default identity store and the system store, which can be one and the same (or different).
  See Also: "Managing Common Settings".


See Also:

Details for other operations common to all OAM components:

3.3.2 Managing Common Settings

Users with valid Oracle Access Management Administrator credentials can perform the following task to display the Common Settings page and perform changes. Included in each main step is a reference to more information elsewhere in this book.

Prerequisites

The OAM Server must be running.

To manage common settings

  1. From the Launch Pad, click Common Settings.

  2. Session:

    1. On the Common Settings page, expand the Session section.

    2. Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed:

      • Session Lifetime (minutes)

      • Idle Timeout (minutes)

      • Maximum Number of Sessions per User

    3. Database Persistence: Check the box to enable Database Persistence for Active Sessions (or clear it to disable Database Persistence).

    4. Click Apply to submit your changes.

    5. See Also: Chapter 17, "Maintaining Access Manager Sessions".

  3. Coherence: See "Viewing Common Coherence Settings".

  4. Audit Configuration:

    1. Open the Audit Configuration section.

    2. In the Audit Configuration section, enter appropriate details for your environment:

      • Maximum (Log) Directory Size

      • Maximum (Log) File Size

      • Filter Enabled

      • Filter preset (select from the list to define the verbosity of audit data)

      • Audit Configuration Table: Use the Add (+) or Delete (x) buttons to specify users.

    3. Click Apply to submit the Audit Configuration (or close the page without applying changes).

    4. See Also: Chapter 9, "Auditing Administrative and Run-time Events".

  5. Default Store and System Stores:

    1. Expand the Default and System Identity Stores section.

    2. Click the name of the System Store (or Default Store) to display the configuration page.

    3. See "Setting the Default Store and System Store" for more information.

3.3.3 Viewing Common Coherence Settings

Figure 3-4 shows the Common Settings page with the coherence section expanded.

Note:

Oracle strongly recommends that you do not alter these settings without the assistance of Oracle Support.

Figure 3-4 Common Coherence Settings


Table 3-4 describes these settings.

Table 3-4 Common Coherence Settings

Element          Description
Port             Value between 1 and 65535 is supported.
Cluster Address  Value between 224.1.255.0 and 239.255.255.255 is allowed.
Time to Live     Value between 0 and 255 is supported.
Cluster Port     Value between 1 and 65535 is supported.


To view Common Coherence settings

  1. From the System Configuration tab, expand the Common Configurations section, and double-click Common Settings.

  2. On the Common Settings page, expand the Coherence section.

  3. Close the page when you finish; do not make any changes.

3.4 Managing Certificate Validation and Revocation

The Certificate Validation module is used by the Security Token Service to validate X.509 tokens and to verify whether or not the certificates have been revoked. It supports the following options.

  • A Certificate Revocation List (CRL) is a list of certificates (identified by serial numbers) that have been revoked. Revoked certificates are listed with a reason, an issue date, and the issuing entity. (In addition, each list contains a proposed date for the next release.) Entities presenting these (revoked) certificates should no longer be trusted. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for the particular user. For more information, see Section 3.4.1, "Managing Certificate Revocation Lists."

  • The Online Certificate Status Protocol (OCSP) was developed as an alternative to CRLs. OCSP specifies how the client application that requests information on a certificate's status will obtain it from the server that responds to the request. An OCSP responder can return a signed response signifying that the certificate specified in the request is either good, revoked or unknown. If the OCSP cannot process the request, it returns an error code. For more information, see Section 3.4.2, "Enabling OCSP Certificate Validation."

  • A CRL Distribution Point (CDP) extension contains information about the location of Certificate Revocation Lists (CRLs) and OCSP servers. You can use the Administration Console to define these points. For more information, see Section 3.4.3, "Enabling CRL Distribution Point Extensions."

The following sections provide more information.

3.4.1 Managing Certificate Revocation Lists

Users with Oracle Access Management Administrator credentials can use the following procedure to enable the CRL functionality and import a current Certificate Authority Certificate Revocation List (CA CRL).

Prerequisites

Have your CA CRL ready to import.

To import Certificate Revocation Lists

  1. Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.

    The Certificate Revocation List tab is displayed.

  2. Confirm that the Enabled box is checked.

  3. Add or remove a CRL.

    • Add: Click the Add (green plus sign) button, browse for the CRL file, select it, and click Import.

    • Remove: Click the name of the list in the table, click the Delete (x) button, and confirm when asked.

    Figure 3-5 is a screenshot of the pop-up window used to add a CA CRL to the CRL List using the Administration Console.

    Figure 3-5 Certificate Revocation List Dialog Box


  4. Click Apply to save the configuration.

  5. Proceed to "Enabling OCSP Certificate Validation".

Note:

To search for CRLs in the table, enable Query by Example from the View drop-down. Enter filter strings in the header fields displayed and hit Enter.

3.4.2 Enabling OCSP Certificate Validation

Users with Oracle Access Management Administrator credentials can use the following procedure to enable the OCSP.

Prerequisites

Have the URL of the OCSP service ready to import.

To enable OCSP certificate validation

  1. Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.

    The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.

  2. Click the OCSP/CDP tab.

    1. Enable OCSP.

    2. Enter the URL of the OCSP Service.

    3. Enter the Subject DN of the OCSP Service.

    4. Save this configuration.

    Figure 3-6 illustrates how to add an OCSP URL using the Administration Console. See "Using the configureOAMOCSPCertValidation WLST Command" for details on how to do this using the WLST command.

    Figure 3-6 OCSP/CDP Settings


  3. Proceed to "Enabling CRL Distribution Point Extensions".

3.4.3 Enabling CRL Distribution Point Extensions

Users with Oracle Access Management Administrator credentials can use the following procedure to add CRL distribution points in issued certificates.

To enable CDP

  1. Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.

    The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.

  2. Open the OCSP/CDP tab.

    1. Enable CDP.

    2. Save this configuration.

    Figure 3-6 illustrates this.

3.4.4 Additional OCSP Configurations

Support for HTTP Proxy and multiple OCSP Responder configurations has been added in this 11g Release 2 (11.1.2.2) version of Oracle Access Manager. Example 3-1 illustrates the current Certificate Validation Module configuration.

Example 3-1 Certificate Validation Module Configuration

<Setting Name="CertValidationModule" Type="htf:map">
      <Setting Name="certpathvalidationocspcertsubject" 
          Type="xsd:string"></Setting>
      <Setting Name="certpathvalidationocspurl" Type="xsd:string"></Setting>
      <Setting Name="certvalidationcrlstorelocation" 
           Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/
           domains/base_domain/config/fmwconfig/amcrl.jar</Setting>
      <Setting Name="defaulttrustcastorelocation"     
           Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/
           domains/base_domain/config/fmwconfig/amtruststore</Setting>
      <Setting Name="defaulttrustcastoretype" Type="xsd:string">jks</Setting>
      <Setting Name="certpathvalidationcdpenabled" 
           Type="xsd:boolean">false</Setting>
      <Setting Name="certpathvalidationcrlenabled" 
           Type="xsd:boolean">false</Setting>
      <Setting Name="certpathvalidationocspenabled" 
           Type="xsd:boolean">false</Setting>
</Setting>

The following sections contain configuration information for these new features.

3.4.4.1 Using WLST to Configure HTTP Proxy

The Oracle Access Manager OCSP checker can perform authentication against OCSP responders that are outside an enterprise's intranet through an HTTP proxy. Use the updateHTTPProxyConfig WLST command to configure the proxy.

3.4.4.1.1 Using the updateHTTPProxyConfig WLST Command

Online command that configures the OAM OCSP checker to use an HTTP proxy.

3.4.4.1.2 Description

Adds or updates proxy information.

3.4.4.1.3 Syntax

updateHTTPProxyConfig(proxyHost, proxyPort, conTimeOut)

Argument     Definition
proxyHost    Mandatory. The host name of the proxy.
proxyPort    Mandatory. The port number of the proxy.
conTimeOut   Mandatory. The connection timeout in milliseconds.

3.4.4.1.4 Example

updateHTTPProxyConfig(proxyHost="hostname.example.com", proxyPort="8888",
  conTimeOut="600")

3.4.4.2 Configuring Multiple OCSP Responders

Certificate authentication currently supports authentication against a single OCSP responder as documented in "Enabling OCSP Certificate Validation". Support for multiple OCSP responders has been added since the responder URL is now part of the certificate's Authority Information Access Extension. To support multiple OCSP Responders, the three lines of configuration in Example 3-2, "Multiple OCSP Responder Configuration" must be added to the top of the Certificate Validation Module configuration section (illustrated in Example 3-1).

Example 3-2 Multiple OCSP Responder Configuration

<Setting Name="CertValidationModule" Type="htf:map">
      <Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
          <Setting Name="<url_value>" Type="xsd:string">
              <ocsp_responder_subject></Setting>
      </Setting>
      <Setting Name="useJDKOCSP" Type="xsd:string">false</Setting>
      ...
</Setting>

Configure the first and second lines to enable multiple OCSP responders.

  • Set certpathvalidationocspenabled to true.

  • Update the certpathvalidationocspurltocamap configuration. It is of type Map, the key is the OCSP Responder URL (URL Encoded) and the value is the OCSP Responder's Certificate subject.

    <Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
         <Setting Name="http%3A%2F%2Flocalhost%3A9797" Type="xsd:string">
         emailAddress=sagar@pspl.com,CN=ps2436,OU=OBLIX-QA,O=PSPL,
         L=PUNE,ST=MAHA,C=MY</Setting>
    </Setting>

  • (Optionally) set values for certpathvalidationocspcertsubject and certpathvalidationocspurl.

The Responder URLs will be fetched first from the AuthorityInformationAccess extension of the user's X.509 certificate and second from Modules/Plugin (CertValidation). The Responder Subjects will be fetched first from the defined configuration map and second from the Module/Plugin (CertValidation) configuration. In cases where these configurations are not found, the OCSP validation will fail.

Configure the third line to provide backward compatibility for those who want to use JDK OCSP validation rather than the new OAM OCSP Checker. By default, the JDK OCSP Checker is enabled. When configuring the OAM OCSP Checker using the WLST command, the flag is set to false. For more information on the WLST command, see Section 3.4.5, "Using the configureOAMOCSPCertValidation WLST Command."

Depending on the Certificate Validation Module configuration there are three different options as documented in Table 3-5.

Table 3-5

No OCSP Checking
  Simple certificate validation is performed during OAM X.509 authentication.
  OCSP Configuration (certpathvalidationocspenabled): False
  CRL Configuration (certpathvalidationcrlenabled): False
  JDK/OAM OCSP Configuration (useJDKOCSP): False

OAM OCSP
  X.509 authentication performs certificate validation with OCSP checking using the new OAM OCSP Checker.
  OCSP Configuration (certpathvalidationocspenabled): True
  CRL Configuration (certpathvalidationcrlenabled): True/False (does not matter)
  JDK/OAM OCSP Configuration (useJDKOCSP): False

JDK OCSP
  X.509 authentication performs certificate validation with OCSP checking using the JDK OCSP Checker.
  OCSP Configuration (certpathvalidationocspenabled): True
  CRL Configuration (certpathvalidationcrlenabled): True
  JDK/OAM OCSP Configuration (useJDKOCSP): True


To enable OCSP validation to be done using one configured responder URL, set the certpathvalidationcrlenabled and certpathvalidationocspenabled properties to true and set values for the certpathvalidationocspcertsubject and certpathvalidationocspurl properties. If these properties are not set, OCSP validation will be done using the responder URL defined within the user certificate's AIA Extension. If no URL is defined, OCSP validation will fail.
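The following Python script is an added illustration, not Oracle code and not part of this guide. It parses a CertValidationModule fragment in the oam-config.xml shape of Examples 3-1 and 3-2 (htf:map elements become dicts, xsd:boolean values become booleans, URL-encoded map keys are decoded), names the Table 3-5 row a given combination of flags falls into, and resolves the responder URL and subject in the order Section 3.4.4.2 gives for the multiple-responder setup: URLs from the certificate's AIA extension before certpathvalidationocspurl, subjects from certpathvalidationocspurltocamap before certpathvalidationocspcertsubject, with an empty result standing for the failure case the text describes. The embedded configuration, host names and subject names are constructed placeholders; the AIA URLs are passed in as already extracted from the certificate, since reading the X.509 extension itself is outside what this example shows.

```python
"""Resolve OCSP responder choice from a CertValidationModule fragment (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample in the shape of Examples 3-1 and 3-2. The host names and subject
# names are placeholders for this example, not values from any real deployment.
SAMPLE_CONFIG = """\
<Setting Name="CertValidationModule" Type="htf:map">
  <Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
    <Setting Name="http%3A%2F%2Focsp.example.test%3A9797"
        Type="xsd:string">CN=ocsp-responder,O=Example</Setting>
  </Setting>
  <Setting Name="useJDKOCSP" Type="xsd:string">false</Setting>
  <Setting Name="certpathvalidationocspcertsubject" Type="xsd:string"></Setting>
  <Setting Name="certpathvalidationocspurl" Type="xsd:string"></Setting>
  <Setting Name="certpathvalidationcdpenabled" Type="xsd:boolean">false</Setting>
  <Setting Name="certpathvalidationcrlenabled" Type="xsd:boolean">false</Setting>
  <Setting Name="certpathvalidationocspenabled" Type="xsd:boolean">true</Setting>
</Setting>
"""


def _convert(node):
    """Convert one <Setting>: an htf:map becomes a dict keyed by Name, an xsd:boolean
    becomes a bool, anything else is returned as a stripped string."""
    if node.get("Type") == "htf:map":
        # Map keys are stripped because a stray space in Name would break the URL lookup.
        return {child.get("Name", "").strip(): _convert(child) for child in node}
    text = (node.text or "").strip()
    if node.get("Type") == "xsd:boolean":
        return text.lower() == "true"
    return text


def parse_cert_validation_module(xml_text):
    """Parse the CertValidationModule <Setting> fragment into a plain dict."""
    root = ET.fromstring(xml_text)
    if root.get("Name") != "CertValidationModule":
        raise ValueError("not a CertValidationModule fragment")
    return _convert(root)


def validation_mode(module):
    """Return the Table 3-5 row that the three flags select."""
    ocsp_enabled = bool(module.get("certpathvalidationocspenabled", False))
    crl_enabled = bool(module.get("certpathvalidationcrlenabled", False))
    # useJDKOCSP is stored as a string; the text says the JDK checker is the default
    # when the flag has never been set.
    use_jdk = str(module.get("useJDKOCSP", "true")).strip().lower() == "true"
    if not ocsp_enabled:
        return "No OCSP Checking"
    if not use_jdk:
        return "OAM OCSP"  # the CRL flag does not matter for this row
    if crl_enabled:
        return "JDK OCSP"
    return "undocumented combination"  # OCSP on, JDK checker on, CRL off: no Table 3-5 row


def resolve_ocsp_responders(module, aia_ocsp_urls):
    """Return (url, subject) pairs in the order given for the multiple-responder setup:
    responder URLs from the certificate's AIA extension first, then the configured
    certpathvalidationocspurl; subjects from certpathvalidationocspurltocamap first,
    then certpathvalidationocspcertsubject. An empty result means OCSP validation fails."""
    url_map = {unquote(k): v
               for k, v in module.get("certpathvalidationocspurltocamap", {}).items()}
    fallback_subject = module.get("certpathvalidationocspcertsubject") or None
    candidates = list(aia_ocsp_urls)
    configured_url = module.get("certpathvalidationocspurl")
    if configured_url:
        candidates.append(configured_url)
    resolved = []
    for url in candidates:
        subject = url_map.get(url) or fallback_subject
        if subject:  # a URL with no known responder subject cannot be used
            resolved.append((url, subject))
    return resolved


if __name__ == "__main__":
    module = parse_cert_validation_module(SAMPLE_CONFIG)
    print("mode:", validation_mode(module))
    # AIA URL passed in as already extracted from the certificate (constructed value).
    print("responders:", resolve_ocsp_responders(module, ["http://ocsp.example.test:9797"]))
```

Running the script against the embedded sample reports the "OAM OCSP" row (OCSP enabled, useJDKOCSP false) and pairs the AIA URL with the subject from the map; passing an AIA URL that is absent from the map, with no certpathvalidationocspcertsubject fallback, yields an empty list, which is the "validation will fail" outcome the text describes.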

3.4.5 Using the configureOAMOCSPCertValidation WLST Command

Online command that updates the OAM OCSP configuration. It can:

  • Update or add an OCSP responder URL and subject details in the "certpathvalidationocspurltocamap" property

  • Clear the newly added configuration; for example, "certpathvalidationocspurltocamap"

  • Set or unset the "useJDKOCSP" flag to enable or disable JDK OCSP

3.4.5.1 Description

Updates the OAM OCSP configuration by adding/modifying the OCSP responder URL and subject details in the certpathvalidationocspurltocamap property and enabling/disabling the use of the JDK OCSP Checker.

3.4.5.2 Syntax

configureOAMOCSPCertValidation(url, subject, clear (optional),
  display (optional), useJDKOCSP (optional))

Argument    Definition
url         Mandatory. The OCSP responder URL.
subject     Mandatory. The OCSP responder's certificate subject details being added or modified.
clear       Optional. Takes a value of true or false.
display     Optional. Takes a value of true or false.
useJDKOCSP  Optional. Takes a value of true or false.

3.4.5.3 Examples

The following example enables the OAM OCSP and sets the Responder URL and subject.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="cert-subject-detail")

The following example enables the OAM OCSP and updates the Responder URL and subject.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="details changed/updated")

The following example disables and clears the OAM OCSP.

configureOAMOCSPCertValidation(url="http://sample:9898",
    subject="subject-detail", clear="true")

The following example enables/disables the JDK OCSP.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="details changed/updated", useJDKOCSP="true")