Before you can configure the OAMCertificateVerifier, you must have the OAM Trusted Key for the embedded certificate that OAM Keystore uses. Once you identify the OAM Trusted Key, you must export the certificate to a local keystore that the OAMCertificateVerifier can access. Refer to the OAM documentation for detailed information on obtaining the OAM Trusted Key and exporting a certificate.

To export the OAM Identity Assertion X509 Certificate, perform the following. These steps assume that you are using Oracle WebLogic and may differ depending on your environment. Refer to your OAM documentation for information on performing these steps for other applications:

  1. Retrieve the Oracle Keystore Password using the WLST connect() command and then the listCred(map="OAM_STORE", key="jks") command. Make note of the password and location of the keystore.

  2. Export the certificate using the following syntax:

    keytool -exportcert -keystore $domain_home/config/fmwconfig/default-keystore.jks \
        -storetype JKS -alias keyname -file $cert_file

    Provide the location of the keystore noted in Step 1, the keystore type, the alias of the OAM Trusted Key and the name of the file that will hold the certificate. The following example, run from the base_domain/config/fmwconfig/ directory, exports the entry with alias assertion-key from the keystore .oamkeystore into the certificate file assertion.cer:

    keytool -exportcert -v -alias assertion-key -storetype JKS \
        -keystore .oamkeystore -file assertion.cer

  3. Once the certificate has been exported to the file you identified in Step 2, copy the certificate file to the ATG server.

  4. Import the certificate into the oamkeystore.ks on the ATG server by running the importcert command. The importcert command uses the following syntax:

    keytool -importcert -keystore $atg_keystore_file -storetype JKS \
        -alias $trusted_cert_alias -file $trusted_cert_file

    where $atg_keystore_file is the path of oamkeystore.ks on the ATG server (keytool creates the file if it does not already exist).

    For example:

    keytool -importcert -v -keystore C:\all\oamkeystore.ks
    -storetype JKS -alias assertion-key -file C:\all\assertion.cer

    This produces output similar to the following:

    Enter keystore password:
    Re-enter new password:
    Owner: CN=OAM User Assertion Issuer CA Root
    Issuer: CN=OAM User Assertion Issuer CA Root
    Serial number: 66
    Valid from: Tue May 21 05:54:34 CST 2013 until: Fri May 19 05:54:34 CST 2023
    Certificate fingerprints:
         MD5: 03:A3:6D:C7:AC:36:D7:30:01:6B:34:52:97:B0:DD:6B
         SHA1: 37:A7:CB:F0:3E:BF:99:D9:93:51:0D:B3:9C:AA:9C:43:0A:0C:30:79
         Signature algorithm name: MD5withRSA
         Version: 1
    Trust this certificate? [no]:  y
    Certificate was added to keystore
    [Storing c:\all\oamkeystore.ks]

    When prompted, enter a password for the ATG keystore and confirm it (the Re-enter new password prompt appears because keytool creates oamkeystore.ks on the first import); this is the value you set as keyStorePassword in Step 5. Before answering yes, compare the fingerprints that keytool prints with those of the same entry in the OAM keystore (for example, keytool -list -v -keystore .oamkeystore -alias assertion-key on the OAM host). The certificate is self-signed (Owner and Issuer are identical), so trust in the identity assertion rests entirely on this import; answer yes only if the fingerprints match.

  5. Configure the OamCertificateVerifier.properties file in your /localconfig directory to include the keystore location, type and password. The password is stored in clear text in this file, so restrict read access to it:

    $class=atg.userprofiling.oam.security.CertificateVerifier
    keystoreLocation=C:/all/oamkeystore.ks
    keystoreType=JKS
    certificateHeaderName=oam_identity_assertion
    keyStorePassword=oampass

  6. Configure the OamRemoteUserServlet.properties file in your /localconfig directory to add the OamCertificateVerifier:

    # add the OamCertificateVerifier to the trustVerifiers property
    trustVerifiers=\
                   /atg/userprofiling/oam/OamCertificateVerifier
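The export and import steps above, as an added shell example that is not part of the Oracle ATG documentation: one function for the export (Step 2) and one for the import (Step 4), where the import refuses to add the certificate unless its SHA1 fingerprint matches a value obtained from the OAM side, replacing the interactive "Trust this certificate?" answer with a check. The fingerprint helpers are exercised against a constructed sample of keytool output (the fingerprint printed in Step 4), so they run without a keystore; the script name, its argument order and the assertion.cer file name are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle ATG code. Assumes keytool is on PATH for the real
# export/import and the argument order: oam_keystore alias atg_keystore expected_sha1.

# Normalise a fingerprint for comparison: strip colons and spaces, upper-case it.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints denote the same digest, 1 otherwise.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Extract the SHA1 fingerprint from keytool -printcert / -list -v text on stdin.
sha1_from_printcert() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1
}

# Step 2: export the OAM Trusted Key certificate from the OAM keystore.
# keytool prompts for the keystore password noted in Step 1.
export_oam_cert() { # <oam_keystore> <alias> <out_cert_file>
    keytool -exportcert -v -storetype JKS -keystore "$1" -alias "$2" -file "$3"
}

# Step 4: import into the ATG keystore only if the file's SHA1 fingerprint
# equals the expected value. -noprompt suppresses the interactive trust
# question, which the fingerprint comparison has already answered.
import_trusted_cert() { # <cert_file> <atg_keystore> <alias> <expected_sha1>
    actual=$(keytool -printcert -v -file "$1" | sha1_from_printcert)
    if ! fp_matches "$actual" "$4"; then
        echo "refusing to import $1: SHA1 '$actual' does not match expected '$4'" >&2
        return 1
    fi
    keytool -importcert -v -noprompt -storetype JKS -keystore "$2" -alias "$3" -file "$1"
}

# Constructed sample of keytool output (the values shown in Step 4), so the
# fingerprint check can be exercised without a keystore or keytool.
SAMPLE_PRINTCERT='Owner: CN=OAM User Assertion Issuer CA Root
Issuer: CN=OAM User Assertion Issuer CA Root
Certificate fingerprints:
     MD5: 03:A3:6D:C7:AC:36:D7:30:01:6B:34:52:97:B0:DD:6B
     SHA1: 37:A7:CB:F0:3E:BF:99:D9:93:51:0D:B3:9C:AA:9C:43:0A:0C:30:79'

# Returns 0 when the sample certificate's SHA1 matches the given value.
sample_cert_matches() { # <expected_sha1>
    fp_matches "$(printf '%s\n' "$SAMPLE_PRINTCERT" | sha1_from_printcert)" "$1"
}

# Run the real procedure only when invoked with four arguments, e.g.
#   sh oam_cert.sh .oamkeystore assertion-key /path/to/oamkeystore.ks <sha1>
if [ $# -eq 4 ]; then
    export_oam_cert "$1" "$2" assertion.cer
    import_trusted_cert assertion.cer "$3" "$2" "$4"
fi
```

Obtain the expected SHA1 on the OAM host with keytool -list -v against the OAM keystore and pass it as the fourth argument; the comparison ignores case and colons, so the value can be pasted as keytool prints it or as a bare hex string.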

Once you have configured the X.509 certificate validation, you can provide additional validation by configuring the system to recognize OAM authentication cookies.

Configuring OAM Authentication Cookies

By default, OAM maintains a session cookie that uses the OAMAuthnCookie<host:port><random number> format. For detailed information on OAM authentication cookies and their formats, refer to your OAM documentation.

The ATG platform can be configured to check for the presence of OAM authentication cookies by performing the following steps:

Note that OAM adds this cookie to all HTTP requests. This is different from the Identity Assertion header, which is only added to requests that result in SSO user authentication and the creation of a new OAM SSO session.

Note: It may be necessary to add or update the user-defined parameter filterOAMAuthnCookie in the WebGate 11g configuration with a value of false. Refer to the Administrator’s Guide for Oracle Access Manager for details on the user-defined parameter filterOAMAuthnCookie. It may be necessary to restart the web server hosting the WebGate for the change to take effect.


Copyright © 1997, 2014 Oracle and/or its affiliates. All rights reserved. Legal Notices