C.4 Configuring Cert Mode Communication for Access Manager

Configure Cert mode communication for Access Manager with at least one OAM Server instance running in the same mode as the agent.

This topic describes how to configure Cert mode communication for Access Manager. The following tasks apply to Cert mode only.

Note:

In Simple mode, the bundled Access Manager-CA-signed certificates are used and most of the following tasks are not needed.

Prerequisites

During agent registration, at least one OAM Server instance must be running in the same mode as the agent. Otherwise, registration fails. After agent registration, however, you could change the communication mode of the OAM Server.

Task overview: Adding certificates for the OAM Server includes

  1. Reviewing About Cert Mode Encryption and Files

  2. Generating a Certificate Request and Private Key for OAM Server

  3. Retrieving the OAM Keystore Alias and Password

  4. Importing the Trusted, Signed Certificate Chain Into the Keystore

  5. Adding Certificate Details to Access Manager Settings

  6. Generating a Private Key and Certificate Request for WebGates

  7. Updating WebGate to Use Certificates

C.4.1 About Cert Mode Encryption and Files

The certificate request for WebGate generates the request file aaa_req.pem, which you must send to a root CA that is trusted by the OAM Server. The root CA returns the certificates, which can then be installed either during or after 10g WebGate installation (for 11g WebGate these must be copied to the WebGate instance area manually after WebGate installation and configuration).

  • aaa_key.pem (reserved name for WebGate key file, which cannot be changed)

  • aaa_cert.pem (reserved name for WebGate certificate file, which cannot be changed)

  • aaa_chain.pem (reserved name for CA Cert for WebGate side)

During component installation in Cert mode, you are asked to present a certificate obtained from an external CA. If you do not yet have a certificate you can request one. Until you receive the certificate, you can configure the WebGate in Simple mode. However, you cannot complete OAM deployment until the certificates are issued and installed.

If you choose Cert mode when registering WebGate as an OAM Agent, a field appears where you can enter the Agent Key Password. When editing an 11g WebGate registration, password.xml is updated only when the mode is changed from Open to Cert or Simple to Cert. In cert mode, once generated, password.xml cannot be updated. Editing the agent Key Password does not result in creation of a new password.xml.

You must create a Cert request and send that to the CA. When the certificate is returned you must import it to the OAM Server (or copy it to the WebGate).

C.4.2 Generating a Certificate Request and Private Key for OAM Server

Use the following procedure to retrieve the private key, certificate, and CA certificate for the OAM Server.

Note:

The certified tool is openSSL. Oracle recommends that you use openSSL rather than other tools to generate certificates and keys in PEM format.

To retrieve the private key and certificates for OAM Server

  1. Generate both the certificate request (aaa_req.pem) and Private Key (aaa_key.pem) as follows:
    openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -config openssl_silent_ohs11g.cnf
    
    
  2. Submit the certificate request (aaa_req.pem) to a trusted CA.
  3. Download the CA Certificate in base64 as aaa_chain.pem.
  4. Download the Certificate in both base64 and DER format as aaa_cert.pem and aaa_cert.der.
  5. Encrypt the private key (aaa_key.pem) using a password as follows. The key written by -nodes in step 1 is not yet encrypted, so no -passin is needed; the password replaces the asterisks, and because openssl reads the whole input key before writing the output, the same file name can be used for -in and -out:
    openssl rsa -in aaa_key.pem -out aaa_key.pem -passout pass:******** -des
    
    A password given with pass: is visible in the shell history and to other users through ps. Omit -passout to be prompted for the password interactively, or use -passout file:<path> with a file that only the installing user can read. -des selects single DES, which OpenSSL 3.x provides only through its legacy provider.
    

    Tip:

    The common name for generating a certificate request for OAM server could be the host name of the OAM cluster's load balancer (global load balancer in case of MDC configuration) for clustered environments and the name of the host where OAM server is deployed for the non-clustered environments.

C.4.3 Retrieving the OAM Keystore Alias and Password

Users with valid Administrator credentials can perform the following task to retrieve the alias of the certificate in the specified keystore to be used for authentication, and the password that is required to import a certificate.

To retrieve the OAM Keystore password:

  1. Confirm the Oracle Access Management Console is running.

  2. On the computer hosting the Oracle Access Management Console, locate the WebLogic Scripting Tool in the OAM Installation path to use when retrieving the keystore password. For example:

    $ORACLE_IDM_HOME/common/bin/

    Here, $ORACLE_IDM_HOME is the base installation directory; /common/bin is the path in which the scripting tool is located.

  3. Start the WebLogic Scripting Tool:

    ./wlst.sh
    
  4. In the WLST shell, enter the command to connect and then enter the requested information. For example:

    wls:/offline> connect() 
    Please enter your username [weblogic] :  
    Please enter your password [welcome1] :
    Please enter your server URL [t3://localhost:7001] :
    wls:/base_domain/serverConfig>
    
  5. Enter the following command to change the location to the read-only domainRuntime tree (for help, use help(domainRuntime)). For example:

    wls:/base_domain/serverConfig> domainRuntime()
    
  6. Use the Oracle Enterprise Manager Console to retrieve the credentials for the OAM keystore.

    1. Login to the Oracle Enterprise Manager Console.

    2. Navigate to Farm_base_domain -> WebLogic Domain -> <domain name>

    3. Right click and select 'System mbean browser'.

    4. Search for JpsCredentialStore.

      Alternatively, navigate to application defined mbeans ->com.oracle.jps -> Domain: <domain name> -> JpsCredentialStore ->JpsCredentialStore

    5. Click the 'operations' tab in the right hand window.

    6. Click getPortableCredential.

    7. Enter OAM_STORE for Parameter 1 and jks for Parameter 2.

    8. Click Invoke.

      The returned value is the keystore password.

  7. Pay close attention to the password of the OAM Keystore that is displayed because this is required to import the certificates.

  8. Proceed to the following topic:

    See Importing the Trusted, Signed Certificate Chain Into the Keystore.

C.4.4 Importing the Trusted, Signed Certificate Chain Into the Keystore

The Oracle-provided importcert tool is used to import an existing private key and signed certificate (public key) file into the specified keystore format: JKS (client keystore format) or JCEKS (OAM Server keystore format, for instance .oamkeystore).

The keystores associated with Access Manager accept only PKCS8 DER format keys and DER format certificates:

  • If you have PEM format certificates signed by your certificate authority (CA), the following procedure describes how to convert and then import these using the importcert shipped with Access Manager.

  • If PEM format certificates are not available, create a certificate request and have it signed by your CA before beginning the following procedure.

Following are the steps for using the JDK version 8 keytool. If you have a different version of keytool, refer to the documentation for your JDK version.

Note:

When you use the keytool utility, the default key pair generation algorithm is Digital Signature Algorithm (DSA). However, Oracle Access Management and WebLogic Server do not support DSA and you must specify another key pair generation and signature algorithm.

Prerequisites

Retrieving the OAM Keystore Alias and Password

To import the trusted certificate chain into the keystore:

  1. For setting up the OAM Server in Cert mode, before making any changes to .oamkeystore, download the artifacts using the following offline WLST command:

    downloadAccessArtifacts(domainHome="/new/path/base_domain", propsFile="/path/dbschema.properties")
    
    ---- contents of dbschema.properties ----
    oam.entityStore.schemaUser=MYPREFIX_OAM
    oam.entityStore.schemaPassword=Secret
    oam.entityStore.ConnectString=jdbc:oracle:thin:@dbhost.us.oracle.com:1521/servicename.us.oracle.com
    

    Note:

    At every restart of the Admin Server, configuration changes are pulled in from the database. Run downloadAccessArtifacts before editing .oamkeystore and saveAccessArtifacts afterwards so that the Cert mode changes are persisted rather than overwritten at the next restart.
  2. Locate the keytool in the following path:

    $MW_HOME/jdk8/bin/keytool
    
  3. Unzip importcert.zip and locate the Readme file in the following location:

    $ORACLE_IDM_HOME/oam/server/tools/importcert/README 
    
  4. aaa_chain.pem: Using a text editor, modify the aaa_chain.pem file to remove all data except that which is contained within the CERTIFICATE blocks, then save the file.

      -----BEGIN CERTIFICATE-----
          ...
      -----END CERTIFICATE-----
    
    
  5. Import the trusted certificate chain using the following command with details for your environment, where <password> is the .oamkeystore password retrieved in Retrieving the OAM Keystore Alias and Password. Add -alias <name> to give the CA entry a recognizable alias; without it keytool stores the entry under the default alias mykey. For example:

    keytool -importcert -file aaa_chain.pem -trustcacerts -storepass <password> \
        -keystore $ORACLE_HOME/user_projects/domains/$DOMAIN/config/fmwconfig/.oamkeystore \
        -storetype JCEKS
    
    
  6. When prompted to trust this certificate, type yes.

  7. aaa_cert.pem:

    1. Edit aaa_cert.pem using a text editor to remove all data except that which is contained within the CERTIFICATE block (a CA portal or an openssl x509 -text dump typically prepends the decoded certificate text), and save the file in a new location to retain the original. For example:

        -----BEGIN CERTIFICATE-----
            ...
        -----END CERTIFICATE-----
      
      
    2. Enter the following command to convert the signed certificate (aaa_cert.pem) to DER format using openSSL or any other tool. For example:

      openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER
      
  8. aaa_key.pem:

    1. Edit aaa_key.pem to remove all data except that which is contained within the PRIVATE KEY block, and save the file in a new location to retain the original. The header line reads BEGIN RSA PRIVATE KEY, BEGIN PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY depending on the OpenSSL version and on whether the key was encrypted in step 5 of Generating a Certificate Request and Private Key for OAM Server; any Proc-Type and DEK-Info lines inside the block belong to the key and must stay. For example:

        -----BEGIN RSA PRIVATE KEY-----
            ...
        -----END RSA PRIVATE KEY-----
      
    2. Enter the following command to convert the private key (aaa_key.pem) to unencrypted PKCS8 DER format using openSSL or any other tool. If aaa_key.pem was encrypted in step 5, openssl prompts for that password. Because -nocrypt leaves the output unencrypted, restrict the permissions on aaa_key.der to the installing user and delete it once the import is complete. For example:

      openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER
      
      
  9. Import the DER format private key and signed certificate into the keystore. For example:

    1. Change to the importcert directory and run the tool with aaa_key.der, aaa_cert.der and details for your environment. For example:

      cd c:\Middleware\idm_home\oam\server\tools\importcert

      java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport
          -keystore <path to .oamkeystore> -privatekeyfile <path to aaa_key.der>
          -signedcertfile <path to aaa_cert.der> -alias <alias>
          [-storetype <> genkeystore <> -help]
      

      Note:

      Enter the key store password and alias password when prompted. Record the alias and the alias password: both are entered into the Access Manager settings in the next topic. On a Windows system, use a semicolon (;) instead of a colon (:) in the command line.

  10. After making changes, upload them to the database using the following offline WLST command:

    saveAccessArtifacts(domainHome="/mwhome/user_projects/domains/base_domain", propsFile="/path/dbschema.properties")
    

  11. Proceed to Adding Certificate Details to Access Manager Settings.
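The file preparation in steps 4, 7 and 8 above (trim the CA's output down to the PEM blocks, convert the certificate to DER and the key to unencrypted PKCS8 DER) is easy to get subtly wrong, and a key that does not match its certificate, or a certificate that was not issued by the chain in aaa_chain.pem, only shows up after the import. The script below is an added example written for this page, not Oracle code and not part of importcert; it assumes openssl is on the PATH and builds its own throw-away CA, key and certificate as constructed input, wrapping the certificate in the decoded text that an openssl x509 -text dump or a CA portal produces. It does not call keytool or importcert; it produces the aaa_cert.der and aaa_key.der files those tools consume and verifies them first.

```shell
#!/bin/sh
# Added example (not from Oracle's documentation): prepare and verify the files
# that importcert consumes. Assumptions: openssl on PATH; a scratch directory.
set -eu

# extract_pem_blocks IN OUT
#   Keeps only the -----BEGIN ...----- / -----END ...----- blocks (any Proc-Type
#   and DEK-Info lines inside an encrypted key block are kept too); drops all
#   decoded text, portal banners and blank lines around them.
extract_pem_blocks() {
    awk '/^-----BEGIN /,/^-----END /' "$1" > "$2"
}

# cert_pem_to_der IN OUT  (step 7.2 of the procedure)
cert_pem_to_der() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER
}

# key_pem_to_pkcs8_der IN OUT [PASSFILE]  (step 8.2 of the procedure)
#   Unencrypted PKCS#8 DER. PASSFILE is only needed when the PEM key was
#   passphrase protected earlier; the output is never encrypted, hence chmod 600.
key_pem_to_pkcs8_der() (
    in=$1; out=$2; passfile=${3:-}
    if [ -n "$passfile" ]; then
        openssl pkcs8 -topk8 -nocrypt -in "$in" -inform PEM -out "$out" -outform DER \
            -passin "file:$passfile"
    else
        openssl pkcs8 -topk8 -nocrypt -in "$in" -inform PEM -out "$out" -outform DER
    fi
    chmod 600 "$out"
)

# cert_matches_key CERT_DER KEY_DER -> 0 if the certificate carries the key's public key
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -inform DER -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# cert_chains_to CHAIN_PEM CERT_PEM -> 0 if aaa_chain.pem really issued aaa_cert.pem
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_fixture DIR: constructed input only. A private root CA, a server key and
# request, the signed certificate, and a text dump of that certificate in the
# form a CA portal or `openssl x509 -text` returns (decoded text plus PEM block).
make_fixture() (
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/aaa_chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=oam.example.com" \
        -keyout "$dir/aaa_key.pem" -out "$dir/aaa_req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/aaa_req.pem" -CA "$dir/aaa_chain.pem" -CAkey "$dir/ca_key.pem" \
        -CAcreateserial -days 30 -sha256 -out "$dir/signed.pem" 2>/dev/null
    openssl x509 -in "$dir/signed.pem" -text > "$dir/aaa_cert_from_ca.txt"
)

demo() (
    work=$(mktemp -d)
    make_fixture "$work"
    extract_pem_blocks "$work/aaa_cert_from_ca.txt" "$work/aaa_cert.pem"   # step 7.1
    cert_pem_to_der "$work/aaa_cert.pem" "$work/aaa_cert.der"             # step 7.2
    key_pem_to_pkcs8_der "$work/aaa_key.pem" "$work/aaa_key.der"          # step 8.2
    if cert_chains_to "$work/aaa_chain.pem" "$work/aaa_cert.pem"; then
        echo "aaa_chain.pem issued aaa_cert.pem"
    else
        echo "aaa_cert.pem was not issued by aaa_chain.pem"; rm -rf "$work"; return 1
    fi
    if cert_matches_key "$work/aaa_cert.der" "$work/aaa_key.der"; then
        echo "aaa_cert.der and aaa_key.der belong together: ready for importcert"
    else
        echo "aaa_cert.der does not match aaa_key.der"; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
)

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh prepare_oam_certs.sh demo` (the file name is a placeholder). In a real deployment, point the functions at the aaa_*.pem files returned by your CA and keep the unencrypted aaa_key.der only for as long as importcert needs it.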

C.4.5 Adding Certificate Details to Access Manager Settings

After importing the certificates into the keystore, add the alias and password that you specified earlier into Access Manager settings configuration in Oracle Access Management Console.

Note:

No explicit configuration is needed for Simple mode, which is provided out of the box.

To add certificate details to Access Manager Settings

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. In the Launch Pad tab, select Access Manager from the View drop-down menu in the Settings section.
  3. In the Access Protocol section, fill in the alias and alias password details acquired in the previous procedure. For example:

    Cert Mode Configuration

    PEM keystore Alias: my_keystore_alias

    PEM keystore Alias Password: my_keystore_alias_pw

  4. Click Apply to save the configuration.
  5. Close the page.
  6. Open the OAM Server registration page, click the Proxy tab, change the Proxy mode to Cert, and click Apply.
  7. Restart the OAM Server.
  8. Proceed to Generating a Private Key and Certificate Request for WebGates.

C.4.6 Generating a Private Key and Certificate Request for WebGates

Retrieve the private key, certificate, and CA certificate for the WebGate using openSSL.

The certified tool is openSSL. Oracle recommends that you use openSSL rather than other tools to generate certificates and keys in PEM format.

To retrieve the private key and certificates for WebGates

  1. Generate both the certificate request (aaa_req.pem) and Private Key (aaa_key.pem) as follows:
    openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -sha256
    
  2. Submit the certificate request (aaa_req.pem) to a trusted CA.
  3. Download the CA Certificate in base64 as aaa_chain.pem.
  4. Download the Certificate in base64 format as aaa_cert.pem.
  5. Encrypt the private key (aaa_key.pem) using a password as follows. The password replaces the asterisks and is the Agent Key Password that you enter in the WebGate registration in Updating WebGate to Use Certificates. The -sha256 option belongs to the req command in step 1; it is not an option of openssl rsa and must be omitted here. As in the OAM Server procedure, omit -passout to be prompted instead of placing the password on the command line:
    openssl rsa -in aaa_key.pem -out aaa_key.pem -passout pass:******** -des
    
    

    Tip:

    The common name for generating a certificate request for WebGates could be the host name of the Web Server where the agent is deployed.

  6. Proceed to Updating WebGate to Use Certificates.
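The openssl procedures for the OAM Server (Generating a Certificate Request and Private Key for OAM Server) and for WebGates (this topic) are the same three steps: generate an unencrypted key and a request, submit the request, then passphrase-protect the key. The following script is an added example, not part of this documentation or of any Oracle tool. It assumes openssl is on the PATH, supplies the subject with -subj instead of the openssl_silent_ohs11g.cnf configuration file, reads the passphrase from a file so that it never appears in shell history or in ps output, defaults to -des3 rather than the page's -des (single DES is a legacy-provider cipher on OpenSSL 3.x; pass -des as the third argument to follow the page exactly), and adds a check that the request and the protected key carry the same public key before the request is sent to the CA. The host name, directory and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from Oracle's documentation): key pair, certificate request
# and passphrase-protected key for an OAM Server or WebGate, plus a consistency
# check. Assumptions: openssl on PATH; passphrase supplied via a mode-600 file.
set -eu

# gen_key_and_csr DIR CN
#   Writes DIR/aaa_key.pem (unencrypted, as -nodes does) and DIR/aaa_req.pem.
#   CN is the host name by which the WebGate's web server or the OAM Server
#   (or its load balancer) is reached.
gen_key_and_csr() (
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -utf8 \
        -subj "/CN=$cn" \
        -keyout "$dir/aaa_key.pem" -out "$dir/aaa_req.pem" 2>/dev/null
    chmod 600 "$dir/aaa_key.pem"
)

# encrypt_key DIR PASSFILE [CIPHER]
#   Replaces DIR/aaa_key.pem with a passphrase-protected copy (step 5). The
#   passphrase is the first line of PASSFILE. CIPHER defaults to -des3.
encrypt_key() (
    dir=$1; passfile=$2; cipher=${3:--des3}
    openssl rsa -in "$dir/aaa_key.pem" -out "$dir/aaa_key.pem.tmp" \
        "$cipher" -passout "file:$passfile" 2>/dev/null
    mv "$dir/aaa_key.pem.tmp" "$dir/aaa_key.pem"
    chmod 600 "$dir/aaa_key.pem"
)

# key_is_encrypted KEYFILE -> 0 if the PEM is passphrase protected
#   Matches both "Proc-Type: 4,ENCRYPTED" (traditional format) and
#   "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8, the OpenSSL 3 default).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_matches_csr KEYFILE CSRFILE PASSFILE -> 0 if both carry the same public key
key_matches_csr() (
    key_pub=$(openssl pkey -in "$1" -passin "file:$3" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
)

# Constructed demo: scratch directory and a throw-away passphrase file.
demo() (
    work=$(mktemp -d)
    printf 'change-this-agent-key-password\n' > "$work/pass.txt"
    chmod 600 "$work/pass.txt"
    gen_key_and_csr "$work" "webgate01.example.com"
    encrypt_key "$work" "$work/pass.txt"
    if key_is_encrypted "$work/aaa_key.pem"; then
        echo "aaa_key.pem is passphrase protected"
    fi
    if key_matches_csr "$work/aaa_key.pem" "$work/aaa_req.pem" "$work/pass.txt"; then
        echo "aaa_req.pem matches aaa_key.pem; submit aaa_req.pem to the CA"
    else
        echo "key/request mismatch"; rm -rf "$work"; return 1
    fi
    openssl req -in "$work/aaa_req.pem" -noout -subject
    rm -rf "$work"
)

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh gen_oam_request.sh demo` (the file name is a placeholder). The passphrase in the file is the value you later enter as the Agent Key Password in the WebGate registration, so delete the file once the key has been protected.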

C.4.7 Updating WebGate to Use Certificates

For all communication modes (Open, Simple, or Cert), the Agent registration should be updated from the Oracle Access Management Console:

  • Registering an Agent: If you choose Cert mode when registering an OAM Agent, a field appears where you can enter the Agent Key Password.

  • Editing/Updating an Agent: When editing an 11g WebGate registration, password.xml is updated only when the mode is changed from Open to Cert or Simple to Cert.

    Editing the agent Key Password does not result in creation of a new password.xml. In Cert mode, once generated, password.xml cannot be updated.

Prerequisites

Adding Certificate Details to Access Manager Settings

To update the communication mode in the WebGate Agent registration

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Launch Pad tab, click Agents.
  3. On the Search page, define your criteria and open the desired agent registration, as described in "WebGate Search Controls".
  4. On the agent's registration page, locate the Security options and click Cert (or Simple).
  5. Cert Mode: Enter the Agent key Password as specified in Step 5 of "Generating a Private Key and Certificate Request for WebGates".
  6. Click Apply to submit the changes.
  7. Copy your updated WebGate files as follows:

    11g WebGate:

    • ObAccessClient.xml
    • cwallet.sso (11g WebGate only)
    • password.xml
    • From: $IDM_DOMAIN_HOME/output/AGENT_NAME

    • To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config

    10g WebGate: ObAccessClient.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/lib

    10g WebGate: password.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/config

  8. Copy the following files that were created when "Generating a Private Key and Certificate Request for WebGates":

    11g WebGate:

    • From:

      • aaa_key.pem: WebGate11g_home/webgate/ohs/tools/openssl
      • aaa_cert.pem: The location where this was saved after receiving from CA
      • aaa_chain.pem: The location where this was saved after receiving from CA
    • To: OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config

    10g WebGate:

    • From:

      • aaa_key.pem: The location where the private key file was generated
      • aaa_cert.pem: The location where this was saved after receiving from CA
      • aaa_chain.pem: The location where this was saved after receiving from CA
    • To: $WebGate_install_dir/oblix/config

  9. Restart the OAM Server and the Oracle HTTP Server instance.