The following topics describe how to define Keystore settings for Federation:
You view and manage keystores configured for use with federation partners on the Federation Settings page of the console.
Figure 39-2 illustrates the expanded Federation Proxy Settings section of the Federation Settings page.
Figure 39-2 Keystore Settings
Table 39-4 describes each element on the Keystore Settings section of the Federation Settings page.
Table 39-4 Keystore Settings for Federation
This element specifies the keystore path.
This is the unique key ID.
This element provides a brief description of the key, such as its usage type.
This element specifies the key alias.
Note: You can choose one of the aliases that is available in the keystore using the drop-down.
This element specifies the key password.
As described in Managing Data Sources, Identity Federation uses keys in the following keystore to store encryption and signing certificates:
AM denotes Access Manager and IF denotes Identity Federation in this discussion.
You can reset the password that protects the keystores as well as the key entries which use the same password as the keystore.
The keystores have been created and configured by the IM/OAMAM installer, and the password and the key entries password were randomly generated. The WLST
resetKeystorePassword method allows you to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value. The command updates the:
Key entries in the .oamkeystore which had the same password as the keystore
OAMAM/IF configuration to reflect the change
amtruststore password if the keystore is protected by the same password as the .oamkeystore (default)
To set the system keystore (.oamkeystore) password:
You can add a new key entry into the system keystore (.oamkeystore) using the
keytool command to create and add the new key entry.
Once the entry has been added, it must be defined in the Identity Federation settings configuration screen so that it can be used to sign assertions and decrypt incoming messages.
The following topics describe how to add a new entry to the system keystore to sign SAML assertions or decrypt XML-encrypted data not covered by WSS:
There are no prerequisites for this task. The system keystore (.oamkeystore) password has been reset.
To add a new entry in the .oamkeystore:
Generate a self-signed certificate, or
Generate a certificate request, export the request to a remote Certificate Authority (CA), and finally import the certificate issued by the CA.
In the Identity Federation settings, you can add a new row to the Keystore table.
To add a new entry in the Identity Federation settings:
Once the key has been added to the keystore table, you can configure Identity Federation to use the key.
To configure the signing and encryption key:
Identity Federation will now use those keys to sign and decrypt messages.
Oracle Identity Federation supports RSA 1.5 as the key transport algorithm by default. The key transport algorithm can be changed from RSA 1.5 to RSA-OAEP based on the requirement, by adding a new property, defaultkeytransportmethod to oam-config.xml using the WLST commands.
You can configure the defaultkeytransportmethod parameter in oam-config.xml as follows:
<Setting Name=”defaultkeytransportmethod” Type=”xsd: xsd”> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p </Setting>
updatePartnerProperty(partnerName=”OIFSP”, partnerType=”SP”, propName=”defaultkeytransportmethod”, propValue=”http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”,type=”string”)
Note:This is a global change.