39.5 Defining Keystore Settings for Federation

The following topics describe how to define Keystore settings for Federation:

39.5.1 About Managing Keytore Settings for Identity Federation

You view and manage keystores configured for use with federation partners on the Federation Settings page of the console.

Figure 39-2 illustrates the expanded Federation Proxy Settings section of the Federation Settings page.

Figure 39-2 Keystore Settings

Description of Figure 39-2 follows
Description of "Figure 39-2 Keystore Settings"

Table 39-4 describes each element on the Keystore Settings section of the Federation Settings page.

Table 39-4 Keystore Settings for Federation

Element Description

Keystore Location

This element specifies the keystore path.

Key ID

This is the unique key ID.

Description

This element provides a brief description of the key, such as its usage type.

Alias

This element specifies the key alias.

Note: You can choose one of the aliases that is available in the keystore using the drop-down.

Password

This element specifies the key password.

39.5.2 Managing Identity Federation Encryption/Signing Keys

As described in Managing Data Sources, Identity Federation uses keys in the following keystore to store encryption and signing certificates:

$DOMAIN_HOME/config/fmwconfig/.oamkeystore

39.5.2.1 Task Overview: Managing Identity Federation Encryption/Signing Keys

Note:

AM denotes Access Manager and IF denotes Identity Federation in this discussion.

39.5.2.2 Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password

You can reset the password that protects the keystores as well as the key entries which use the same password as the keystore.

The keystores have been created and configured by the IM/OAMAM installer, and the password and the key entries password were randomly generated. The WLST resetKeystorePassword method allows you to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value. The command updates the:

  • .oamkeystore password

  • Key entries in the .oamkeystore which had the same password as the keystore

  • OAMAM/IF configuration to reflect the change

  • amtruststore password if the keystore is protected by the same password as the .oamkeystore (default)

To set the system keystore (.oamkeystore) password:

  1. Enter the WLST scripting environment.
  2. Connect to the WebLogic Server AdminServer, using the connect() command.
  3. Navigate to the domain runtime tree: domainRuntime() .
  4. Execute the following command:
    resetKeystorePassword()
    
  5. Enter and confirm the password.

39.5.2.3 Adding a New Key Entry to the System Keystore (.oamkeystore)

You can add a new key entry into the system keystore (.oamkeystore) using the keytool command to create and add the new key entry.

Once the entry has been added, it must be defined in the Identity Federation settings configuration screen so that it can be used to sign assertions and decrypt incoming messages.

39.5.2.3.1 Task Overview: Adding a New Key Entry to the System Keystore (.oamkeystore)

The following topics describe how to add a new entry to the system keystore to sign SAML assertions or decrypt XML-encrypted data not covered by WSS:

39.5.2.3.2 Adding a New Entry in the .oamkeystore

There are no prerequisites for this task. The system keystore (.oamkeystore) password has been reset.

To add a new entry in the .oamkeystore:

  1. Locate keytool.
  2. Use keytool to:
    • Generate a self-signed certificate, or

    • Generate a certificate request, export the request to a remote Certificate Authority (CA), and finally import the certificate issued by the CA.

39.5.2.3.3 Adding a New Entry in the Identity Federation Settings

In the Identity Federation settings, you can add a new row to the Keystore table.

To add a new entry in the Identity Federation settings:

  1. In the Oracle Access Management Console, click Federation at the top of the window.
  2. In the Federation console, Select Federation from the drop-down list in the Settings section.
  3. On the Federation Settings page, navigate to the Keystore table.
  4. Add a row.
  5. Enter a key ID that will be used to reference this key when configuring Identity Federation.
  6. Select the alias of the key entry stored in .oamkeystore.
  7. Enter the key password.
  8. Click Apply.

39.5.2.3.4 Configuring the Signing and Encryption Key

Once the key has been added to the keystore table, you can configure Identity Federation to use the key.

To configure the signing and encryption key:

  1. In the Oracle Access Management Console, click Federation at the top of the window.
  2. In the Federation console, Select Federation from the drop-down list in the Settings section.
  3. Navigate to the General section.
  4. Select the Signing Key from the list of available key entries that were defined in the keystore table.
  5. Select the encryption key from the list of available key entries that were defined in the keystore table.
  6. Click Apply.

Identity Federation will now use those keys to sign and decrypt messages.

39.5.2.3.5 Using WLST for Key Transport Algorithm

Oracle Identity Federation supports RSA 1.5 as the key transport algorithm by default. The key transport algorithm can be changed from RSA 1.5 to RSA-OAEP based on the requirement, by adding a new property, defaultkeytransportmethod to oam-config.xml using the WLST commands.

You can configure the defaultkeytransportmethod parameter in oam-config.xml as follows:

<Setting Name=”defaultkeytransportmethod” Type=”xsd: xsd”>
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
</Setting>
For example:
  • To update the key transport algorithm for a specific partner only (in this example, OIFSP), use the following WLST command:
    updatePartnerProperty(partnerName=”OIFSP”, partnerType=”SP”, propName=”defaultkeytransportmethod”, propValue=”http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”,type=”string”)
    
  • To update the key transport algorithm for all partners that use a specific partner profile (in this example, saml20-sp-partner-profile), use the following WLST command:
    putStringProperty("/fedpartnerprofiles/saml20-sp-partner-profile/defaultkeytransportmethod","http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
    
  • To update the key transport algorithm for all defined SP partners, use the following WLST command:
    putStringProperty("/idpglobal/defaultkeytransportmethod", “http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p”)
    

    Note:

    This is a global change.