13.5 Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security

Configure secure server communication modes and manage them through the settings for the common OAM Proxy.

This section describes the following topics:

  • OAM Proxy Simple and Cert Mode Transport Security
  • Configuration Settings of Common OAM Proxy Page for Secure Server Communications
  • Viewing or Editing Simple or Cert Settings for OAM Proxy
  • Configuring 64-bit and 32-bit WebGate in Cert Mode
  • Tuning the Simple Mode WebGate

13.5.1 OAM Proxy Simple and Cert Mode Transport Security

Simple and Cert modes are similar.

Table 13-6 outlines the similarities between Simple and Cert modes.

Table 13-6 Summary: Simple and Cert Mode

Each row gives an artifact or process, followed by its value for Simple Mode, Cert Mode, and Open Mode. An X means the item applies to that mode; N/A means it does not.

X.509 digital certificates only.
  Simple Mode: X
  Cert Mode: X
  Open Mode: N/A

Communication between OAM Agents and OAM Servers is encrypted using Transport Layer Security, RFC 2246 (TLS v1).
  Simple Mode: X
  Cert Mode: X
  Open Mode: N/A

For each public key there is a corresponding private key that Access Manager stores in a file:
  Simple Mode: aaa_key.pem, generated by openSSL
  Cert Mode: aaa_key.pem, generated by your CA
  Open Mode: N/A

Signed certificates in Privacy Enhanced Mail (PEM) format:
  Simple Mode: aaa_cert.pem, generated by openSSL
  Cert Mode: aaa_cert.pem, generated by your CA
  Open Mode: N/A

During OAM Server configuration, secure the private key with a Global passphrase or PEM format details, depending on which mode you are using. Before an OAM Server or Webgate can use a private key, it must have the correct passphrase.
  Simple Mode: Global passphrase stored in a nominally encrypted file:
    • password.xml
  Cert Mode: PEM format:
    • Keystore Alias
    • Keystore Alias Password
  Open Mode: N/A

During OAM Agent or OAM Server registration, the communication mode is propagated to the Oracle Access Management Console.
  Simple Mode: Same passphrase for each Webgate and OAM Server instance.
  Cert Mode: Different passphrase for each Webgate and OAM Server instance.
  Open Mode: N/A

The certificate request for the Webgate generates the certificate request file, which you must send to a root CA that is trusted by the OAM Server. The root CA returns the Webgate certificates, which can then be installed either during or after Webgate installation.
  Simple Mode: cacert.pem, the certificate request signed by the Oracle-provided openSSL Certificate Authority
  Cert Mode: aaa_req.pem, the certificate request signed by your Certificate Authority
  Open Mode: N/A

Encrypt the private key using the DES Algorithm. For example:
  openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass:passphrase -des
  Simple Mode: N/A
  Cert Mode: X
  Open Mode: N/A

Agent Key Password
  Simple Mode: N/A
  Cert Mode: Enter a password during agent registration in Cert Security mode (see Table 15-1).
  Open Mode: N/A

During Agent registration, ObAccessClient.xml is generated in:
  $DOMAIN_HOME/output/$Agent_Name/
  Simple Mode: ObAccessClient.xml. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/config/OHS/ohs1/webgate/config (if $11gWebgate_instance_dir=$ORACLE_HOME/instance/instance1)
    • 10g Webgate: $Webgate_install_dir/oblix/lib
  Cert Mode: ObAccessClient.xml. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...
  Open Mode: ObAccessClient.xml. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...

During Agent registration, password.xml is generated in:
  $DOMAIN_HOME/output/$Agent_Name/
  See Also: Securing Communication
  Simple Mode: password.xml. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...
  Cert Mode: password.xml. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...
  Open Mode: N/A

During Agent registration, aaa_key.pem is generated in:
  $DOMAIN_HOME/output/$Agent_Name/
  See Also: Securing Communication
  Simple Mode: aaa_key.pem. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...
  Cert Mode: aaa_key.pem. Copy to:
    • 11g Webgate: $11gWebgate_instance_dir/...
    • 10g Webgate: $Webgate_install_dir/...
  Open Mode: N/A
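Table 13-6 states two requirements that are easy to get wrong when artifacts are copied between the OAM Server and the Webgate: the private key in aaa_key.pem must be passphrase-protected before the Webgate can use it, and Cert mode needs a certificate plus a CA chain that the OAM Server trusts. The following pre-flight checker is an added example, not Oracle's code or part of this page; it inspects only PEM structure and the RFC 1421 encryption headers (Proc-Type, DEK-Info) that `openssl rsa ... -des` writes, and does not validate signatures or the key/certificate pairing. File names aaa_key.pem, aaa_cert.pem and aaa_chain.pem are taken from the page; the DER bodies in the sample input are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight check of Cert mode Webgate artifacts (aaa_key.pem, aaa_cert.pem, aaa_chain.pem).

Added example for Table 13-6; not Oracle code. Inspects PEM structure and RFC 1421
encryption headers only; it does not verify signatures or that the key matches the cert.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
SINGLE_DES = {"DES-CBC"}  # the cipher that the page's 'openssl rsa ... -des' command produces


def parse_pem_blocks(text):
    """Split PEM text into blocks of {'label', 'headers', 'der'}. Raises ValueError on bad base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64, in_headers = {}, [], True
        for line in body.strip().splitlines():
            line = line.strip()
            if in_headers and ":" in line:          # encapsulated header, e.g. Proc-Type: 4,ENCRYPTED
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            elif in_headers and line == "":         # blank line ends the header section
                in_headers = False
            else:                                   # base64 payload (no headers present, or after them)
                in_headers = False
                b64.append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def key_cipher(block):
    """Cipher protecting a private-key block, or None when the key is stored in clear."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":   # PKCS#8 form: the algorithm sits inside the DER
        return "PKCS#8"
    if block["headers"].get("Proc-Type") == "4,ENCRYPTED":
        return block["headers"].get("DEK-Info", "").split(",")[0]
    return None


def check_cert_mode_artifacts(key_pem, cert_pem, chain_pem):
    """Return (severity, message) findings; an empty list means the artifact set looks deployable."""
    findings = []

    def blocks(name, text, wanted):
        try:
            found = [b for b in parse_pem_blocks(text) if b["label"].endswith(wanted)]
        except ValueError as exc:
            findings.append(("error", f"{name}: {exc}"))
            return []
        for b in found:                              # every DER body must start with a SEQUENCE tag
            if not b["der"] or b["der"][0] != 0x30:
                findings.append(("error", f"{name}: {b['label']} body is not a DER SEQUENCE"))
        return found

    keys = blocks("aaa_key.pem", key_pem, "PRIVATE KEY")
    if len(keys) != 1:
        findings.append(("error", f"aaa_key.pem: expected one private key block, found {len(keys)}"))
    else:
        cipher = key_cipher(keys[0])
        if cipher is None:
            findings.append(("error", "aaa_key.pem: private key is not passphrase-protected"))
        elif cipher in SINGLE_DES:
            findings.append(("info", f"aaa_key.pem: protected with {cipher} (single DES)"))
    if len(blocks("aaa_cert.pem", cert_pem, "CERTIFICATE")) != 1:
        findings.append(("error", "aaa_cert.pem: expected exactly one certificate"))
    if not blocks("aaa_chain.pem", chain_pem, "CERTIFICATE"):
        findings.append(("error", "aaa_chain.pem: no CA certificate found"))
    return findings


def _pem(label, der, headers=None):
    """Build constructed sample PEM text (placeholder DER, not a real key or certificate)."""
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += [f"{k}: {v}" for k, v in headers.items()] + [""]
    b64 = base64.b64encode(der).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + [f"-----END {label}-----"]) + "\n"


PLACEHOLDER_DER = bytes.fromhex("3003020105")  # constructed: a tiny DER SEQUENCE, stands in for key/cert bodies
SAMPLE_KEY_ENCRYPTED = _pem("RSA PRIVATE KEY", PLACEHOLDER_DER,
                            {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "DES-CBC,0123456789ABCDEF"})
SAMPLE_KEY_CLEAR = _pem("RSA PRIVATE KEY", PLACEHOLDER_DER)
SAMPLE_CERT = _pem("CERTIFICATE", PLACEHOLDER_DER)
SAMPLE_CHAIN = SAMPLE_CERT * 2

if __name__ == "__main__":
    for name, key in (("encrypted key", SAMPLE_KEY_ENCRYPTED), ("clear key", SAMPLE_KEY_CLEAR)):
        print(name, check_cert_mode_artifacts(key, SAMPLE_CERT, SAMPLE_CHAIN))
```

Run it against the files under $DOMAIN_HOME/output/$Agent_Name/ before copying them to the Webgate: an unprotected key or a missing chain is reported as an error, while a key protected with DES-CBC passes with an informational finding so you can see exactly which cipher the page's openssl command left on the key.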

13.5.2 Configuration Settings of Common OAM Proxy Page for Secure Server Communications

You can configure the settings of the Common OAM Proxy page for secure server communications.

Table 13-7 describes the settings required for Simple or Cert mode configurations.

Table 13-7 Server Common OAM Proxy Secure Communication Settings

Mode Description

Simple Mode Configuration

The global passphrase for communication using OAM-signed X.509 certificates. This is set during initial OAM Server installation.

Administrators can edit this passphrase and then reconfigure all existing OAM Agents to use it, as described in "Viewing or Editing Simple or Cert Settings for OAM Proxy".

Cert Mode Configuration

Details required for the Keystore where the Cert mode X.509 certificates signed by an outside Certificate Authority reside:

  • PEM Keystore Alias

  • PEM Keystore Alias Password

Note: These are set during initial OAM Server installation. The certificates can be imported using the import certificate utility or the keytool shipped with JDK.

Administrators can edit the alias and password and then reconfigure all existing OAM Agents to use them, as described in "Viewing or Editing Simple or Cert Settings for OAM Proxy".

13.5.3 Viewing or Editing Simple or Cert Settings for OAM Proxy

Administrators can view or edit Simple or Cert mode settings for the common OAM Proxy.

To view or edit:

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. In the Configuration console, select Access Manager from the View menu in the Settings section.
  3. Expand the Access Protocol section.
  4. Simple Mode Configuration: Add or alter a Global Passphrase if you are using OAM-signed X.509 certificates.
  5. Cert Mode Configuration: Specify the following details.
    • PEM Keystore Alias

    • PEM Keystore Alias Password

  6. Click Apply to submit the changes and dismiss the Confirmation window (or close the page without applying changes).
  7. Update Agent registration pages as needed to regenerate artifacts, and then replace the earlier artifacts as described in Introduction to Agents and Registration or Registering and Managing OAM 11g Agents.

13.5.4 Configuring 64-bit and 32-bit WebGate in Cert Mode

64-bit WebGates now support SHA-2 (256-, 384- and 512-bit) certificates.

Run the following command to configure a 64-bit or 32-bit WebGate in Cert mode:

  <Oracle Middleware Home>/oracle_common/bin/orapki wallet add \
    -wallet $DOMAIN_HOME/output/$Agent_Name/cwallet.sso -trusted_cert \
    -cert <Root CA path, i.e. aaa_chain.pem> -auto_login_only

Then complete the following steps:

  • Copy cwallet.sso from <WebGate InstanceDir>/webgate/config/ (under <Webgate Install dir>) to a temporary folder on the access server.

  • Run the following command to update cwallet.sso on the OAM server, and manually add cacert.pem to /webgate/config/cwallet.sso:

    orapki wallet add -wallet <temporary folder holding cwallet.sso> -trusted_cert -cert <Root CA path, i.e. aaa_chain.pem or cacert.pem> -auto_login_only

  • Make the wallet compatible with OAM 11.1.2.3 and later using the following command:

    orapki wallet convert -wallet <temporary folder holding cwallet.sso> -auto_login_only

  • Copy the new cwallet.sso to the WebGate config folder.

  • Restart the web server for the WebGate.

13.5.5 Tuning the Simple Mode WebGate

If you are using a Simple mode WebGate, you can improve the response time of the OAM login page by changing the aaaTimeoutThreshold parameter in the WebGate profile from -1 to 10.

For detailed information about the AAA Timeout Threshold configuration element, see Table 15-3 in Registering and Managing OAM 11g Agents.