Communication between the agent and server works when the WebGate mode matches, or is higher than, the OAM Server mode.
When you register an OAM Agent or a new OAM Server, you can specify the Security mode. However, changing the global passphrase requires that you reconfigure all agents to use the mode and the new global passphrase.
During agent registration, at least one OAM Server instance must be running in the same mode as the agent. Otherwise, registration fails. After agent registration, however, you could change the communication mode of the OAM Server.
The highest level of security is Cert mode; the lowest is Open mode. The agent mode can be higher but not lower. For example, Open mode can be updated to SIMPLE or CERT.
This section provides the information you need to configure Simple mode communication.
Task overview: Configuring Simple mode communication includes
For Simple mode encryption, Access Manager includes a certificate authority with its own private key, which is installed across all WebGates and OAM Servers.
During installation, the OAM Server generates and saves the private-public keypair for the server. Similarly, for the OAM agent, an Oracle certificate authority is installed with the agent installation.
The installer generates a random global passphrase initially, which can be edited or viewed as needed. When an agent is registered in SIMPLE mode, the following client certificates are generated to be consumed by clients:
aaa_key.pem: Contains private key
aaa_cert.pem: Signed certificate
password.xml: Contains the random global passphrase in obfuscated format
Changing the global passphrase requires reconfiguring all agents that are already configured in Simple mode.
Retrieve the random global passphrase generated by Access Manager for Simple mode communication during installation.
To retrieve the random global passphrase for Simple mode communication
Where $ORACLE_IDM_HOME represents the base installation directory path; /common/bin is the path wherein the scripting tool is located.
wls:/offline> connect()
Please enter your username [weblogic] :
Please enter your password [weblogic] :
Please enter your server URL [t3://localhost:7001] :
wls:/base_domain/serverConfig>
Artifacts generated for Simple Security mode use the global passphrase, and any change must be propagated to WebGates.
To update an existing WebGate registration for Simple mode, you can delete the WebGate registration using the Oracle Access Management Console, then re-register it (specifying Simple mode and disabling the automatic generation of policies). Alternatively, you can edit the WebGate registration and then copy the artifacts as described here.
To update the WebGate registration for Simple mode
From: $WLS_DOMAIN_HOME/output/AGENT_NAME (the WebLogic domain home where the OAM AdminServer is installed)
10g WebGate: ObAccessClient.xml
10g WebGate: password.xml
Restart the Web server to instantiate the change to SIMPLE mode, then validate the results.
To validate SIMPLE mode changes:
d:\middleware\ohs_home\instances\ohs_webgate11g\bin
opmnctl stopall
opmnctl startall

$(Oracle_Home)/user_projects/domains/base_domain/bin/stopComponent.sh ohs1 ( stopComponent.sh ohs1 )
$(Oracle_Home)/user_projects/domains/base_domain/bin/startComponent.sh ohs1
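A check that can follow the copy step above, as an added example that is not part of the Oracle documentation: it compares the three Simple mode artifacts under $WLS_DOMAIN_HOME/output/AGENT_NAME with the copies on the WebGate host, so a WebGate left with artifacts from before a global passphrase change shows up as STALE. The function name, the finding labels, the destination directory argument and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle tooling.
# Assumptions: SRC is $WLS_DOMAIN_HOME/output/AGENT_NAME; DST is the WebGate
# directory the operator copied the artifacts into (path supplied by caller).

SIMPLE_ARTIFACTS="aaa_key.pem aaa_cert.pem password.xml"

# Prints one finding per line; returns 0 when clean, 1 when anything is off.
check_simple_artifacts() {
    src=$1
    dst=$2
    rc=0
    for f in $SIMPLE_ARTIFACTS; do
        if [ ! -f "$src/$f" ]; then
            echo "MISSING_SOURCE $f"; rc=1; continue
        fi
        if [ ! -f "$dst/$f" ]; then
            echo "MISSING_DEPLOYED $f"; rc=1; continue
        fi
        # A byte difference means the WebGate still holds artifacts from
        # before the registration or the global passphrase was changed.
        if ! cmp -s "$src/$f" "$dst/$f"; then
            echo "STALE $f"; rc=1
        fi
    done
    # This example also flags the private key and the obfuscated passphrase
    # when group or other has any access to them, in either directory.
    for d in "$src" "$dst"; do
        for f in aaa_key.pem password.xml; do
            [ -f "$d/$f" ] || continue
            mode=$(ls -ld "$d/$f" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "LOOSE_PERMS $d/$f"; rc=1
            fi
        done
    done
    return $rc
}

# Run only when invoked with both directories: sh check.sh SRC DST
if [ $# -eq 2 ]; then
    check_simple_artifacts "$1" "$2"
fi
```
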