C.5 Configuring Simple Mode Communication with Access Manager

The transport security communication mode is chosen during OAM installation. In Simple mode, the installer generates a random global passphrase initially, which can be edited as required later.

Note:

Communication between the agent and server works when the WebGate mode matches (or is higher than) the OAM Server mode.

When you register an OAM Agent or a new OAM Server, you can specify the Security mode. However, changing the global passphrase requires that you reconfigure all agents to use the mode and the new global passphrase.

Note:

During agent registration, at least one OAM Server instance must be running in the same mode as the agent. Otherwise, registration fails. After agent registration, however, you could change the communication mode of the OAM Server.

The highest level of security is Cert mode, the lowest is Open mode. The agent mode can be higher but not lower. For example, Open mode can be updated to SIMPLE or CERT.

This section provides the information you need to configure Simple mode communication.

Task overview: Configuring Simple mode communication includes

  1. Reviewing: About Simple Mode, Encryption, and Keys

  2. Retrieving the Global Passphrase for Simple Mode

  3. Updating WebGate Registration for Simple Mode

  4. Verifying SIMPLE Mode Configuration

C.5.1 About Simple Mode, Encryption, and Keys

For Simple mode encryption, Access Manager includes a certificate authority with its own private key, which is installed across all WebGates and OAM Servers.

During installation, the OAM Server generates and saves the private-public keypair for the server. Similarly, for the OAM agent, an Oracle certificate authority is installed with the agent installation.

The installer generates a random global passphrase initially, which can be edited or viewed as needed. When an agent is registered in SIMPLE mode, the following client certificates are generated to be consumed by clients:

  • aaa_key.pem: Contains private key

  • aaa_cert.pem: Signed certificate

  • password.xml: Contains the random global passphrase in obfuscated format

Note:

Changing the global passphrase requires reconfiguring all agents that are already configured in Simple mode.

C.5.2 Retrieving the Global Passphrase for Simple Mode

Retrieve the random global passphrase generated by Access Manager for Simple mode communication during installation.

To retrieve the random global passphrase for Simple mode communication

  1. Ensure that the Oracle Access Management Console is running.
  2. On the computer hosting the Oracle Access Management Console, locate the WebLogic Scripting Tool in the following path. For example:
    $ORACLE_IDM_HOME/common/bin

    Where $ORACLE_IDM_HOME represents the base installation directory path and /common/bin is the directory in which the scripting tool is located.

  3. Start the WebLogic scripting tool. For example, on a Unix system:
    ./wlst.sh

  4. In the WLST shell, enter the command to connect and then enter the requested information. For example:
    wls:/offline> connect()
    Please enter your username [weblogic] :
    Please enter your password [weblogic] :
    Please enter your server URL [t3://localhost:7001] :
    wls:/base_domain/serverConfig>
    
  5. Enter the following command to change the location to the read-only domainRuntime tree (for help, use help(domainRuntime)). For example:
    wls:/OAM_AC>domainRuntime()
    
  6. View the global passphrase by entering the following command. For example:
    wls:/OAM_AC> displaySimpleModeGlobalPassphrase()
    
  7. Proceed to "Updating WebGate Registration for Simple Mode".

C.5.3 Updating WebGate Registration for Simple Mode

Artifacts generated for Simple Security mode use the global passphrase, and any change to it must be propagated to WebGates.

To update an existing WebGate registration for Simple mode, you can delete the WebGate registration using the Oracle Access Management Console, then re-register it (specifying Simple mode and disabling the automatic generation of policies). Alternatively, you can edit the WebGate registration and then copy the artifacts as described here.

To update the WebGate registration for Simple mode

  1. In the Oracle Access Management Console, click Application Security at the top of the window.
  2. In the Launch Pad tab, click Agents.
  3. On the Search page, define your criteria and open the desired agent registration, as described in "WebGate Search Controls".
  4. In the registration page, locate the Security options and click Simple.
  5. Click Apply to submit the changes.
  6. Copy the updated WebGate files as follows:

    11g WebGate: ObAccessClient.xml, cwallet.sso (11g WebGate only), and password.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME (the WebLogic domain home where the OAM AdminServer is installed)

    • To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config

    10g WebGate: ObAccessClient.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/lib

    10g WebGate: password.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/config

  7. Copy the following files, as directed for your WebGate release:
    • aaa_key.pem
    • aaa_cert.pem

    11g WebGate:

    • From: $IDM_DOMAIN_HOME/output/AGENT_NAME

    • To: $OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config/simple

    10g WebGate:

    • From: $IDM_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/config/simple

  8. Restart the OAM Server and the Oracle HTTP Server instance.
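The following POSIX shell script is an added example, not part of the Oracle documentation or the OAM product, showing one way to carry out steps 6 and 7 for an 11g WebGate in a repeatable way: it refuses to copy anything if an artifact is missing from the AdminServer output directory, places each file in the directory the procedure names, and then restricts permissions on the files that hold key material (aaa_key.pem, cwallet.sso and the obfuscated password.xml), since a world-readable private key or passphrase file undermines Simple mode. The source and destination paths follow the procedure above; AGENT_NAME is a placeholder, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): stage Simple mode
# artifacts from the AdminServer output directory into an 11g WebGate
# config directory, with a presence check and permission lockdown.
# Assumes the 11g directory layout shown in the procedure and that the
# script runs as the account that owns the WebGate installation.

set -u

# Files copied to the WebGate config directory (11g layout).
CONFIG_ARTIFACTS="ObAccessClient.xml cwallet.sso password.xml"
# Files copied to the config/simple subdirectory.
SIMPLE_ARTIFACTS="aaa_key.pem aaa_cert.pem"

# check_artifacts SRC_DIR
# Reports every required artifact missing from SRC_DIR on stderr.
# Returns 1 if at least one is missing, 0 if all are present.
check_artifacts() {
    src="$1"
    missing=0
    for f in $CONFIG_ARTIFACTS $SIMPLE_ARTIFACTS; do
        if [ ! -f "$src/$f" ]; then
            echo "missing: $src/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# stage_simple_mode_artifacts SRC_DIR WEBGATE_CONFIG_DIR
# Copies the artifacts into place (creating config/simple if needed) and
# makes the secret-bearing files readable by the owner only. Nothing is
# copied when any artifact is missing, so a half-updated WebGate is avoided.
stage_simple_mode_artifacts() {
    src="$1"
    dst="$2"
    check_artifacts "$src" || return 1
    mkdir -p "$dst/simple" || return 1
    for f in $CONFIG_ARTIFACTS; do
        cp "$src/$f" "$dst/$f" || return 1
    done
    for f in $SIMPLE_ARTIFACTS; do
        cp "$src/$f" "$dst/simple/$f" || return 1
    done
    # Private key, wallet and obfuscated passphrase: owner read/write only.
    chmod 600 "$dst/password.xml" "$dst/cwallet.sso" \
        "$dst/simple/aaa_key.pem" || return 1
    # The signed certificate carries no secret.
    chmod 644 "$dst/simple/aaa_cert.pem" || return 1
    return 0
}

# key_is_private FILE
# Post-copy check: returns 0 if FILE has no group or other permission bits.
key_is_private() {
    # In "ls -l" output the type is column 1, owner bits 2-4,
    # group bits 5-7 and other bits 8-10.
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage with the paths from the procedure (AGENT_NAME is a placeholder):
#   stage_simple_mode_artifacts "$WLS_DOMAIN_HOME/output/AGENT_NAME" \
#       "$OHS_INSTANCE_HOME/config/OHS/ohs2/webgate/config"
```

Run it before the restart in step 8; if it prints a "missing:" line, the WebGate registration was not regenerated in Simple mode and the copy is skipped entirely. For a 10g WebGate the destinations differ (oblix/lib, oblix/config and oblix/config/simple) and cwallet.sso does not apply, so the artifact lists and target paths would need adjusting.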

C.5.4 Verifying SIMPLE Mode Configuration

Restart the Web server to put the change to SIMPLE mode into effect, then validate the results.

To validate SIMPLE mode changes:

  1. From a command-line window, restart the Web server as shown in the following example:
    For 11g Webgate:
    d:\middleware\ohs_home\instances\ohs_webgate11g\bin
    opmnctl stopall
    opmnctl startall
    
    For 12c Webgate:
    $(Oracle_Home)/user_projects/domains/base_domain/bin/stopComponent.sh ohs1
    $(Oracle_Home)/user_projects/domains/base_domain/bin/startComponent.sh ohs1
    
  2. In a browser window, enter the URL to a resource protected by the WebGate using Simple mode.
  3. Enter your login credentials, when asked.
  4. Confirm that the resource is served.