Encryption and Signing Certificates stored in a keystore are used by the Security Token Service.
Security Token Service uses keys to:
Sign outgoing Assertions
Decrypt any incoming XML encrypted data contained inside the RST message (tokens, entropies...), which is not handled by the WSS Protocol
Security Token Service uses the following keystore for storing Encryption and Signing Certificates.
$DOMAIN_HOME/config/fmwconfig/.oamkeystore
You need to perform the following tasks to manage Security Token Service keys:
You can reset the password that protects keystores, and the key entries that are using the same password as the keystore.
These keystores were created and configured during installation, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. The password and key entries password were randomly generated. The WLST resetKeystorePassword method allows the Administrator to set the .oamkeystore password and any key entries with a password identical to the .oamkeystore password to a new value:
Updates the .oamkeystore password
Updates the key entries in .oamkeystore that had the same password as the keystore
Updates Access Manager, Identity Federation, and Security Token Service configuration to reflect the changes
Updates the amtruststore password (if the keystore is protected by the same password as the default .oamkeystore)
You can reset system and trust keystore passwords through the WebLogic Server AdminServer.
To reset system and trust keystore passwords:
connect()
domainRuntime()
resetKeystorePassword()
An Administrator can add a new key entry into the System keystore (.oamkeystore) using the keytool command to create and add the new key entry.
Once the entry has been added, it must be defined in the Security Token Service configuration screen so that it can be used to sign assertions and decrypt incoming messages. The following topics describe how to add a new entry to sign SAML Assertions or decrypt XML-Encrypted data not covered by WSS:
You need to configure a new entry to sign SAML Assertions or decrypt XML-Encrypted data not covered by WSS.
Before you begin, ensure that the Oracle Access Manager service is enabled.
To configure a new entry:
Locate keytool.
Either generate a self-signed certificate, or generate a certificate request, export the request to a remote Certificate Authority, and import the certificate issued by the Certificate Authority.
Observe messages on the screen.
Proceed as needed:
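The keytool steps above, as an added shell example that is not part of the original documentation: it creates a new key entry in a JKS keystore of the same type as .oamkeystore, can produce a certificate request for a CA, checks that the entry was added, and exports the certificate so it can be handed to a Relying Party in der or pem form. The keystore path, alias, password and distinguished name are assumed placeholders, not values from the product.

```shell
#!/bin/sh
# Added example (not Oracle's code). On a real system the keystore is
# $DOMAIN_HOME/config/fmwconfig/.oamkeystore and its password comes from the
# credential store; the values below are constructed for a local demo only.
set -eu

KEYSTORE="${KEYSTORE:-./oamkeystore-example.jks}"   # placeholder keystore path
STOREPASS="${STOREPASS:-changeit-example}"          # placeholder password
ALIAS="${ALIAS:-stskey}"                            # hypothetical key alias

# Generate a new RSA key pair with a self-signed certificate in the keystore.
# -keypass is set equal to -storepass on purpose: resetKeystorePassword()
# only rotates key entries whose password matches the keystore password.
gen_self_signed() {
    keytool -genkeypair -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 365 -dname "CN=sts.example.com, O=Example, C=US" 2>/dev/null
}

# Produce a PKCS#10 request for the same alias, to be submitted to a CA.
# The CA reply is later imported with: keytool -importcert -alias "$ALIAS" ...
gen_cert_request() {   # $1 = output file
    keytool -certreq -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" -file "$1" 2>/dev/null
}

# Return 0 if the alias exists as a private key entry, 1 otherwise.
has_key_entry() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" 2>/dev/null | grep -q "PrivateKeyEntry"
}

# Export the entry's certificate for a Relying Party; pem uses -rfc, der is raw.
export_cert() {   # $1 = output file, $2 = der|pem
    if [ "$2" = "pem" ]; then
        keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -alias "$ALIAS" -file "$1" 2>/dev/null
    else
        keytool -exportcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -alias "$ALIAS" -file "$1" 2>/dev/null
    fi
}
```

After the entry exists it still has to be selected in the Security Token Service Settings screen before it is used for signing or decryption.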
Users with valid Administrator credentials can edit an existing template to use a signing key.
To configure a SAML Issuance template to use a signing key:
See About Security Token Service Settings.
To set the default encryption key:
You can use Certificate Retrieval Service to distribute the certificate of a key entry.
In some cases, it is required to distribute the Security Token Service keys used for SAML Signature operations or XML encryption operations:
When a Relying Party needs to have access to the Security Token Service signing key, in order to validate the SAML Assertion issued by Security Token Service
When a token needs to be encrypted for Security Token Service Server
To distribute the certificate of a key entry used by Security Token Service for SAML Signature operations or XML encryption operations, use the Certificate Retrieval Service by specifying the KeyID (listed in System Configuration, Security Token Service, Security Token Service Settings) and the preferred encoding (der or pem).