18.5 Multi-Data Center Security Modes

A Multi-Data Center relies on the Oracle Access Protocol (OAP) channel for inter data center session management operations and back channel communication. The security mode of the MDC partner profile should match the security mode defined for the Access Manager server: OPEN, SIMPLE or CERT.

Note:

An MDC partner profile is exposed by each data center and used by other data centers to communicate with it. Registering an MDC partner is a two-step process. Consider an MDC with three data centers. In DC1, expose an MDC partner profile by creating a 10g or 11g WebGate (DC1_MDC_Partner). Then, register DC1_MDC_Partner in DC2 and DC3 using addPartnerForMultiDataCentre. See addPartnerForMultiDataCentre for details.

The following sections have details about the security modes.

18.5.1 OPEN Security Mode

OPEN Security Mode is the default mode of the Access Manager deployment. No configuration is needed.

The following is a sample input properties file for use with the addPartnerForMultiDataCentre WLST command.

remoteDataCentreClusterId=<CLUSTER ID OF REMOTE DC FOR WHICH THE AGENT IS BEING ADDED>
oamMdcAgentId=<AGENT ID OF THE REGISTERED PARTNER IN datacenter ABOVE>
PrimaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=<ACCESS CLIENT PASSWORD OF oamMdcAgentId IN datacenter>
oamMdcSecurityMode=OPEN
agentVersion=<WEBGATE AGENT VERSION 10g or 11g>
#NA ----> Not Applicable
trustStorePath=NA
keyStorePath=NA
globalPassPhrase=NA
keystorePassword=NA

18.5.2 SIMPLE Security Mode

Follow the instructions in Configuring Simple Mode Communication with Access Manager to set up the Access Manager servers in SIMPLE mode. In short, create an MDC partner profile in each of the member data centers in SIMPLE mode, and add it to each of the other data centers.

The following is a sample input properties file for use with the addPartnerForMultiDataCentre WLST command.

remoteDataCentreClusterId=<CLUSTER ID OF REMOTE DC FOR WHICH THE AGENT IS BEING ADDED>
oamMdcAgentId=<AGENT ID OF THE REGISTERED PARTNER IN datacenter ABOVE>
PrimaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=<ACCESS CLIENT PASSWORD OF oamMdcAgentId IN datacenter>
oamMdcSecurityMode=SIMPLE
agentVersion=<WEBGATE AGENT VERSION 10g or 11g>
 
#Copy oamclient-truststore.jks and oamclient-keystore.jks from <DOMAIN_HOME>/output/webgate-ssl/
#in the data center whose cluster ID is remoteDataCentreClusterId above into a directory in the
#local DC, for example /scratch/MDCArtifacts/, and reference them in the parameters below
 
trustStorePath=</scratch/MDCArtifacts/oamclient-truststore.jks>
keyStorePath=</scratch/MDCArtifacts/oamclient-keystore.jks>
 
#Use the online WLST command displaySimpleModeGlobalPassphrase() to list 
#the global passphrase in SIMPLE mode. Admins can also update this in the UI
#@ System Configuration-->Access Manager-->Access Manager Settings-->
#Access Protocol-->Simple Mode Configuration-->Global Passphrase. 
#globalPassPhrase & keystorePassword are the same for SIMPLE mode
 
globalPassPhrase=<passphrase resulted in using the above steps>
keystorePassword=<same as globalPassPhrase>

18.5.3 CERT Security Mode

Follow the instructions in Configuring Cert Mode Communication for Access Manager to set up the Access Manager servers in CERT mode. Create an MDC partner in each of the member data centers in CERT mode. Generate the clientTrustStore.jks and clientKeyStore.jks KeyStores for the partners to communicate in CERT mode.

In an MDC setup, each Clone data center is a replica of the Master data center. For the newly cloned data centers to communicate with the existing data centers in CERT mode, the KeyStores generated may be reused across data centers. However, while configuring the domain across multiple nodes (such as adding a new OAM server to a new host), ensure that the new host’s file system has the required artifacts stored in the same directory structure as that of the AdminServer node.

  1. Run the following openssl command from a Linux command prompt to generate aaa_key.pem and aaa_req.pem.

    openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8

    Use the certreq command to generate the certificate and chain.

  2. Create aaa_cert.pem using the following procedure.

    1. Open aaa_req.pem in a text editor and copy the contents.

      Exclude the trailing spaces from your selection.

    2. Paste the copied text into Signcsr.

      Include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

    3. Copy the output into a text editor and save it as aaa_cert.pem.

  3. Create aaa_chain.pem using the following procedure.

    1. Open certreq.

    2. Click on chain.pem and copy/paste the contents into a text editor and save it as aaa_chain.pem.

      Exclude trailing and leading spaces from your selection.

  4. Encrypt the private key (aaa_key.pem) using the following command.

    openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass:Welcome1 -des
    

    The password used in this command must be defined as the access client password or agent key password while registering the MDC partner.

  5. Copy aaa_key.pem, aaa_cert.pem and aaa_chain.pem to a temporary location.

    For example, /tmp/clientCertArtifacts/

  6. Convert aaa_cert.pem and aaa_key.pem into DER format using the following commands.

    openssl x509 -in /tmp/clientCertArtifacts/aaa_cert.pem -inform PEM -out /tmp/clientCertArtifacts/aaa_cert.der -outform DER

    openssl pkcs8 -topk8 -nocrypt -in /tmp/clientCertArtifacts/aaa_key.pem -inform PEM -out /tmp/clientCertArtifacts/aaa_key.der -outform DER

    Because aaa_key.pem was encrypted in step 4, openssl prompts for that passphrase before writing aaa_key.der, which is unencrypted; restrict access to it accordingly.
    
  7. Import aaa_key.der and aaa_cert.der into clientKeyStore.jks, and aaa_chain.pem into clientTrustStore.jks, using the following commands.

    cd $IDM_HOME/oam/server/tools/importcert/

    unzip importcert.zip

    java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore /tmp/clientCertArtifacts/clientKeyStore.jks -privatekeyfile /tmp/clientCertArtifacts/aaa_key.der -signedcertfile /tmp/clientCertArtifacts/aaa_cert.der -storetype jks -genkeystore yes

    keytool -importcert -file /tmp/clientCertArtifacts/aaa_chain.pem -trustcacerts -keystore /tmp/clientCertArtifacts/clientTrustStore.jks -storetype JKS
    

    Enter the keystore passwords when prompted. The password needs to be defined in the input properties file for the addPartnerForMultiDataCentre WLST command as well.

  8. If not done when creating the certificates for the WebGate, import the aaa_key.der and aaa_cert.der formatted certificates into the .oamkeystore using the same Oracle provided importcert.jar used in the previous step.

    java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore /scratch/Oracle/Middleware/domains/base_domain/config/fmwconfig/.oamkeystore -privatekeyfile /tmp/clientCertArtifacts/aaa_key.der -signedcertfile /tmp/clientCertArtifacts/aaa_cert.der -alias mycertmode1 -storetype JCEKS
    

    The -alias value is the alias name defined when setting CERT mode in Access Manager.

The following is a sample input properties file for use with the addPartnerForMultiDataCentre WLST command.

remoteDataCentreClusterId=<CLUSTER ID OF REMOTE DC FOR WHICH THE AGENT IS BEING ADDED>
oamMdcAgentId=<AGENT ID OF THE REGISTERED PARTNER IN datacenter ABOVE>
PrimaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: PrimaryHostPort=adc.example.com:5575
SecondaryHostPort=<fully-qualified-host-name:OAM-port>
#for example: SecondaryHostPort=adc.example.com:5577
AccessClientPasswd=<ACCESS CLIENT PASSWORD OF oamMdcAgentId IN datacenter>
oamMdcSecurityMode=CERT
agentVersion=<WEBGATE AGENT VERSION 10g or 11g>
 
trustStorePath=</tmp/clientCertArtifacts/clientTrustStore.jks>
keyStorePath=</tmp/clientCertArtifacts/clientKeyStore.jks>
 
globalPassPhrase=NA
 
#use keystore password used for generating keystore in the previous step
keystorePassword=<keystore password given while generating keystore>
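As an added pre-flight check for the three input properties files above (example code written for this page, not Oracle's own tooling), the following Python parses an addPartnerForMultiDataCentre input file and verifies the rules each section states: keystore fields set to NA in OPEN mode, .jks paths with globalPassPhrase equal to keystorePassword in SIMPLE mode, and .jks paths with globalPassPhrase=NA in CERT mode. It also flags template placeholders that were never filled in; the sample profile and all of its values are constructed.

```python
import re
# Keys the input file must carry; the last four (keystore keys) must be NA in OPEN mode.
REQUIRED = ("remoteDataCentreClusterId", "oamMdcAgentId", "PrimaryHostPort", "SecondaryHostPort",
            "AccessClientPasswd", "oamMdcSecurityMode", "agentVersion",
            "trustStorePath", "keyStorePath", "globalPassPhrase", "keystorePassword")

def parse_properties(text):
    """Parse key=value lines; '#' comment lines and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_partner_profile(text):
    """Return the problems found; an empty list means the profile is consistent."""
    p = parse_properties(text)
    problems = [f"missing {k}" for k in REQUIRED if k not in p]
    # a value still wrapped in <...> is an unfilled template placeholder
    problems += [f"{k} still holds a placeholder" for k in p if re.fullmatch(r"<.*>", p[k])]
    mode = p.get("oamMdcSecurityMode")
    if mode not in ("OPEN", "SIMPLE", "CERT"):
        return problems + [f"oamMdcSecurityMode must be OPEN, SIMPLE or CERT, got {mode!r}"]
    for k in ("PrimaryHostPort", "SecondaryHostPort"):
        if not re.fullmatch(r"[\w.-]+:\d+", p.get(k, "")):
            problems.append(f"{k} must be host:port")
    if mode == "OPEN":  # OPEN uses no keystores: anything but NA points at a mode mismatch
        return problems + [f"{k} should be NA in OPEN mode" for k in REQUIRED[-4:] if p.get(k) != "NA"]
    for k in ("trustStorePath", "keyStorePath"):
        if not p.get(k, "").endswith(".jks"):
            problems.append(f"{k} must name a .jks keystore in {mode} mode")
    if p.get("keystorePassword", "NA") == "NA":
        problems.append(f"keystorePassword is required in {mode} mode")
    if mode == "SIMPLE" and p.get("globalPassPhrase") != p.get("keystorePassword"):
        problems.append("globalPassPhrase and keystorePassword must match in SIMPLE mode")
    if mode == "CERT" and p.get("globalPassPhrase") != "NA":
        problems.append("globalPassPhrase should be NA in CERT mode")
    return problems

# Constructed sample of a consistent SIMPLE-mode profile; none of the values come from a real deployment.
SAMPLE_SIMPLE = "\n".join([
    "remoteDataCentreClusterId=DC2_cluster", "oamMdcAgentId=DC2_MDC_Partner",
    "PrimaryHostPort=adc.example.com:5575", "SecondaryHostPort=adc.example.com:5577",
    "AccessClientPasswd=example-client-secret", "oamMdcSecurityMode=SIMPLE", "agentVersion=11g",
    "trustStorePath=/scratch/MDCArtifacts/oamclient-truststore.jks",
    "keyStorePath=/scratch/MDCArtifacts/oamclient-keystore.jks",
    "globalPassPhrase=example-global-passphrase", "keystorePassword=example-global-passphrase",
])
```

Run check_partner_profile on the file before calling addPartnerForMultiDataCentre; a non-empty result means the partner profile would not match the server's security mode or still carries template placeholders.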