44.2 Introduction to Security Token Service Certificates and Keys

Depending on the public key infrastructure, the digital certificate establishes credentials for Web-based transactions.

See About Certificates, Authorities, and Encryption Keys.

Public Keys at Run Time: Public key infrastructure materials are used at run time in several distinct cases, for example during Web Services Security (WSS) protocol communication between Requesters and the Security Token Service (with the OWSM Agent).

Table 44-1 describes the Security Token Service public keys that are used at run time.

Table 44-1 Security Token Service Public Keys Used at Run Time

When Security Token Service issues SAML Assertions:

  • Security Token Service signs assertions using a key defined in the STS Global settings

  • Security Token Service uses the Requester's signing certificate as the proof key for the Holder-of-Key confirmation method of type Public Key

  • Security Token Service uses the Relying Party's encryption certificate to encrypt the secret proof key for the Holder-of-Key confirmation method of type Secret Key

  • Security Token Service uses the Requester's encryption certificate to encrypt the secret proof/entry in the RSTR for the Holder-of-Key confirmation method of type Secret Key

When Security Token Service issues tokens:

  • Security Token Service uses the Relying Party's encryption certificate to encrypt the outgoing token

When Security Token Service validates SAML Assertions:

  • Security Token Service uses the Issuing Authority's signing certificate to verify the signature of the incoming SAML Assertion

When Security Token Service uses Web Services Security (WSS) protocol communication:

  • Between Requesters and Security Token Service (with OWSM Agent)

44.2.1 About Keystores and Security Token Service

The keystore files are distributed across all OAM Servers in the domain by the JMX framework and used for Security Token Service.

Following are the keystore files:

  • .oamkeystore: System Keystore for keys and certificates associated with OAM Server instances

  • .oamkeystore: Partner Keystore for keys and certificates used to establish trust with partners, clients, and agents.

  • amtruststore: Trust Keystore for keys and certificates that are used to establish trust in entities that are interacting with the OAM Server instances

  • amcrl.jar: Certificate Revocation Lists (CRL) are used by the OAM Server instances when performing CRL-based certificate revocation checking

See Introduction to Oracle Access Management Keystores.

The $DOMAIN_HOME/config/fmwconfig/mbeans directory contains a registration mbeans.xml for each file; it names the MBean that manages the file and also marks the file for propagation across the domain.

Table 44-2 Keystore MBeans

Keystore (file): MBean and Description

  • System/Partner Keystore (.oamkeystore): Configuration of the .oamkeystore is done using the JRE's keytool application.

  • Trust Keystore (amtruststore): Configuration of the amtruststore is done using the JRE's keytool application.

  • CRL (amcrl.jar): The CRL MBean can be used to manage CRLs.

The token security key pair is populated into the common keystore shared by Security Token Service. This eliminates the need for Oracle Web Services Manager agents to interact with the common keystore.

You can use a WLST command to retrieve the password for keystores and for the amtruststore.

See Resetting System Keystore (.oamkeystore) and Trust Keystore (amtruststore) Password.

44.2.2 About the Oracle Web Services Manager Keystore (default-keystore.jks)

The Oracle WSM Agent requires a keystore of type JKS to hold its System and Partner keys and certificates.

Oracle WSM Agent functionality is available to Security Token Service to publish WS Policies and enforce message protection on inbound and outbound WS messages. Oracle WSM requires a separate keystore to contain System and Partner keys and certificates.

The Oracle WSM Agent uses a keystore for various cryptographic operations. For these tasks it uses the keystore configured for Oracle Web Services Manager (containing the OWSM private keys and the OWSM trusted certificates). The OPSS modules publish a keystore service that Oracle Web Services Manager uses for certificate validation operations, and $DOMAIN_HOME/config/fmwconfig/jps-config.xml contains the settings for that keystore service. The default keystore name, default-keystore.jks, is specified in jps-config.xml.

Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different. Otherwise, the Access Manager keys would be available to any module that OPSS authorizes to access the shared keystore.

Note:

Oracle strongly recommends that the Oracle WSM Agent keystore and the Security Token Service keystore always be different.
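One way to audit the separation described above is to read the keystore service entry out of jps-config.xml and check where it points. The following is an added example, not Oracle's own code; the sample XML is constructed to mirror the jps-config.xml layout, and its namespace URI, element names and property names (keystore.type, keystore.csf.map, keystore.*.csf.key) are assumptions.

```python
"""Audit the OPSS keystore service used by the OWSM Agent (added example).

Finds the <serviceInstance> backed by the keystore provider, reports the
keystore location, type and CSF key names, and flags the case the docs warn
against: the OWSM keystore being the Security Token Service keystore itself.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on jps-config.xml; namespace and names assumed.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider"
        location="./default-keystore.jks">
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

STS_KEYSTORE = ".oamkeystore"  # the Security Token Service keystore file


def _local(tag):
    """Strip the XML namespace so lookups work whatever URI the file declares."""
    return tag.rsplit("}", 1)[-1]


def keystore_service(xml_text, provider="keystore.provider"):
    """Return location, type and CSF properties of the keystore serviceInstance."""
    root = ET.fromstring(xml_text)
    for inst in root.iter():
        if _local(inst.tag) != "serviceInstance" or inst.get("provider") != provider:
            continue
        props = {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}
        return {"location": inst.get("location"),
                "type": props.get("keystore.type"),
                "csf": {k: v for k, v in props.items() if ".csf." in k}}
    raise ValueError("no keystore serviceInstance with provider %r" % provider)


def shares_sts_keystore(service):
    """True when the OWSM keystore is the STS keystore, which Oracle advises against."""
    return os.path.basename(service["location"]) == STS_KEYSTORE


if __name__ == "__main__":
    svc = keystore_service(SAMPLE_JPS_CONFIG)
    print("OWSM keystore:", svc["location"], "type:", svc["type"], "CSF keys:", svc["csf"])
    print("shared with the STS keystore:", shares_sts_keystore(svc))
```

Point the script at a real $DOMAIN_HOME/config/fmwconfig/jps-config.xml by reading the file into keystore_service() instead of the constructed sample.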

During installation, if the Oracle WSM keystore service has not been configured, the installer:

  • Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (default name is default-keystore.jks)

  • Creates a key entry with the corresponding certificate that will be used by OWSM for signature and encryption operations. This key entry will be stored in the OWSM Keystore under the orakey alias

  • Stores the passwords of the key entry and of the keystore in CSF

Access to the keystore is sometimes required to:

  • Extract the signing/encryption certificate to distribute to clients if necessary

  • Update or replace the signing/encryption key entry

  • Add trusted certificates

See Configuring OWSM for WSS Protocol Communication.

44.2.3 About Using the OPSS Keystore for Requester Certificates

For the special cases where clients use referencing schemes such as SKI (as opposed to a certificate token being received as part of the web service request), the requester's certificates need to be populated in the OPSS Keystore.

This is an uncommon scenario that requires manually provisioning keys to the OPSS keystore. See About Agents and Security Token Service.