23.7 Configuring a DCC WebGate for X509 Authentication

Configure a WebGate for DCC and convert it to SSL for using it with X509 authentication.

  1. Configuring the WebLogic Server

  2. Configuring a WebGate For DCC

  3. Converting the DCC WebGate to SSL

23.7.1 Configuring the WebLogic Server

Use the procedures in the following sections to configure a WebLogic Server for X509 authentication.

  1. Creating the Server and Trust Store

  2. Configuring the WebLogic Server Instance

  3. Creating the User Certificate

  4. Adding the Root CA Certificate

23.7.1.1 Creating the Server and Trust Store

These are common procedures for WebLogic Server.

  1. Create Server certificate

    Create a Server Certificate and key for the WLS domain on which Oracle Access Management 11g is deployed. This entails requesting a certificate (in which the Common Name is the OAM server machine name), having the certificate signed and converting it to the P12 format. The Server certificate can be created and signed using any Certificate utility.

  2. Create the server store and the trust store using keytool.

23.7.1.2 Configuring the WebLogic Server Instance

Use the WebLogic console to configure the instance of the WebLogic Server to be SSL and client certificate enabled.

  1. Navigate to the server instance which is to be SSL and Client Cert enabled.
  2. Check the SSL Listen Port Enabled check box and provide the port number as in Figure 23-6.
  3. Provide the server and trust keystore path under the "Keystore" tab.

    Figure 23-7 Keystore Configuration

  4. Add the private key alias details under the SSL tab.

    The alias name is the same name that was specified as the server store name in Creating the Server and Trust Store.

    Figure 23-8 Add Private Key Alias

  5. Display the Advanced options under the SSL tab and make the configurations illustrated in Figure 23-9.

    Figure 23-9 SSL Advanced Options

23.7.1.3 Creating the User Certificate

You can create a user certificate in the .p12 format and install it in your browser.

Run the following OpenSSL commands:

  1. openssl req -config openssl.cnf -new -out weblogic.csr

    Provide the certificate details. The Common Name is the name of the user for whom the certificate is requested.

  2. openssl x509 -req -md5 -CAcreateserial -in weblogic.csr -days 180 -CA F:\openssl\simpleCA\ca.pem -CAkey F:\openssl\simpleCA\ca-key.pem -extfile F:\openssl\openssl.cnf -out weblogic.pem

  3. openssl rsa -in privkey.pem -out weblogic.key

    privkey.pem is the private key that step 1 wrote; this step writes it out without its passphrase so that it can be packaged in step 4.

  4. openssl pkcs12 -export -in weblogic.pem -inkey weblogic.key -out user1k1.p12

  5. Install the .p12 formatted certificate output in your browser.
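The sequence above, reproduced as an added example that is not part of the Oracle documentation: it builds a throwaway CA in place of ca.pem / ca-key.pem, issues a user certificate with the same req / x509 / pkcs12 steps, and then checks what the OHS setting SSLVerifyClient require will check at connection time, namely that the client certificate chains to the trusted CA and carries the expected user in its Common Name. The CA names, the user name user1, the PKCS#12 password and the use of -sha256 instead of the page's -md5 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation). Mirrors the
# "Creating the User Certificate" steps non-interactively (-nodes, -subj,
# -passout) and uses -sha256 where the page uses -md5.
set -e

# Self-signed CA standing in for the page's ca.pem / ca-key.pem.
make_ca() {            # $1 = dir, $2 = CA common name (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" -subj "/CN=$2" 2>/dev/null
}

# Steps 1-4 of the page: CSR, CA-signed cert, then the browser-importable .p12.
make_user_cert() {     # $1 = dir, $2 = CA dir, $3 = user CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/weblogic.key" \
        -out "$1/weblogic.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -sha256 -CAcreateserial -in "$1/weblogic.csr" -days 180 \
        -CA "$2/ca.pem" -CAkey "$2/ca-key.pem" -out "$1/weblogic.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/weblogic.pem" -inkey "$1/weblogic.key" \
        -out "$1/user1k1.p12" -passout pass:changeit   # constructed password
}

# 0 when certificate $1 chains to CA file $2, 1 otherwise: the same decision
# OHS makes for every client when SSLVerifyClient is set to require.
chains_to_ca() {       # $1 = cert, $2 = CA cert
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject of a certificate in RFC 2253 form; the CN is the user OAM will map.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# End to end: the issuing CA accepts the user cert, an unrelated CA rejects
# it, and the subject carries the requested user name. Returns 0 on success.
demo() {
    command -v openssl >/dev/null || { echo "openssl not installed; skipped"; return 0; }
    d=$(mktemp -d); mkdir "$d/good" "$d/other" "$d/user"
    make_ca "$d/good"  "Demo Root CA"
    make_ca "$d/other" "Unrelated CA"
    make_user_cert "$d/user" "$d/good" "user1"
    chains_to_ca "$d/user/weblogic.pem" "$d/good/ca.pem"  || return 1
    chains_to_ca "$d/user/weblogic.pem" "$d/other/ca.pem" && return 1
    [ "$(cert_subject "$d/user/weblogic.pem")" = "CN=user1" ] || return 1
    rm -rf "$d"; echo "chain check OK"
}

demo
```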

23.7.1.4 Adding the Root CA Certificate

You can add the Root CA certificate of the certificate utility used to SSL enable the WebLogic server.

(In this example, the OpenSSL certificate utility is used.) The Root CA certificate must be added to the .oamkeystore and amtruststore files located in the following WebLogic directory:

$DOMAIN_HOME/base_domain/config/fmwconfig

  1. Retrieve the password for the .oamkeystore and amtruststore files in WebLogic.

    1. Navigate to $MIDDLEWARE_HOME/Oracle_IDM1/common/bin/.

    2. Run wlst.sh.

    3. Run connect() in the WLST shell.

    4. Run domainRuntime() in the WLST shell.

    5. Run listCred(map="OAM_STORE",key="jks") in the WLST shell to display the password.

  2. Add the Root CA certificate to the .oamkeystore and amtruststore files using the keytool command.

    The value of -storepass is the password retrieved in the previous step. For example:

    ./keytool -importcert -alias ROOT_CA -file /scratch/CA/ca.pem -keystore /scratch/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/.oamkeystore -storepass oru8nd3hhd4t4nrmh6unhv825b -storetype jceks
     
    ./keytool -importcert -alias ROOT_CA -file /scratch/CA/ca.pem -keystore /scratch/Oracle/Middleware/user_projects/domains/base_domain/config/fmwconfig/amtruststore -storepass oru8nd3hhd4t4nrmh6unhv825b -storetype jks
    

23.7.2 Configuring a WebGate For DCC

You can configure a WebGate for DCC. As part of this procedure you will also create the LDAPScheme_DCC Authentication Scheme.

You will use the Oracle Access Management Console for the configuration steps. This procedure assumes you have already installed the WebGates for which you will be creating profiles.

  1. Configure an 11g WebGate profile named, for example, ABC_WG1 on http://<host>:7778/index.html.

  2. Configure an 11g WebGate profile named, for example, XYZ_WG1_DCC on http://<host>:7779/index.html.

    This WebGate will act as the authentication WebGate.

  3. Navigate to the XYZ_WG1_DCC WebGate profile and select the Allow Credential Collector Operations option.

    This configures the WebGate for use as a DCC.

  4. Create a new Authentication Scheme by making a copy of the LDAPScheme Authentication Scheme and modifying the following values.

    Only modify the following values; leave the other parameters untouched.

    1. Name: LDAPScheme_DCC

    2. Challenge Redirect URL: http://<host>:<port>/ (here, http://<host>:7779/)

    3. Challenge URL: /oamsso-bin/login.pl

  5. Navigate to the ABC_WG1 Application Domain and do the following.

    1. Go to Authentication Policy.

    2. Select Authentication Policy (Protected Resource Policy).

    3. Select the newly created Authentication Scheme LDAPScheme_DCC.

  6. Restart the Oracle HTTP Server with port 7779 in use.

  7. Access the protected resource at http://<host>:7778/index.html.

    You should get the challenge page from the authenticating WebGate server (port 7779). After you provide valid credentials, the resource on the port 7778 server should be displayed.

23.7.3 Converting the DCC WebGate to SSL

You can convert the DCC WebGate instance to SSL.

The following sections have details.

23.7.3.1 Generating Server Certificates

You can generate server certificates using Oracle Wallet Manager (OWM).

  1. Create a Wallet using OWM.

    1. Start OWM.

      $ <webtier>/bin/owm
      
    2. Select Wallet > New and follow the on-screen instructions to create a Certificate Request.

    3. Save the created Wallet in an accessible location and write down the path for future reference.

    4. Select the Auto Login option and save the Wallet again.

  2. Create and export the server request file as server.csr using OWM.

    1. Select Operations > Export Certificate Request.

    2. Save it as server.csr.

  3. Sign server.csr to generate user certificate server.pem.

    You can use the OpenSSL utility as follows:

    openssl x509 -req -md5 -CAcreateserial -in server.csr -days 3656 -CA /<path>/ca.pem -CAkey /<path>/ca-key.pem -out server.pem

    The values of ca.pem and ca-key.pem should be the same ones used when generating the client certificate.

  4. Import the CA certificate (ca.pem) into OWM.

    1. Select Operations > Import Trusted Certificate.

    2. Point to ca.pem, your CA certificate.

    3. Import the CA certificate and save the wallet.

  5. Import server.pem as the user certificate.

    1. Select Operations > Import User Certificate.

    2. Point to the server.pem certificate generated in step 3.

    3. Import the server certificate and save the wallet.

  6. Edit the Oracle HTTP Server (OHS) ssl.conf file to point to this wallet as follows.

    #Path to the wallet
    SSLWallet "/<path to wallet>/wallet"
    SSLVerifyClient require
    

    ssl.conf is located at <webtier>/<instance_home>/config/ohs/ssl.conf.

  7. Restart the OHS instance.

23.7.3.2 Generating and Importing Client Certificates

You can generate and import client certificates and create a new X509 authentication scheme.

  1. Create a user certificate by following the steps documented in Creating the User Certificate.
  2. Create a new Authentication Scheme named X509_DCC as illustrated in Figure 23-10.

    Add a Challenge Redirect URL. The Challenge URL should be blank.

    Figure 23-10 New X509 Scheme

  3. Import <user_cert>.p12 into your browser.
  4. Access the protected resource via its SSL port. For example:
    https://<ohs_host>:<ohs_port>/index.html
    

    A popup is displayed asking which certificate to use. Select the appropriate certificate and the requested resource is accessed.