Configure SSL for Oracle Access Management 12c

Introduction

This tutorial shows you how to configure SSL for the Oracle Access Management 12c domain.

This is the sixth tutorial in the series Getting Started with Oracle Access Management 12c. Read them sequentially.

Objective

To configure SSL for the Oracle Access Management 12c domain.

Prerequisites

Create Keystores and Certificates

Create a Java Keystore

  1. Launch a terminal window as oracle and run the following command to create a java keystore:

    mkdir /u01/app/oracle/admin/domains/oam_domain/keystore
cd /u01/app/oracle/admin/domains/oam_domain/keystore
keytool -genkey -alias <alias> -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname <dn> -keypass <password> -keystore <keystore> -storepass <password>

    For example:

    mkdir /u01/app/oracle/admin/domains/oam_domain/keystore
cd /u01/app/oracle/admin/domains/oam_domain/keystore
keytool -genkey -alias server_cert -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 36500 \
-dname "CN=oam.example.com,OU=Security,O=Example Company,L=Redwood Shores,ST=California,C=US" \
-keypass <password> -keystore oam_keystore.jks -storepass <password>

    Replace <password> with a password of your choice.

    Note: CN=oam.example.com should be set to the host.domain of the server where OAM is installed.

    Make note of the values for -alias, -keystore, -keypass, and -storepass as these are used later in this tutorial.

Create a Certificate Signing Request

  1. Create a Certificate Signing Request (CSR) using the following command:

    keytool -certreq -v -alias <alias> -file <filename> -sigalg SHA256withRSA -keypass <password> -storepass <password> -keystore <keystore>

    For example:

    keytool -certreq -v -alias server_cert -file server.csr -sigalg SHA256withRSA -keypass <password> -storepass <password> -keystore oam_keystore.jks

    Make sure you use the same -alias, -keypass and storepass from Step 1.

    Note: If you see the Warning: The JKS keystore uses a proprietary format in this or subsequents steps you can ignore this error.

    The output should look similar to the following:

    Certification request stored in file <server.csr>
Submit this to your CA

    The CSR should look similar to the following:

    $ cat server.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC+DCCAeACAQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRcwFQYDVQQHEw5SZWR3b29kIFNob3JlczEYMBYGA1UEChMPRXhhbXBsZSBDb21w
etc...
rhEZEIfvX7jTu6b9Vxy2/RR2sYpQpOlKVMWqBdA1E8UdWaFDXtTOAC+d1FcUrZPw
XybKIozSa3lCW+pJ/HCNN30qWiA3Pb76Vi+hlicgXPcUZeYcN2xNM5VXLzY=
-----END NEW CERTIFICATE REQUEST-----

  2. The CSR should be sent to a Certificate Authority (CA) of your choice in order to generate a certificate. The CA should send back the server certificate and root CA certificate(s) that signed the certificate. For the purposes of this tutorial the certificates returned are saved as server.crt and ca.crt for the server certificate and CA certifcate respectively.

    Note: If you do not have a CA you can generate your own for testing purposes. Instructions on how to do this are in the next section.

  3. Once the certificates are recieved copy them to the /u01/app/oracle/admin/domains/oam_domain/keystore directory.

Create a Certificate Authority and Generate the Server Certificate

Note: This section should only be followed if you do not have a Certificate Authority (CA) and need to generate your own CA for testing purposes.

  1. Create a working directory to create the CA files, for example: /stage/ssl:

    mkdir /stage/ssl
    cd /stage/ssl

  2. Generate a 4096-bit private key (ca.key) for the root Certificate Authority (CA):

    openssl genrsa -out ca.key 4096

    The output will look similar to the following:

    Generating RSA private key, 4096 bit long modulus
................................................................................................................................................++
.....................++
e is 65537 (0x10001)

  3. Create a self-signed root CA certificate (ca.crt):

    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

    When prompted enter the details to create your CA. For example:

    You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Redwood City
Organization Name (eg, company) [Default Company Ltd]:Example Company
Organizational Unit Name (eg, section) []:Security
Common Name (eg, your name or your server's hostname) []: Example Company Certificate Authority
Email Address []:

    No output is returned to the screen.

  4. Use the CA to generate a certificate from the CSR created in the previous section:

    openssl x509 -req -days 36500 -in /u01/app/oracle/admin/domains/oam_domain/keystore/server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    The output will look similar to the following:

    Signature ok
subject=/C=US/ST=California/L=Redwood Shores/O=Example Company/OU=Security/CN=oam.example.com
Getting CA Private Key

  5. Copy the server.crt and ca.crt to the /u01/app/oracle/admin/domains/oam_domain/keystore/ directory:

    cp server.crt ca.crt /u01/app/oracle/admin/domains/oam_domain/keystore/

Import the certificates into the keystore

  1. Run the following command to import the certificates into the keystore:

    cd /u01/app/oracle/admin/domains/oam_domain/keystore/
keytool -import -v -noprompt -trustcacerts -alias <alias> -file <rootca_file> -keystore <keystore> -storepass <password>

    For example:

    keytool -import -v -noprompt -trustcacerts -alias rootcacert -file ca.crt -keystore oam_keystore.jks -storepass <password>

    The output will look similar to the following:

    Certificate was added to keystore
[Storing oam_keystore.jks]

    Note: If your CA has more than one CA certificate in the chain, then you must repeat the above for each certificate using a different alias each time. For example:

    keytool -import -v -noprompt -trustcacerts -alias rootcacert2 -file ca2.cer -keystore oam_keystore.jks -storepass <password>

  2. Import the Server Certificate into your keystore by running the following command:

    keytool -import -v -alias <alias> -file <server_cert_file> -keystore <keystore> -keypass <password> -storepass <password>

    For example:

    keytool -import -v -alias server_cert -file server.crt -keystore oam_keystore.jks -keypass <password> -storepass <password>

    The output will look similar to the following:

    Certificate reply was installed in keystore
[Storing oam_keystore.jks]

  3. View the contents of the keystore by running the following command:

    keytool -list -v -keystore oam_keystore.jks -storepass <PASSWORD>

    The output will look similar to the following:

    Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: rootcacert
Creation date: Jun 1, 2022
Entry type: trustedCertEntry

Owner: CN=Example Company Certificate Authority, OU=Security, O=Example Company, L=Redwood City, ST=California, C=US
Issuer: CN=Example Company Certificate Authority, OU=Security, O=Example Company, L=Redwood City, ST=California, C=US
Serial number: c3ed8cc19663b1c5
Valid from: Wed Jun 01 09:44:06 GMT 2022 until: Sat May 29 09:44:06 GMT 2032
Certificate fingerprints:
	    SHA1: 5F:F8:C0:B9:CE:1C:75:85:04:C0:23:D0:63:5E:CC:3B:B4:1F:13:B6
	    SHA256: BA:8B:9E:E2:16:BD:59:EF:BC:77:4D:10:F7:9C:D3:7B:A6:77:B7:CF:8F:E3:DB:14:44:1E:75:5E:BD:A8:A0:28
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD D2 44 11 5F BE 18 12   59 A0 2B 89 37 68 E2 2D  ..D._...Y.+.7h.-
0010: 5D 00 D3 5D                                        ]..]
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FD D2 44 11 5F BE 18 12   59 A0 2B 89 37 68 E2 2D  ..D._...Y.+.7h.-
0010: 5D 00 D3 5D                                        ]..]
]
]

 *******************************************
 *******************************************

Alias name: server_cert
Creation date: Jun 1, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oam.example.com, OU=Security, O=Example Company, L=Redwood Shores, ST=California, C=US
Issuer: CN=Example Company Certificate Authority, OU=Security, O=Example Company, L=Redwood City, ST=California, C=US
Serial number: 1
Valid from: Wed Jun 01 10:28:02 GMT 2022 until: Fri May 08 10:28:02 GMT 2122
Certificate fingerprints:
	    SHA1: C3:5B:FC:E1:38:60:9A:62:D1:C8:07:CC:36:6F:60:8E:BF:A8:B9:25
	    SHA256: 4A:29:8F:85:D0:5E:9A:49:94:AE:10:F6:77:36:36:BC:4E:75:45:ED:F6:4F:B3:5E:E0:FE:FC:83:1D:DB:BC:9E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Certificate[2]:
Owner: CN=Example Company Certificate Authority, OU=Security, O=Example Company, L=Redwood City, ST=California, C=US
Issuer: CN=Example Company Certificate Authority, OU=Security, O=Example Company, L=Redwood City, ST=California, C=US
Serial number: c3ed8cc19663b1c5
Valid from: Wed Jun 01 09:44:06 GMT 2022 until: Sat May 29 09:44:06 GMT 2032
Certificate fingerprints:
	    SHA1: 5F:F8:C0:B9:CE:1C:75:85:04:C0:23:D0:63:5E:CC:3B:B4:1F:13:B6
	    SHA256: BA:8B:9E:E2:16:BD:59:EF:BC:77:4D:10:F7:9C:D3:7B:A6:77:B7:CF:8F:E3:DB:14:44:1E:75:5E:BD:A8:A0:28
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD D2 44 11 5F BE 18 12   59 A0 2B 89 37 68 E2 2D  ..D._...Y.+.7h.-
0010: 5D 00 D3 5D                                        ]..]
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FD D2 44 11 5F BE 18 12   59 A0 2B 89 37 68 E2 2D  ..D._...Y.+.7h.-
0010: 5D 00 D3 5D                                        ]..]
]
]

 *******************************************
 *******************************************

Configure OAM for SSL

In this section you configure the OAM AdminServer to use SSL using the keystore generated earlier.

  1. Launch a browser and access the WebLogic Server Console at http://oam.example.com:7001/console. Login as weblogic/<password>.

  2. In the Change Center click Lock and Edit.

  3. In the Domain Structure pane, under oam_domain navigate to Environment > Servers. Click on AdminServer.

  4. In the General tab, click the SSL Listen Port Enabled checkbox. Click Save:

    Description of the illustration sslenabled.jpg

  5. Click on the Keystores tab. In the Keystores tab, under Keystores click Change:

    Description of the illustration keystores.jpg

  6. In the Keystores drop down list, select Custom Identity and Custom Trust. Click Save.

  7. Fill out the Keystore fields as follows and click Save:

    Field Value
    Custom Identity Keystore /u01/app/oracle/admin/domains/oam_domain/keystore/oam_keystore.jks
    Custom Identity Keystore Type JKS
    Custom Identity Keystore Passphrase <password>
    Confirm Custom Identity Keystore Passphrase <password>
    Custom Trust Keystore /u01/app/oracle/admin/domains/oam_domain/keystore/oam_keystore.jks
    Custom Trust Keystore Type JKS
    Custom Trust Keystore Passphrase <password>
    Confirm Custom Trust Keystore Passphrase <password>

    For example:

    Description of the illustration keystorevalues.jpg

  8. Click on the SSL tab. Fill out the fields as follows and click Save:

    Field Value
    Private Key Alias server_cert
    Private Key Passphrase <password>
    Confirm Private Key Passphrase <password>

    For example:

    Description of the illustration ssltab.jpg

  9. Expand the Advanced section and under Hostname Verification select None from the drop down list. Click Save.

  10. In the Change Center click Activate Changes.

  11. Test you can access the WLS Console via SSL e.g https://oam.example.com:7002/console. Login as weblogic/<password>.

  12. In the Change Center click Lock and Edit.

  13. In the Domain Structure pane, under oam_domain navigate to Environment > Servers. Click on oam_server1.

  14. Repeat steps 4-10 above for oam_server1.

  15. In the Change Center click Lock and Edit.

  16. In the Domain Structure pane, under oam_domain navigate to Environment > Servers. Click on oam_policy_mgr1.

  17. Repeat steps 4-10 above for oam_policy_mgr1.

  18. Test you can access the Policy Manager Console via SSL e.g https://oam.example.com:14151/access. Login as weblogic/<password>.

Change Load Balancing settings to SSL

  1. Launch a browser and access the WebLogic Server Console at https://oam.example.com:7002/oamconsole. Login as weblogic/<password>.

  2. Navigate to Configuration and then under the Settings tile select View > Access Manager.

  3. Under Load Balancing and WebGate Traffic Load Balancer set the following and click Apply:

    • OAM Server Protocol: https
    • OAM Server Port: 14101

    For example:

    Description of the illustration lbssl.jpg

  4. Restart the oam_server1 server:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
./stopManagedWebLogic.sh oam_server1
./startManagedWebLogic.sh oam_server1

Next Tutorial

Configure Oracle Unified Directory for Oracle Access Management 12c.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.

Acknowledgements