Managing Common Services and Certificate Validation

3 Managing Common Services and Certificate Validation

The properties that are used in common can be configured by the services integrated into Oracle Access Management.

This chapter contains the following sections:

3.1 Configuration Options in Oracle Access Management Console

The Oracle Access Management options and settings are collectively called Configuration. Unless explicitly stated, the Configuration options are shared by all Access Manager servers and services in the domain.

Figure 3-1 shows the Configuration options defined in the new Oracle Access Management Console. You can access these settings by clicking Configuration at the top of the Console.

Figure 3-1 Oracle Access Management Configuration Options

Description of "Figure 3-1 Oracle Access Management Configuration Options"

Table 3-1 describes the Configuration options. The items listed apply to all services in the suite.

Table 3-1 Configuration Options

Node	Description
Available Services	See "Available Services of the Common Configuration Section".
User Identity Stores	See "Registering and Managing User Identity Stores" in Managing Data Sources.
Administration	See Delegating Administration.
Certificate Validation	Provides access to the certificate revocation list and OCSP/CDP settings. See: "Certificate Validation and Revocation".
Server Instances	Provides access to all registered OAM Server instances. See: Managing Server Registration
Settings > Common Settings	Provides configurations that apply to all Oracle Access Management services including Session properties, Oracle Coherence, Auditing, and Default and System Identity Stores. See: "Common Settings".
Settings > Access Manager	Provides access to Access Manager operation configurations. See "Managing Common and System Configurations"
Settings > Federation	Provides access to configurations for Oracle Access Management Identity Federation. See Managing Identity Federation Partners, Managing Settings for Identity Federation and Managing Federation Schemes and Policies.

3.2 Available Services of the Common Configuration Section

Available Services shows the Available Services page of the Common Configuration section, which provides the status of services, and controls to enable or disable a service. Initially, only Access Manager services are enabled.

Oracle Access Management Administrators must enable a service in the Oracle Access Management Console to use the related functionality. The exception to this is Identity Context, which is enabled by default and does not have any controls to disable it.

Figure 3-2 Available Services

Description of "Figure 3-2 Available Services"

A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a cross through it indicates that the corresponding service is disabled.

Table 3-2 Common Services

Service	Description
Access Manager	Access Manager functionality is enabled by default. Access Manager Service is required to set SSO policies, configure Access Manager, as well as Common Configuration, and when REST Services are enabled. Default: Enabled No other services are required for Access Manager and Common Configuration.
Adaptive Authentication Service	Required for adaptive authentication functionality. Default: Enabled See Also: Managing the Adaptive Authentication Service and Oracle Mobile Authenticator.
OAuth and OpenIDConnect Service	Enable this service to activate issuance of standard OAuth tokens and support OpenId Connect flows. Default: Enabled See Also: Managing the Oracle Access Management OAuth Service and OpenIDConnect.
Identity Federation	Must be enabled to manage the federation partners. Default: Disabled Note: The Access Manager service must also be enabled because Identity Federation is another authentication module. See Also: Managing Oracle Access Management Identity Federation.

3.2.1 Enabling or Disabling Available Services

The WebLogic AdminServer and OAM Server must be running to enable or disable an available service.

(For details. see Starting and Stopping Servers in Your Deployment).

From the Oracle Access Management Console Launch Pad, click Available Services under Configuration.
Click Enable beside the desired service name (or confirm that the Status check mark is green).
Click Disable beside the desired service name (or confirm that the Status check mark is red).

3.3 Common Settings

Common Settings apply to all services within the suite.

Figure 3-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.

Figure 3-3 Common Settings Page (Collapsed View)

Description of "Figure 3-3 Common Settings Page (Collapsed View)"

Oracle Access Management Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 3-3.

Table 3-3 Common Settings

Tab Name Description

Tab Name	Description
Session	Session configuration refers to the process of managing the lifecycle requirements of a session.
Audit Configuration	Oracle Access Management supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Management auditing configuration is recorded in `oam-config.xml`. See Also: "Using the Oracle Access Management Console for Audit Configuration".
Default and System Identity Stores	This section identifies the default identity and system stores, which can be one in the same (or different).

Session

Session configuration refers to the process of managing the lifecycle requirements of a session.

Audit Configuration

Oracle Access Management supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Management auditing configuration is recorded in oam-config.xml.

Default and System Identity Stores

This section identifies the default identity and system stores, which can be one in the same (or different).

3.3.1 Managing Common Settings

Users with valid Oracle Access Management Administrator credentials can perform the following task to display the Common Settings page and perform changes. To manage common settings, the OAM Server must be running.

(For details. see Starting and Stopping Servers in Your Deployment.)

At the top of the Console, click Configuration.
In the Configuration Launch Pad, select Common Settings from the View menu in the Settings section.
Session:
1. On the Common Settings page, expand the Session section.
2. Click the arrow keys beside each list to increase or decrease session lifecycle settings as needed:
  - Session Lifetime (minutes)
  - Idle Timeout (minutes)
  - Maximum Number of Sessions per User
3. Click Apply to submit your changes.
4. See Also: Maintaining Access Manager Sessions.
Audit Configuration:
1. Expand the Audit Configuration section.
2. In the Audit Configuration section, enter appropriate details for your environment:
  - Maximum (Log) Directory Size
  - Maximum (Log) File Size
  - Filter Enabled
  - Filter preset (select from the list to define verbosity of audit data)
  - Audit Configuration Table: Use Add (+) or Delete (x) buttons to specify users.
3. Click Apply to submit the Audit Configuration (or close the page without applying changes).
4. See Also: Auditing Administrative and Run-time Events.
Default Store and System Stores:
1. Expand the Default and System Identity Stores section.
2. Click the name of the System Store (or Default Store) to display the configuration page.
3. See About using the System Store for User Identities for more information.

3.4 Certificate Validation and Revocation

The Certificate Validation module is used by the Security Token Service to validate X.509 tokens and to verify whether or not the certificates have been revoked.

It supports the following options:

A Certificate Revocation List (CRL) is a list of certificates (identified by serial numbers) that have been revoked. Revoked certificates are listed with a reason, an issue date, and the issuing entity. (In addition, each list contains a proposed date for the next release.) Entities presenting these (revoked) certificates should no longer be trusted. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for the particular user. For more information, see Enabling the Certificate Revocation List Functionality
The Online Certificate Status Protocol (OCSP) was developed as an alternative to CRLs. OCSP specifies how the client application that requests information on a certificate's status will obtain it from the server that responds to the request. An OCSP responder can return a signed response signifying that the certificate specified in the request is either good, revoked or unknown. If the OCSP cannot process the request, it returns an error code. For more information, see "Enabling OCSP Certificate Validation" and Additional OCSP Configurations
A CRL Distribution Point extension (CDP extensions) contains information regarding the location of Certificate Revocation Lists (CRLs) and OCSP servers. You o use the Administration Console to define these points. For more information, see Enabling CRL Distribution Point Extensions

3.4.1 Enabling the Certificate Revocation List Functionality

Users with Oracle Access Management Administrator credentials can use the following procedure to enable the CRL functionality and import a current Certificate Authority Certificate Revocation List (CA CRL). Before beginning, you should have your CA CRL ready to import.

To enable:

In the Configuration Launch Pad section of the Oracle Access Management Console, click Certificate Validation.

The Certificate Revocation List tab is displayed.
Confirm that the Enabled box is checked.
Add or remove a CRL.
- Add: Click the Add (green plus sign) button, browse for the CRL file, select it, and click Import.
- Remove: Click the name of the list in the table, click the Delete (x) button, and confirm when asked.
Figure 3-4 is a screenshot of the pop-up window used to add a CA CRL to the CRL List using the Administrative Console.

Figure 3-4 Certificate Revocation List Dialog Box

Description of "Figure 3-4 Certificate Revocation List Dialog Box"
Click Apply to save the configuration.
Proceed to "Enabling OCSP Certificate Validation".

Note:

To search for CRLs in the table, enable Query by Example from the View drop-down. Enter filter strings in the header fields displayed and hit Enter.

3.4.2 Enabling OCSP Certificate Validation

Users with Oracle Access Management Administrator credentials can use the following procedure to enable the OCSP. Before you begin, you should have the URL of the OCSP service ready to import.

To enable:

Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.

The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
Click the OCSP/CDP tab.
1. Enable OCSP.
2. Enter the URL of the OCSP Service.
3. Enter the Subject DN of the OCSP Service.
4. Save this configuration.
Figure 3-5 illustrates how to add an OCSP URL using the Administration Console. See "WLST configureOAMOSCSPCertValidation" for details on how to do this using the WLST command.

Figure 3-5 OCSP/CDP Settings

Description of "Figure 3-5 OCSP/CDP Settings"
Proceed to "Enabling CRL Distribution Point Extensions".

3.4.3 Enabling CRL Distribution Point Extensions

Users with Oracle Access Management Administrator credentials can use the following procedure to add CRL distribution points in issued certificates.

To enable:

Under the Configuration section of the Oracle Access Management Console, click Certificate Validation.

The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
Open the OCSP/CDP tab.
1. Enable CDP.
2. Save this configuration.
Figure 3-5 illustrates this.

3.4.4 Additional OCSP Configurations

Support for HTTP Proxy and multiple OCSP Responder configurations are added in Oracle Access Manager.

The following example illustrates the current Certificate Validation Module configuration.

Certificate Validation Module Configuration

<Setting Name="CertValidationModule" Type="htf:map">
      <Setting Name="certpathvalidationocspcertsubject" 
          Type="xsd:string"></Setting>
      <Setting Name="certpathvalidationocspurl" Type="xsd:string"></Setting>
      <Setting Name="certvalidationcrlstorelocation" 
           Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/
           domains/base_domain/config/fmwconfig/amcrl.jar</Setting>
      <Setting Name="defaulttrustcastorelocation"     
           Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/
           domains/base_domain/config/fmwconfig/amtruststore</Setting>
      <Setting Name="defaulttrustcastoretype" Type="xsd:string">jks</Setting>
      <Setting Name="certpathvalidationcdpenabled" 
           Type="xsd:boolean">false</Setting>
      <Setting Name="certpathvalidationcrlenabled" 
           Type="xsd:boolean">false</Setting>
      <Setting Name="certpathvalidationocspenabled" 
           Type="xsd:boolean">false</Setting>
</Setting>

The following sections contain configuration information for these new features.

3.4.4.1 Configuring Multiple OCSP Responders

Certificate authentication currently supports authentication against a single OCSP responder as documented in "Enabling OCSP Certificate Validation". Support for multiple OCSP responders has been added since the responder URL is now part of the certificate's Authority Information Access Extension.

To support multiple OCSP Responders, the three lines of configuration from the following example of Multiple OCSP Responder Configuration must be added to the top of the Certificate Validation Module configuration section (illustrated in the following example).

Multiple OCSP Reponder Configuration

<Setting Name="CertValidationModule" Type="htf:map">
      <Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
      <Setting Name="<url_value>" Type="xsd:string">
          <ocsp_responder_subject></Setting>
      </Setting>
      <Setting Name="useJDKOCSP" Type="xsd:string">false</Setting>
      ...
</Setting>

Configure the first and second lines to enable multiple OCSP responders.

Set certpathvalidationocspenabled to true.

Update the certpathvalidationocspurltocamap configuration. It is of type Map, the key is the OCSP Responder URL (URL Encoded) and the value is the OCSP Responder's Certificate subject.

<Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
     <Setting Name=" http%3A%2F%2Flocalhost%3A9797" Type="xsd:string">
     emailAddress=sagar@pspl.com,CN=ps2436,OU=OBLIX-QA,O=PSPL,
     L=PUNE,ST=MAHA,C=MY</Setting>
</Setting>

(Optionally) set values for certpathvalidationocspcertsubject and certpathvalidationocspurl.

The Responder URLs will be fetched first from the AuthorityInformationAccess extension of the user's X.509 certificate and second from Modules/Plugin (CertValidation). The Responder Subjects will be fetched first from the defined configuration map and second from the Module/Plugin (CertValidation) configuration. In cases where these configurations are not found, the OCSP validation will fail.

Configure the third line to provide backward compatibility for those who want to use JDK OCSP validation rather than the new OAM OCSP Checker. By default, the JDK OCSP Checker is enabled. When configuring the OAM OCSP Checker using the WLST command, the flag is set to false. For more information on the WLST command, see WLST configureOAMOSCSPCertValidation.

Depending on the Certificate Validation Module configuration there are three different options as documented in Table 3-4.

Table 3-4 OCSP Responder Configuration Options

Configuration	OCSP Configuration (certpathvalidationocspenabled)	CRL Configuration (certpathvalidationcrlenabled)	JDK/OAM OCSP Configuration (useJDKOCSP)
No OCSP Checking Simple certificate validation is performed during OAM X-509 authentication	False	False	False
OAM OCSP X-509 authentication performs certificate validation with OCSP checking using the new OAM OCSP Checker.	True	True/False (does not matter)	False
JDK OCSP X-509 authentication performs certificate validation with OCSP checking using the JDK OCSP Checker.	True	True	True

Configuration

OCSP Configuration (certpathvalidationocspenabled)

CRL Configuration (certpathvalidationcrlenabled)

JDK/OAM OCSP Configuration (useJDKOCSP)

No OCSP Checking

Simple certificate validation is performed during OAM X-509 authentication

False

OAM OCSP

X-509 authentication performs certificate validation with OCSP checking using the new OAM OCSP Checker.

True

True/False

(does not matter)

False

JDK OCSP

X-509 authentication performs certificate validation with OCSP checking using the JDK OCSP Checker.

True

To enable OCSP validation to be done using one configured responder URL, set the certpathvalidationcrlenabled and certpathvalidationocspenabled properties to true and set values for the certpathvalidationocspcertsubject and certpathvalidationocspurl properties. If these properties are not set, OCSP validation will be done using the responder URL defined within the user certificate's AIA Extension. If no URL is defined, OCSP validation will fail.

3.5 WLST updateHTTPProxyConfig

The Oracle Access Manager OCSP checker can perform authentication against OCSP responders that are outside an enterprise's intranet through HTTP Proxy.

Use the updateHTTPProxyConfig WLST command to configure the OAM OCSP checker to use HTTP proxy.

Description

Adds or updates proxy information.

Syntax

updateHTTPProxyConfig(proxyHost, proxyPort, conTimeOut)

Argument	Definition
proxyHost	Mandatory. The host name of the proxy.
proxyPort	Mandatory. The port number of the proxy.
conTimeOut	Mandatory. The connection timeout in milliseconds.

Example

updateHTTPProxyConfig(proxyHost="hostname.example.com", proxyPort="8888", 
  conTimeOut="600")

3.6 WLST configureOAMOSCSPCertValidation

You can use the configureOAMOSCSPCertValidation online command to update the OAM OCSP configuration.

It includes the following:

Updating or adding an OCSP responder URL and subject details to the "certpathvalidationocspurltocamap"
Clearing the newly added configuration; for example, "certpathvalidationocspurltocamap"
Setting or unsetting the "useJDKOCSP" flag to enable or disable JDK OCSP

Description

Updates the OAM OCSP configuration by adding/modifying the OCSP responder URL and subject details in the certpathvalidationocspurltocamap property and enabling/disabling the use of the JDK OCSP Checker.

Syntax

configureOAMOCSPCertValidation(url, subject, clear (optional), 
  display (optional), useJDKOCSP (optional))

Argument	Definition
url	Mandatory. Takes as a value the valid URL.
subject	Mandatory. Takes the details being modified.
clear	Optional. Takes a value of true or false.
display	Optional. Takes a value of true or false.
useJDKOCSP	Optional. Takes a value of true or false.

Examples

The following example enables the OAM OCSP and sets the Responder URL and subject.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="cert-subject-detail")

The following example enables the OAM OCSP and updates the Responder URL and subject.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="details changed/updated")

The following example disables and clears the OAM OCSP.

configureOAMOCSPCertValidation(url="http://sample:9898", subject="subject-detail", clear="true")

The following example enables/disables the JDK OCSP.

configureOAMOCSPCertValidation(url="http://sample:9898", 
    subject="details changed/updated", useJDKOCSP="true")