Wednesday, March 26, 2014

How to Configure Cert Mode Communication For OAM 11g

Sharing something which I did today to kill time. I configured cert mode communication with OAM 11gR2. Although, you will find the same steps in oracle documentation but this blog is intended only to share/record my experience and is not intended to replace the oracle documentation in any case:

Environment Details:

OAM 11g R2, Admin Server: 7001, OAM Server: 14100
OAM 11g WebGate
OUD as user store
OHS running on 7778 port
java version "1.6.0_24"
OEL 6.3
WLS WLS_DOMAIN=/app/u01/middleware/user_projects/idm_domain
ORACLE_INSTANCE_NAME=instance5 /app/u01/middleware/Oracle_WT1/instances/instance5
OAMAGENT= webgate5

1. Installed openssl (openssl-1.0.0e.tar.gz) to create my own Certificate Authority (CA) and create self signed certificate as this what oracle recommends to use for configuring CERT mode.

Here is the link from where i downloaded the openssl from

2. Create your own CA Authority

Please refer the below link on how to create your own Certificate Authority:

3. Generating a Certificate Request and Private Key

oracle@oam custom]$ openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8

Generating a 2048 bit RSA private key
writing new private key to 'aaa_key.pem'
Enter PEM pass phrase: Oracle123
Verifying - Enter PEM pass phrase: Oracle123
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NC
Locality Name (eg, city) [Default City]:Charlotte
Organization Name (eg, company) [Default Company Ltd]:MYEXAMPLE
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, your name or your server's hostname) []:OAM.EXAMPLE.COM
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Oracle123
An optional company name []:MYEXAMPLE

This creates two files - aaa_key.pem and aaa_req.pem.

The certificate request for Webgate generates the request file aaa_req.pem, which you must send to a root CA that is trusted by the OAM Sever.  Now, submit the certificate request (aaa_req.pem) to a trusted CA to get signed certificate i.e., aaa_cert.pem

Use the below command to sign the certificate request:

openssl x509 -req -in aaa_req.pem -CA aaa_chain.pem -CAkey rootCA.key -CAcreateserial -out aaa_cert.pem -days 500
Signature ok
Getting CA Private Key

This will generated the signed certificate named aaa_cert.pem in base64 (PEM) format. 
Note: The aaa_chain.pem and rootCA.key are generated during the setup of Certificate Authority.
You can run the above command again to generate the aaa_cert.der file or you can run the below command to convert .PEM to .DER format:
openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER

4. Retrieving the OAM Keystore Alias and Password

cd $ORACLE_IDM/common/bin/

Start the WebLogic Scripting Tool:
 1.     In the WLST shell, enter the command to connect and then enter the requested information. For example:
2.     wls:/offline> connect()
3.     Please enter your username [weblogic] : weblogic
4.     Please enter your password [welcome1] : Oracle123
5.     Please enter your server URL [t3://localhost:7001] : t3://
wls:/idm_domain/serverConfig> domainRuntime()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
wls:/idm_domain/domainRuntime> listCred(map="OAM_STORE",key="jks")

Note: Here, OAM_STORE represents the name of your OAM Keystore.

Already in Domain Runtime Tree
[Name : jks, Description : null, expiry Date : null]

Note: Pay close attention to the password of the OAM Keystore that is displayed because this is required to import the certificates.

5. Importing the Trusted, Signed Certificate Chain Into the OAM Keystore

Note: The keystores associated with Oracle Access Manager 11g accepts only PKCS8 DER format certificates:

Unzip and locate the Readme file in the following location:

cd $ORACLE_IDM/oam/server/tools

Import the trusted certificate chain using the following command:

Note: When prompted to trust this certificate, type yes.

[oracle@oam custom]$ keytool -importcert -file aaa_chain.pem -trustcacerts -storepass 4h94npscjjrbtl7ql375fjiju -storetype JCEKS -keystore /app/u01/middleware/user_projects/domains/idm_domain/config/fmwconfig/.oamkeystore

Serial number: a719d32a4d962e18
Valid from: Mon Mar 24 21:27:15 CDT 2014 until: Wed Jan 11 20:27:15 CST 2017
Certificate fingerprints:
             MD5:  28:CD:C6:36:7A:B3:37:C9:8F:90:63:AD:2C:2D:09:CF
             SHA1: 68:88:B0:D2:10:43:86:73:32:1D:AC:6A:86:2B:15:CF:75:A0:72:95
             Signature algorithm name: SHA1withRSA
             Version: 3
#1: ObjectId: Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BC F0 37 1F 6A 4D C6 05   04 BE 10 3B 7C A2 0B D9  ..7.jM.....;....
0010: D5 84 F4 E6                                ....
#2: ObjectId: Criticality=false
#3: ObjectId: Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BC F0 37 1F 6A 4D C6 05   04 BE 10 3B 7C A2 0B D9  ..7.jM.....;....
0010: D5 84 F4 E6                                        ....
Trust this certificate? [no]:  yes
Certificate was added to keystore.

Convert the aaa_cert.pem to DER format

[oracle@oam custom]$ openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER

The above command will convert the signed certificate (aaa_cert.pem) to DER format i.e., aaa_cert.der

Convert the aaa_key.pem to DER format

[oracle@oam custom]$ openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER
Enter pass phrase for aaa_key.pem: Oracle123

The above command will convert the private key (aaa_key.pem) to DER format i.e., aaa_key.der

6. Import the aaa_key.der and the aaa_cert.der format certificates into the .oamkeystore using Oracle supplied importcert.jar file

[oracle@oam importcert]$ java -cp importcert.jar -keystore /app/u01/middleware/user_projects/domains/idm_domain/config/fmwconfig/.oamkeystore -privatekeyfile ~/Downloads/openssl-1.0.0e/custom/aaa_key.der -signedcertfile ~/Downloads/openssl-1.0.0e/custom/aaa_cert.der -alias my.certmode -storetype JCEKS
Enter Keystore password :      4h94npscjjrbtl7ql375fjiju                  
Enter Alias password :         Oracle123

Certificates imported to keystore

7. Adding Certificate Details to Access Manager Settings

After importing the certificates into the keystore, you must add the alias and password that you specified earlier into Access Manager settings configuration in Oracle Access Manager Console. To add certificate details to Access Manager Settings:

1.     From the Oracle Access Manager Console, click the System Configuration tab.
2.     From the System Configuration tab, Access Manager Settings section, open the Access Manager Settings page.
3.     Expand the Access Protocol section of the page, if needed.
4.     Fill in the alias and alias password details acquired in the previous procedure. For example:
Cert Mode Configuration
PEM keystore Alias: my.certmode
PEM keystore Alias Password: Oracle123

8. Setting the OAM_server mode to cert

Open the OAM Server registration page, Server instances,oam-server1. Select the Proxy tab, change the Proxy mode to Cert, and click Apply.

9. Generating a Private Key and Certificate Request for the WebGate

Use the following procedure to retrieve the private key, certificate, and CA certificate for the Webgate
1.     Generate both the certificate request (aaa_req.pem) and Private Key (aaa_key.pem) as follows:

[oracle@oam webgate]$ openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8
Generating a 2048 bit RSA private key
writing new private key to 'aaa_key.pem'
Enter PEM pass phrase: Oracle123
Verifying - Enter PEM pass phrase: Oracle123
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:St Louis
Locality Name (eg, city) [Default City]:Missouri
Organization Name (eg, company) [Default Company Ltd]:MYEXAMPLE
Organizational Unit Name (eg, section) []:OAM
Common Name (eg, your name or your server's hostname) []
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:Oracle123
An optional company name []:MYEXAMPLE

This will generate  the files, aaa_key.pem  and aaa_req.pem

Submit the certificate request (aaa_req.pem) to a trusted CA.

[oracle@oam webgate]$ openssl x509 -req -in aaa_req.pem -CA ../aaa_chain.pem -CAkey ../rootCA.key -CAcreateserial -out aaa_cert.pem -days 500
Signature ok
subject=/C=US/ST=St Louis/L=Missouri/O=MYEXAMPLE/OU=OAM/
Getting CA Private Key

Encrypt the private key (aaa_key.pem) using a password as follows:

[oracle@oam webgate]$ openssl rsa -in aaa_key.pem -passin pass:Oracle123 -out aaa_key.pem -passout pass:Oracle123 -des
writing RSA key

10. Update the communication mode in the WebGate Agent registration in the OAm admin console

From the System Configuration tab, Access Manager Settings section, expand the SSO Agents node, and expand OAM Agents.

On the agent's registration page, locate the Security options and click Cert (or Simple).
Cert Mode: Enter the Agent key Password, Oracle123

11. Copy the updated WebGate files/Artifacts to the proper WebGate location

[oracle@oam config]$ pwd

oracle@oam config]$ cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate5/cwallet.sso .
[oracle@oam config]$ cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate5/ObAccessClient.xml .
[oracle@oam config]$ cp /app/u01/middleware/user_projects/domains/idm_domain/output/webgate5/password.xml .

12. Copy the WebGate certificate files (.PEM) to the proper WebGate location

[oracle@oam config]$ pwd
[oracle@oam config]$ cp ~/Downloads/openssl-1.0.0e/custom/webgate/aaa_cert.pem .
[oracle@oam config]$ cp ~/Downloads/openssl-1.0.0e/custom/webgate/aaa_key.pem .
[oracle@oam config]$ cp ~/Downloads/openssl-1.0.0e/custom/aaa_chain.pem .

13. Verifying Cert Mode Configuration
You must restart the Web server to instantiate the change to Cert mode. Then you can validate the results.
14. To validate Cert mode changes
In a browser window, enter the URL to a resource protected by the Webgate using cert mode.


Issue Encountered:

while doing this configuration first time, I used the same certificate in step #3 & #9 and got different kind of errors/warnings like:

Could not read file oblog_config.xml

OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized.

So, second time, I configured the simple mode first to see if that works or not. After successfully configuring OAM in SIMPLE mode (found that so easy to configure) , I updated the configuration to CERT mode using different certificates in step3 & step9 though I kept the information in both certificate request as same and it worked like charm.




Wednesday, March 12, 2014

WebLogic Startup Issues

Spent last two days troubleshooting below issues:

Issue Description: WebLogic Admin Server not starting up

Error Message:
<> <> <> <1394648437222> java.lang.AssertionError: java.lang.reflect.InvocationTargetException

Troubleshooting Steps:

For above, tried couple of things like deleting the /data, /tmp and /cache folder and modifying/backupin the config.xmlgenerating new SerializedSystemIni.dat but nothing worked.

Issue Description: OIM Managed Server not starting up on node1 but running fine on node2.

Resolution: The issue got resolved after restoring the filesystem as we found that most of the configuration were messed up.

Error Message:

< access denied ( context=SYSTEM,mapName=oim,keyName=default-keystore.jks read)

Troubleshooting Steps:

Added the below debugging level:

set JAVA_OPTIONS=-Djps.auth.debug="true" %JAVA_OPTIONS%
set JAVA_OPTIONS=-Djps.auth.debug.verbose="true" %JAVA_OPTIONS%
set"access,failure" %JAVA_OPTIONS%

Tried replacing the system-jazn-data.xml from node2, added entries for oimclient.jar and org.springframework_2.5.jar but issue still persists.

will keep posting the updates......