
Setting up X509 Authentication with OAM PS3

I have used the certgen utility to generate certificates.

Copy the certgen utility to the server and generate a certificate authority (CA).

Run the command below to generate the CA key and certificate:

./certgen.sh ca ca-key.pem ca.pem


Generate the server certificate as below:

./certgen.sh server ca-key.pem ca.pem


Generated server certs and key. Generated files: key: server_key.pem , cert: server_cert.pem

Convert this certificate and its key into a PKCS#12 bundle using the command below:

openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out myserver.p12 -name "Server"




Create two custom keystores on the OAM server, one for the server (identity) certificate and one for the root (trust) certificate. You can generate a keystore with keytool or with a tool such as KeyStore Explorer on Windows; once created, place them on the OAM server. Below is the command to generate a keystore using keytool:

keytool -genkey -alias mydomain -keyalg RSA -keystore Server.jks -keysize 2048

Log in to the WebLogic Admin Console.
Navigate to the OAM server instance > Configuration > Keystores tab.
Verify that the Keystores value is set to "Custom Identity and Custom Trust".
Set the paths of the identity (server) and trust keystores in WebLogic.


Also update the passwords for these keystores.

Click the SSL tab. Set Hostname Verification to None, and set Two Way Client Cert Behavior to "Client Certs Requested And Enforced".


Enable the SSL listen port and set the SSL port number on the 'General' tab:



Import the CA certificate generated above into trust.jks, and import myserver.p12 (the server certificate and key) into Server.jks:

keytool -importkeystore -deststorepass welcome1 -destkeystore Server.jks -srckeystore myserver.p12 -srcstoretype PKCS12

Certificates can also be imported in PEM format:

keytool -import -trustcacerts -alias root -file ca.pem -keystore trust.jks

Once all the certificates are imported into the keystores and their locations are updated on the OAM managed server, restart the servers.

Now the root certificate needs to be added to .oamkeystore and amtruststore.

Both are located in <IAMDomain>/config/fmwconfig/. Take a backup of this directory first.

Retrieve the password of this keystore so that the certificates can be imported. Earlier this could be done with WLST; with PS3 it has to be done through the EM console.

Go to WebLogic Domain > IAMDomain > right-click > System MBean Browser >
Application Defined MBeans > com.oracle.jps > Server: wls_oam1 > JpsCredentialStore
> Operations tab > getPortableCredential
Enter the Map and Key values (OAM_Store and Jks respectively) and click the Invoke button.


Once the password is retrieved, use it to import the root certificate into both keystores:

./keytool -importcert -alias ROOT_CA -file /scratch/ca.pem -keystore <mw>/config/domains/IAMDomain/config/fmwconfig/.oamkeystore -storepass <password retrieved in previous step> -storetype jceks

./keytool -importcert -alias ROOT_CA -file /scratch/ca.pem -keystore <mw>/config/domains/IAMDomain/config/fmwconfig/amtruststore -storepass <password retrieved in previous step> -storetype jceks


Now generate the user certificate that will be installed in the user's browser and presented to OAM for authentication.
Generate the user certificate with the CA created above:

./certgen.sh client ca-key.pem ca.pem

Provide the requested details, then convert the result to PKCS#12 format, which browsers accept for import:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12 -name "User Test"
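The following script is an added example; it is not part of the original post and not part of certgen.sh. It reproduces the CA, server and client certificate generation from the sections above with plain openssl commands, then runs the checks worth doing before anything is loaded into the WebLogic or OAM keystores: that each leaf certificate chains to the CA (and that a self-signed certificate from an unrelated key does not), that the server certificate carries the serverAuth extended key usage and the client certificate clientAuth, and that the PKCS#12 bundle actually holds both the key and the certificate and refuses a wrong password. The subjects, file names, the temporary working directory and the bundle password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of certgen.sh. Builds a
# throwaway CA, a server certificate and a client certificate with plain
# openssl commands and then verifies them the way you would before loading
# them into the WebLogic or OAM keystores. All file names, subjects, the
# working directory and the PKCS#12 password "changeit" are assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Minimal OpenSSL config: an empty DN section (subjects come from -subj) plus
# one extension section per certificate role. 2048-bit RSA and SHA-256 are
# used instead of the 1024-bit/SHA-1 defaults found in older sample scripts.
write_config() {
    cat > test.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# issue_leaf <name> <subject> <extension section>: CSR plus CA-signed
# certificate, written to <name>_key.pem and <name>_cert.pem
issue_leaf() {
    openssl req -new -config test.cnf -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "${1}_key.pem" -out "${1}.csr" >/dev/null 2>&1
    openssl x509 -req -in "${1}.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -days 365 -sha256 -extfile test.cnf -extensions "$3" -out "${1}_cert.pem" >/dev/null 2>&1
}

make_test_pki() {
    # self-signed root CA (the role of "certgen.sh ca")
    openssl req -x509 -config test.cnf -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/C=GB/ST=Berkshire/O=Test CA/CN=Test Root CA" \
        -keyout ca-key.pem -out ca.pem >/dev/null 2>&1
    issue_leaf server "/C=GB/ST=Berkshire/O=Test CA/CN=oam.example.test" v3_server
    issue_leaf client "/C=GB/ST=Berkshire/O=Test CA/CN=User Test" v3_client
    # browser-importable bundle for the user, as in the post
    openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem \
        -out client.p12 -name "User Test" -passout pass:changeit
    # self-signed certificate from an unrelated key: the CA must NOT vouch for it
    openssl req -x509 -config test.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=rogue" -keyout rogue_key.pem -out rogue_cert.pem >/dev/null 2>&1
}

# chains_to_ca <cert>: 0 when <cert> validates against ca.pem
chains_to_ca() {
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# has_eku <cert> <text>: 0 when the Extended Key Usage lists <text>,
# e.g. "TLS Web Client Authentication"
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# p12_complete <bundle> <password>: 0 when the bundle opens with <password>
# and holds at least one certificate and one private key
p12_complete() {
    certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -c 'PRIVATE KEY' || true)
    [ "$certs" -ge 1 ] && [ "$keys" -ge 1 ]
}

not() { ! "$@"; }

# check <label> <command...>: prints a verdict line, records failure in rc
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# run_checks: one verdict per check, returns 0 only if all of them pass
run_checks() {
    rc=0
    check "server cert chains to CA"            chains_to_ca server_cert.pem
    check "client cert chains to CA"            chains_to_ca client_cert.pem
    check "unrelated self-signed cert rejected" not chains_to_ca rogue_cert.pem
    check "server cert has serverAuth EKU"      has_eku server_cert.pem "TLS Web Server Authentication"
    check "client cert has clientAuth EKU"      has_eku client_cert.pem "TLS Web Client Authentication"
    check "client cert lacks serverAuth EKU"    not has_eku client_cert.pem "TLS Web Server Authentication"
    check "client.p12 holds key and cert"       p12_complete client.p12 changeit
    check "client.p12 rejects wrong password"   not p12_complete client.p12 wrongpass
    return $rc
}

write_config
make_test_pki
run_checks
echo "artifacts left in $WORKDIR"
```

The script works in a fresh temporary directory and prints its path at the end. The same three checks apply unchanged to the files produced by certgen.sh: point chains_to_ca and has_eku at server_cert.pem and client_cert.pem with ca.pem as the CA, and p12_complete at myserver.p12 or client.p12. A client bundle that passes can also be presented to the challenge URL from the command line with curl (--cert client.p12:changeit --cert-type P12 --cacert ca.pem), which is a quicker way to confirm that the OAM SSL port really requests and enforces a client certificate than importing the bundle into a browser.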

Now log in to the OAM console and protect the application using the X509 authentication scheme:



Make sure that the SSL port is used in the challenge URL for credential collection in the authentication scheme:

https://OAM-HOST:14101/oam/CredCollectServlet/X509

Access the protected resource; OAM should now prompt the browser for the client certificate.


Content of certgen.sh

Save the content below in a file named certgen.sh to use it.


#!/bin/sh
#
# A script generates self-signed root CA cert/key. It will also generate the server and client certs.
# The certs generated should be used for demo/testing purposes only!
#
# Please note that the code provided here is for sample and/or informational use only.
# It will not be supported by Oracle Support and is not deemed to be accurate or error-free.
#
#

usage ()
{
    echo "Usage:"
    echo "  certgen ca [<ca key> <ca cert>]"
    echo "  certgen client <ca key> <ca cert> [ <client key>  <client cert> ]"
    echo "  certgen server <ca key> <ca cert> [ <server key>  <server cert> ]"
}

gen_config ()
{
    echo "Generating ca_config.cnf"
    cat > ca_config.cnf <<EOT
HOME                    = .
RANDFILE                = \$ENV::HOME/.rnd
[ ca ]
default_ca      = CA_default
[ CA_default ]
certs           = .
crl_dir         = .
database        = index.txt
new_certs_dir   = .
certificate     = $2
serial          = serial
private_key     = $1
RANDFILE        = .rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 30
default_md      = sha256
preserve        = no
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
# 2048-bit keys and SHA-256: 1024-bit keys and SHA-1 signatures are refused by current browsers
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = MASK:0x2002
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = GB
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Berkshire
localityName                    = Locality Name (eg, city)
localityName_default            = Newbury
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = My Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOT
}

gen_ca ()
{
    echo "generating CA cert:$1, $2";
    openssl req -config ca_config.cnf -new -x509 -extensions v3_ca -days 3650 -passin pass:whatever -passout pass:whatever -keyout $1 -out $2
}

gen_client_cert ()
{
    echo "generating client cert:$1, $2";
    openssl req -config ca_config.cnf -new -nodes -keyout $1 -out temp.csr -days 3650

    openssl ca -config ca_config.cnf -policy policy_anything -out $2 -days 3650 -passin pass:whatever -extensions xpclient_ext -infiles temp.csr

    rm temp.csr
}

gen_server_cert ()
{
    echo "generating server cert:$1, $2";
    openssl req -config ca_config.cnf -new -nodes -keyout $1 -out temp.csr -days 3650

    openssl ca -config ca_config.cnf -policy policy_anything -out $2 -days 3650 -passin pass:whatever -extensions xpserver_ext -infiles temp.csr

    rm temp.csr
}

#at least one argument
if [ $# -lt 1 ]
then
    usage
    exit 1
fi


#default file names if not specified in command line
ca_key_file=cakey.pem
ca_cert_file=cacert.pem
client_key_file=client_key.pem
client_cert_file=client_cert.pem
server_key_file=server_key.pem
server_cert_file=server_cert.pem

case $1 in
ca)
    if [ x$2 != x ]
    then
        ca_key_file=$2
        ca_cert_file=$3
    fi
    gen_config $ca_key_file $ca_cert_file
    gen_ca $ca_key_file $ca_cert_file
    if [ -f $ca_key_file -a -f $ca_cert_file ]
    then
        echo "Generated files: key: $ca_key_file , cert: $ca_cert_file"
    else
        echo "Failed to generate all files"
    fi
    ;;
client)
    if [ $# -ne 3 -a $# -ne 5 ]
    then
        usage
        exit 1
    fi
    ca_key_file=$2
    ca_cert_file=$3
    gen_config $ca_key_file $ca_cert_file
    if [ x$4 != x ]
    then
        client_key_file=$4
        client_cert_file=$5
    fi
    if [ ! -f index.txt ]
    then
        touch index.txt
    fi

    if [ ! -f serial ]
    then
        echo 01 > serial
    fi
    gen_client_cert $client_key_file $client_cert_file
    if [ -f $client_key_file -a -f $client_cert_file ]
    then
        echo "Generated files: key: $client_key_file , cert: $client_cert_file"
    else
        echo "Failed to generate all files"
    fi
    if [ $client_cert_file != `cat serial.old`.pem ]
    then
        rm `cat serial.old`.pem
    fi
    ;;
server)
    if [ $# -ne 3 -a $# -ne 5 ]
    then
        usage
        exit 1
    fi
    ca_key_file=$2
    ca_cert_file=$3
    gen_config $ca_key_file $ca_cert_file
    if [ x$4 != x ]
    then
        server_key_file=$4
        server_cert_file=$5
    fi
    if [ ! -f index.txt ]
    then
        touch index.txt
    fi

    if [ ! -f serial ]
    then
        echo 01 > serial
    fi
    gen_server_cert $server_key_file $server_cert_file
    if [ -f $server_key_file -a -f $server_cert_file ]
    then
        echo "Generated files: key: $server_key_file , cert: $server_cert_file"
    else
        echo "Failed to generate all files"
    fi
    if [ $server_cert_file != `cat serial.old`.pem ]
    then
        rm `cat serial.old`.pem
    fi
    ;;
*) usage; exit 1;;
esac



#cleanups
rm ca_config.cnf
