Configure secure server communication modes and manage them through the settings for the common OAM Proxy.
Simple and Cert modes are similar.
Table 13-6 outlines the similarities between Simple and Cert modes.
Table 13-6 Summary: Simple and Cert Mode

Artifact or Process | Simple Mode | Cert Mode | Open Mode |
---|---|---|---|
X.509 digital certificates only. | X | X | N/A |
Communication between OAM Agents and OAM Servers is encrypted using Transport Layer Security, RFC 2246 (TLS v1). | X | X | N/A |
For each public key there is a corresponding private key that Access Manager stores in a file: | aaa_key.pem generated by openSSL | aaa_key.pem generated by your CA | N/A |
Signed certificates in Privacy Enhanced Mail (PEM) format | aaa_cert.pem generated by openSSL | aaa_cert.pem generated by your CA | N/A |
During OAM Server configuration, secure the private key with a global passphrase or PEM format details, depending on which mode you are using. Before an OAM Server or Webgate can use a private key, it must have the correct passphrase. | Global passphrase stored in a nominally encrypted file: | PEM format: | N/A |
During OAM Agent or OAM Server registration, the communication mode is propagated to the Oracle Access Management Console. | Same passphrase for each Webgate and OAM Server instance. | Different passphrase for each Webgate and OAM Server instance. | N/A |
Generating the certificate request for the Webgate produces the certificate request file, which you must send to a root CA that is trusted by the OAM Server. The root CA returns the Webgate certificates, which can then be installed either during or after Webgate installation. | cacert.pem: the certificate request, signed by the Oracle-provided openSSL Certificate Authority | aaa_req.pem: the certificate request, signed by your Certificate Authority | N/A |
Encrypt the private key using the DES algorithm. For example: `openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass:<passphrase> -des` | N/A | X | N/A |
Agent Key Password | N/A | Enter a password during agent registration in Cert Security mode (see Table 15-1). | N/A |
During Agent registration, ObAccessClient.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/ | ObAccessClient.xml Copy to: | ObAccessClient.xml Copy to: | ObAccessClient.xml Copy to: |
During Agent registration, password.xml is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Securing Communication | password.xml Copy to: | password.xml Copy to: | N/A |
During Agent registration, aaa_key.pem is generated in: $DOMAIN_HOME/output/$Agent_Name/ See Also: Securing Communication | aaa_key.pem Copy to: | aaa_key.pem Copy to: | N/A |
You can configure the settings on the Common OAM Proxy page for secure server communications.
Table 13-7 describes the settings required for Simple or Cert mode configurations.
Table 13-7 Server Common OAM Proxy Secure Communication Settings

Mode | Description |
---|---|
Simple Mode Configuration | The global passphrase for communication using OAM-signed X.509 certificates. This is set during initial OAM Server installation. Administrators can edit this passphrase and then reconfigure all existing OAM Agents to use it, as described in "Viewing or Editing Simple or Cert Settings for OAM Proxy". |
Cert Mode Configuration | Details required for the Key Store where the Cert mode X.509 certificates signed by an outside Certificate Authority reside. Note: These are set during initial OAM Server installation. The certificates can be imported using the import certificate utility or the keytool shipped with the JDK. Administrators can edit the alias and password and then reconfigure all existing OAM Agents to use them, as described in "Viewing or Editing Simple or Cert Settings for OAM Proxy". |
Administrators can view or edit Simple or Cert mode settings for the common OAM Proxy.
To view or edit:
64-bit WebGates now support SHA-2 (256-, 384- and 512-bit) certificates.
Run the following command to configure a 64-bit WebGate in Cert mode; it adds the root CA certificate as a trusted certificate to the agent's auto-login wallet:

```shell
<Oracle Middleware Home>/oracle_common/bin/orapki wallet add -wallet $DOMAIN_HOME/output/$Agent_Name/cwallet.sso -trusted_cert -cert <Root CA path, i.e. aaa_chain.pem> -auto_login_only
```
If using a Simple mode WebGate, you can improve the response time of the OAM login page by changing the aaaTimeoutThreshold time parameter in the WebGate profile from -1 to 10.
For detailed information about the AAA Timeout Threshold configuration element, see Table 15-3 in Registering and Managing OAM 11g Agents.