B Upgrade Scenarios for OAM
An upgraded OAM environment can result in the following cases:
- If WebGate is upgraded and the OAM Server is not, then SSL communication between them uses TLSv1 with MD5 certificates.
- If OAM Server is upgraded and WebGate is not, then SSL communication between them fails, as the OAM Server rejects MD5 certificates and doesn't support TLSv1. In this case, you need to modify the Java security policy to enable TLSv1, TLSv1.1 and MD5.
- If both OAM Server and WebGate are upgraded, edit the WebGate profile and copy the WebGate artifacts to the WebGate config folder. SSL communication between the OAM Server and WebGates will use TLSv1.2 with SHA-2 certificates.
WebGates
12c (12.2.1.4.0) WebGates that employ version 4 of the OAP protocol will continue to work with OAM 14c (14.1.2.1.0). However, these WebGates must be upgraded to leverage the full capability of 14c (14.1.2.1.0). To upgrade the WebGates:
- Stop the WebGates (OHS/OTD)
- Upgrade WebGate binaries to 14c (14.1.2.1.0)
- Edit WebGate profile and register the updated profile
- Copy the WebGate artifacts to the WebGate config folder
- Start the WebGates (OHS/OTD)
Multi-Data Center
If an upgrade results in a 14c (14.1.2.1.0) Primary server and a 12c (12.2.1.4.0) Clone server (or vice versa), then SSL communication between the servers fails. To enable communication between these servers, modify the java.security policy to enable TLSv1, TLSv1.1, and MD5 as suggested above.
Federation
For scenarios that involve Service Provider (SP) or Identity Provider (IDP) registration, the certificates used may be subject to the same limitations as those listed above for Client Certificates.
Note that federation agreements will break if the Token Signing Certificate is changed. As a result, the 12c (12.2.1.4.0) security posture is carried forward after upgrading, which may require enabling the legacy algorithms (TLSv1, TLSv1.1, and MD5), as described above. The use of SHA-2 certificates is supported.
OIC
Similar to Federation, changing the OAuth Token Signing Certificate breaks existing trust relationships. As a result, the 12c (12.2.1.4.0) security posture is carried forward after upgrading, which may require enabling the legacy algorithms (TLSv1, TLSv1.1, and MD5), as described above. The use of SHA-2 certificates is supported.
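The upgrade cases, Multi-Data Center, Federation and OIC sections above all point at the same workaround: relaxing the JDK's java.security policy so that TLSv1, TLSv1.1 and MD5 certificates are accepted again while a 12c (12.2.1.4.0) peer remains. Because that relaxation weakens the whole JVM, an operator wants a quick way to see whether it is currently in effect and to catch it once every peer is on 14c. The audit script below is an added example, not Oracle's code or part of the OAM product: it parses the real JDK properties `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` (including backslash line continuations) and reports which of the three legacy algorithms the policy currently permits. The two file contents it ships with are constructed samples, not copies of any shipped java.security.

```python
"""Audit java.security for the legacy-algorithm relaxation described above.

Added example, not Oracle's code. It reads the two JDK properties that
control which TLS protocol versions and certificate signature algorithms
the JVM (and therefore the OAM Server) will accept, and reports whether
TLSv1, TLSv1.1 and MD5 certificates are currently allowed. The file
contents below are constructed samples, not copies of a shipped file.
"""
import sys

# Real JDK property names found in java.security.
TLS_PROP = "jdk.tls.disabledAlgorithms"
CERTPATH_PROP = "jdk.certpath.disabledAlgorithms"


def parse_java_security(text):
    """Return {property: value}, joining backslash line continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank line or comment
        line = pending + line
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]           # value continues on the next line
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_algorithm_names(value):
    """Algorithm names listed in a disabledAlgorithms value.

    Each comma-separated entry is an algorithm optionally followed by a
    constraint (e.g. "DH keySize < 1024"); only the leading name matters here.
    """
    return {entry.strip().split()[0] for entry in value.split(",") if entry.strip()}


def legacy_posture(text):
    """Which of the legacy algorithms the policy currently permits (True = allowed)."""
    props = parse_java_security(text)
    tls_disabled = disabled_algorithm_names(props.get(TLS_PROP, ""))
    cert_disabled = disabled_algorithm_names(props.get(CERTPATH_PROP, ""))
    return {
        "TLSv1": "TLSv1" not in tls_disabled,
        "TLSv1.1": "TLSv1.1" not in tls_disabled,
        "MD5 certificates": "MD5" not in cert_disabled,
    }


def relaxation_active(text):
    """True if any legacy algorithm is enabled, i.e. the mixed-version workaround is in place."""
    return any(legacy_posture(text).values())


def report(text):
    """Operator-facing lines, returned (not only printed) so they can be checked."""
    lines = []
    for name, enabled in legacy_posture(text).items():
        lines.append(f"{name}: {'ENABLED (legacy)' if enabled else 'disabled'}")
    if relaxation_active(text):
        lines.append("Legacy relaxation active: expected only while a 12c peer remains.")
    else:
        lines.append("Legacy algorithms disabled: non-upgraded 12c peers will fail to connect.")
    return lines


# Constructed sample resembling JDK defaults: TLSv1, TLSv1.1 and MD5 are disabled.
SECURE_SAMPLE = """\
# constructed sample, not a copy of any shipped java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""

# The same file after the relaxation the upgrade notes call for: the three
# legacy entries removed so a 12c peer can still negotiate.
RELAXED_SAMPLE = SECURE_SAMPLE.replace("TLSv1, TLSv1.1, ", "").replace("MD2, MD5, ", "MD2, ")


def main(path=None):
    """Audit the given java.security file (or the relaxed sample); exit 1 if legacy is on."""
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = RELAXED_SAMPLE
    for line in report(text):
        print(line)
    return 1 if relaxation_active(text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it against the JDK's own file (`python audit.py $JAVA_HOME/conf/security/java.security`, or `jre/lib/security/java.security` on older JDKs) from a scheduled job: the non-zero exit code makes it easy to raise an alert once the last 12c WebGate or Clone server has been upgraded and the relaxation should be reverted to restore TLSv1.2 with SHA-2 certificates. Note that `MD5withRSA` in `jdk.tls.disabledAlgorithms` is a different entry from `MD5` in `jdk.certpath.disabledAlgorithms`; it is the latter that governs whether MD5-signed certificates are accepted, which is why the script checks each name against its own property.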