3 Managing Common Services and Certificate Validation
This chapter contains the following sections:
3.1 Configuration Options in Oracle Access Management Console
Figure 3-1 shows the Configuration options defined in the new Oracle Access Management Console. You can access these settings by clicking Configuration at the top of the Console.
Figure 3-1 Oracle Access Management Configuration Options
Table 3-1 describes the Configuration options. The items listed apply to all services in the suite.
Table 3-1 Configuration Options
Node | Description |
---|---|
Available Services | See "Available Services of the Common Configuration Section". |
User Identity Stores | See "Registering and Managing User Identity Stores" in Managing Data Sources. |
Administration | |
Certificate Validation | Provides access to the certificate revocation list and OCSP/CDP settings. |
Server Instances | Provides access to all registered OAM Server instances. |
Settings > Common Settings | Provides configurations that apply to all Oracle Access Management services, including Session properties, Oracle Coherence, Auditing, and Default and System Identity Stores. See "Common Settings". |
Settings > Access Manager | Provides access to Access Manager operation configurations. |
Settings > Federation | Provides access to configurations for Oracle Access Management Identity Federation. See Managing Identity Federation Partners, Managing Settings for Identity Federation, and Managing Federation Schemes and Policies. |
3.2 Available Services of the Common Configuration Section
The Available Services page of the Common Configuration section shows the status of each service and provides controls to enable or disable it. Initially, only the Access Manager services are enabled.
Oracle Access Management Administrators must enable a service in the Oracle Access Management Console to use the related functionality. The exception to this is Identity Context, which is enabled by default and does not have any controls to disable it.
A green check mark in the Status field beside the service name indicates the service is enabled. A red circle with a cross through it indicates that the corresponding service is disabled.
Table 3-2 Common Services
Service | Description |
---|---|
Access Manager | Access Manager functionality is enabled by default. The Access Manager Service is required to set SSO policies, to configure Access Manager and Common Configuration, and when REST Services are enabled. Default: Enabled. No other services are required for Access Manager and Common Configuration. |
Adaptive Authentication Service | Required for adaptive authentication functionality. Default: Enabled. See Also: Managing the Adaptive Authentication Service and Oracle Mobile Authenticator. |
OAuth and OpenIDConnect Service | Enable this service to activate issuance of standard OAuth tokens and to support OpenID Connect flows. Default: Enabled. See Also: Managing the Oracle Access Management OAuth Service and OpenIDConnect. |
Identity Federation | Must be enabled to manage federation partners. Default: Disabled. Note: The Access Manager service must also be enabled, because Identity Federation is another authentication module. See Also: Managing Oracle Access Management Identity Federation. |
3.2.1 Enabling or Disabling Available Services
The WebLogic AdminServer and OAM Server must be running to enable or disable an available service (for details, see Starting and Stopping Servers in Your Deployment).
- From the Oracle Access Management Console Launch Pad, click Available Services under Configuration.
- Click Enable beside the desired service name (or confirm that the Status indicator shows the green check mark).
- Click Disable beside the desired service name (or confirm that the Status indicator shows the red circle with a cross through it).
3.3 Common Settings
Common Settings apply to all services within the suite.
Figure 3-3 shows the named sections on the Common Settings page, which can be expanded to reveal related elements and values.
Figure 3-3 Common Settings Page (Collapsed View)
Oracle Access Management Administrators can control and specify parameters used by the entire suite, not just a single service, as introduced in Table 3-3.
Table 3-3 Common Settings
Tab Name | Description |
---|---|
Session | Session configuration refers to the process of managing the lifecycle requirements of a session. |
Audit Configuration | Oracle Access Management supports auditing for a large number of administrative and run-time events, uniform logging and exception handling, and the diagnostics of all audit events. Oracle Access Management auditing configuration is recorded in See Also: "Using the Oracle Access Management Console for Audit Configuration". |
Default and System Identity Stores | This section identifies the default identity store and the system store, which can be one and the same (or different). |
See Also: the following sections, which have more information on other operations common to all OAM components.
3.3.1 Managing Common Settings
(For details, see Starting and Stopping Servers in Your Deployment.)
- At the top of the Console, click Configuration.
- In the Configuration Launch Pad, select Common Settings from the View menu in the Settings section.
- Session:
  - On the Common Settings page, expand the Session section.
  - Click the arrow keys beside each list to increase or decrease the session lifecycle settings as needed:
    - Session Lifetime (minutes)
    - Idle Timeout (minutes)
    - Maximum Number of Sessions per User
  - Click Apply to submit your changes.
  - See Also: Maintaining Access Manager Sessions.
- Audit Configuration:
  - Expand the Audit Configuration section.
  - In the Audit Configuration section, enter the appropriate details for your environment:
    - Maximum (Log) Directory Size
    - Maximum (Log) File Size
    - Filter Enabled
    - Filter Preset (select from the list to define the verbosity of audit data)
    - Audit Configuration Table: use the Add (+) and Delete (x) buttons to specify users.
  - Click Apply to submit the Audit Configuration (or close the page without applying changes).
  - See Also: Auditing Administrative and Run-time Events.
- Default and System Identity Stores:
  - Expand the Default and System Identity Stores section.
  - Click the name of the System Store (or Default Store) to display its configuration page.
  - See About Using the System Store for User Identities for more information.
3.4 Certificate Validation and Revocation
The Certificate Validation module is used by the Security Token Service to validate X.509 tokens and to verify whether or not the certificates have been revoked.
It supports the following options:
- A Certificate Revocation List (CRL) is a list of certificates (identified by serial number) that the issuing CA has revoked. Each revoked certificate is listed with a reason and a revocation date, and the list is signed by the issuing entity; each list also carries the proposed date of the next release. A certificate that appears on the CRL should no longer be trusted. When a user presents a certificate, the server allows or denies access based on whether that certificate's serial number appears in the issuing CA's CRL. For more information, see Enabling the Certificate Revocation List Functionality.
- The Online Certificate Status Protocol (OCSP) was developed as an alternative to CRLs. OCSP specifies how a client application that needs the status of a certificate requests it from, and obtains it from, the server that answers such requests. An OCSP responder returns a signed response stating that the certificate in the request is good, revoked, or unknown; if the responder cannot process the request, it returns an error code. For more information, see "Enabling OCSP Certificate Validation" and Additional OCSP Configurations.
- A CRL Distribution Point (CDP) extension contains information about the location of Certificate Revocation Lists (CRLs) and OCSP servers. You can use the Administration Console to define these points. For more information, see Enabling CRL Distribution Point Extensions.
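The three mechanisms above can be exercised end to end with nothing but the openssl command line. The following script is an added example and is not part of the Oracle documentation or the OAM product: it builds a throwaway CA, issues a leaf certificate that carries a CRL Distribution Point and an AIA OCSP pointer (the two locations a CDP-aware validator reads), revokes the leaf through a CRL, and then shows the point that matters operationally: a revoked certificate still passes chain validation unless the verifier is explicitly asked to consult the CRL. The CA, the leaf, the CRLs, and the URLs (pki.example.com, ocsp.example.com) are all constructed locally and the URLs are never contacted.

```shell
#!/bin/sh
# Added example; not Oracle's code. Requires the openssl CLI (1.1.1 or later).
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

CDP_URL="http://pki.example.com/issuing-ca.crl"   # hypothetical CDP location
OCSP_URL="http://ocsp.example.com:9797"           # hypothetical OCSP responder

# Minimal request config: an empty DN section (the subject comes from -subj)
# plus one extension section for the CA and one for the leaf certificate.
cat > req.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
crlDistributionPoints = URI:$CDP_URL
authorityInfoAccess = OCSP;URI:$OCSP_URL
EOF

# Self-signed CA, then a leaf certificate signed by it.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Issuing CA" -extensions ca_ext \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
  -subj "/CN=alice" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -extfile req.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null

# Minimal CA database so that `openssl ca` can revoke certificates and issue CRLs.
: > index.txt
echo 01 > crlnumber
cat > ca.cnf <<EOF
[ca]
default_ca = local
[local]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF

# Prints the revocation pointers embedded in the leaf certificate: the CDP URI
# and the AIA OCSP URI that a CDP-aware validator uses to locate CRL and responder.
revocation_pointers() {
  openssl x509 -in leaf.crt -noout -text | grep -E 'URI:'
}

# Prints "good" or "revoked" for leaf.crt when the given CRL is consulted.
status_with_crl() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" leaf.crt >/dev/null 2>&1; then
    echo good
  else
    echo revoked
  fi
}

# Prints "good" or "revoked" for leaf.crt when no CRL checking is requested.
status_without_crl_check() {
  if openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1; then
    echo good
  else
    echo revoked
  fi
}

# CRL 1 is issued before any revocation; CRL 2 after the leaf is revoked.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

revocation_pointers
echo "with empty CRL:          $(status_with_crl empty.crl)"
echo "with CRL after revoke:   $(status_with_crl revoked.crl)"
echo "revoked, no -crl_check:  $(status_without_crl_check)"
```

The last line of output is the one to remember when reviewing an OAM deployment: the chain is still cryptographically valid after revocation, so leaving CRL, OCSP and CDP all disabled in the Certificate Validation module means a compromised-and-revoked client certificate keeps working.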
3.4.1 Enabling the Certificate Revocation List Functionality
Users with Oracle Access Management Administrator credentials can use the following procedure to enable the CRL functionality and import a current Certificate Authority Certificate Revocation List (CA CRL). Before beginning, you should have your CA CRL ready to import.
To enable:
Note: To search for CRLs in the table, enable Query by Example from the View drop-down, enter filter strings in the header fields that are displayed, and press Enter.
3.4.2 Enabling OCSP Certificate Validation
Users with Oracle Access Management Administrator credentials can use the following procedure to enable OCSP. Before you begin, have the URL of the OCSP service and the subject DN of its certificate ready.
To enable:
- Under the Configuration section of the Oracle Access Management Console, click Certificate Validation. The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
- Click the OCSP/CDP tab.
- Enable OCSP.
- Enter the URL of the OCSP Service.
- Enter the Subject DN of the OCSP Service (the subject of the responder's certificate).
- Save this configuration. Figure 3-5 illustrates how to add an OCSP URL using the Administration Console. See "WLST configureOAMOCSPCertValidation" for details on how to do this using the WLST command.
- Proceed to "Enabling CRL Distribution Point Extensions".
3.4.3 Enabling CRL Distribution Point Extensions
Users with Oracle Access Management Administrator credentials can use the following procedure to enable the use of CRL Distribution Point extensions carried in presented certificates.
To enable:
- Under the Configuration section of the Oracle Access Management Console, click Certificate Validation. The Certificate Revocation List page is displayed. Confirm that the Enabled box is checked.
- Open the OCSP/CDP tab.
- Enable CDP.
- Save this configuration. Figure 3-5 illustrates this.
3.4.4 Additional OCSP Configurations
Support for an HTTP proxy and for multiple OCSP responder configurations has been added to Oracle Access Manager.
The following example illustrates the current Certificate Validation Module configuration.
Certificate Validation Module Configuration

```xml
<Setting Name="CertValidationModule" Type="htf:map">
  <Setting Name="certpathvalidationocspcertsubject" Type="xsd:string"></Setting>
  <Setting Name="certpathvalidationocspurl" Type="xsd:string"></Setting>
  <Setting Name="certvalidationcrlstorelocation" Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/domains/base_domain/config/fmwconfig/amcrl.jar</Setting>
  <Setting Name="defaulttrustcastorelocation" Type="xsd:string">/scratch/maymaria/installed/wlsHome/user_projects/domains/base_domain/config/fmwconfig/amtruststore</Setting>
  <Setting Name="defaulttrustcastoretype" Type="xsd:string">jks</Setting>
  <Setting Name="certpathvalidationcdpenabled" Type="xsd:boolean">false</Setting>
  <Setting Name="certpathvalidationcrlenabled" Type="xsd:boolean">false</Setting>
  <Setting Name="certpathvalidationocspenabled" Type="xsd:boolean">false</Setting>
</Setting>
```

The following sections contain configuration information for these new features.
3.4.4.1 Configuring Multiple OCSP Responders
To support multiple OCSP responders, the three lines of configuration shown in the following example of a Multiple OCSP Responder Configuration must be added at the top of the Certificate Validation Module configuration section.
Multiple OCSP Responder Configuration

```xml
<Setting Name="CertValidationModule" Type="htf:map">
  <Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
    <Setting Name="<url_value>" Type="xsd:string"><ocsp_responder_subject></Setting>
  </Setting>
  <Setting Name="useJDKOCSP" Type="xsd:string">false</Setting>
  ...
</Setting>
```

Configure the first and second lines to enable multiple OCSP responders:
- Set certpathvalidationocspenabled to true.
- Update the certpathvalidationocspurltocamap configuration. It is of type Map; the key is the OCSP responder URL (URL-encoded) and the value is the subject of the OCSP responder's certificate:

```xml
<Setting Name="certpathvalidationocspurltocamap" Type="htf:map">
  <Setting Name="http%3A%2F%2Flocalhost%3A9797" Type="xsd:string">emailAddress=sagar@pspl.com,CN=ps2436,OU=OBLIX-QA,O=PSPL,L=PUNE,ST=MAHA,C=MY</Setting>
</Setting>
```

- (Optionally) set values for certpathvalidationocspcertsubject and certpathvalidationocspurl.
The responder URL is taken first from the AuthorityInformationAccess (AIA) extension of the user's X.509 certificate and, failing that, from the Modules/Plugin (CertValidation) configuration (certpathvalidationocspurl). The responder subject is taken first from the certpathvalidationocspurltocamap map and, failing that, from the Module/Plugin (CertValidation) configuration (certpathvalidationocspcertsubject). If neither source yields a value, OCSP validation fails.
Configure the third line (useJDKOCSP) to provide backward compatibility for deployments that want to use JDK OCSP validation rather than the new OAM OCSP Checker. By default, the JDK OCSP Checker is enabled. When you configure the OAM OCSP Checker using the WLST command, the flag is set to false. For more information on the WLST command, see WLST configureOAMOCSPCertValidation.
Depending on the Certificate Validation Module configuration there are three different options as documented in Table 3-4.
Table 3-4 OCSP Responder Configuration Options
Configuration | OCSP Configuration (certpathvalidationocspenabled) | CRL Configuration (certpathvalidationcrlenabled) | JDK/OAM OCSP Configuration (useJDKOCSP) |
---|---|---|---|
No OCSP checking: simple certificate validation is performed during OAM X.509 authentication | False | False | False |
OAM OCSP: X.509 authentication performs certificate validation with OCSP checking using the new OAM OCSP Checker | True | True/False (does not matter) | False |
JDK OCSP: X.509 authentication performs certificate validation with OCSP checking using the JDK OCSP Checker | True | True | True |
To enable OCSP validation using one configured responder URL, set the certpathvalidationcrlenabled and certpathvalidationocspenabled properties to true and set values for the certpathvalidationocspcertsubject and certpathvalidationocspurl properties. If these properties are not set, OCSP validation uses the responder URL defined in the user certificate's AIA extension. If no URL is defined there either, OCSP validation fails.
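The lookup order described above and the three rows of Table 3-4 are easy to get wrong when editing oam-config by hand, so here is an added example (not Oracle's code, and not the OAM implementation) that models the Certificate Validation Module settings: it decides which validation mode a given combination of certpathvalidationocspenabled, certpathvalidationcrlenabled and useJDKOCSP selects, resolves the responder URL and subject for a presented certificate in the documented order (AIA first, then certpathvalidationocspurl; map first, then certpathvalidationocspcertsubject) and fails closed when neither source has a value, and round-trips the settings through the Setting XML layout shown on this page. It goes slightly beyond the text in one respect: if the AIA extension lists several OCSP URLs it tries each in turn. The responder URLs and subjects in the demo are constructed for illustration.

```python
"""Added example: a model of the OAM Certificate Validation Module settings.
Not Oracle's code; all URLs, subjects and values are constructed."""
from dataclasses import dataclass, field
from urllib.parse import quote
from xml.etree import ElementTree as ET


@dataclass
class CertValidationModule:
    ocsp_enabled: bool = False       # certpathvalidationocspenabled
    crl_enabled: bool = False        # certpathvalidationcrlenabled
    cdp_enabled: bool = False        # certpathvalidationcdpenabled
    use_jdk_ocsp: bool = False       # useJDKOCSP
    ocsp_url: str = ""               # certpathvalidationocspurl (fallback URL)
    ocsp_cert_subject: str = ""      # certpathvalidationocspcertsubject (fallback subject)
    # certpathvalidationocspurltocamap: URL-encoded responder URL -> responder subject
    url_to_ca_map: dict = field(default_factory=dict)

    def add_responder(self, url, subject):
        # Keys are stored URL-encoded, as in the page's sample (http%3A%2F%2F...).
        self.url_to_ca_map[quote(url, safe="")] = subject

    def validation_mode(self):
        """The three rows of Table 3-4; any other combination is refused."""
        if not self.ocsp_enabled:
            return "none"            # simple certificate validation only
        if not self.use_jdk_ocsp:
            return "oam-ocsp"        # the CRL flag does not matter in this row
        if self.crl_enabled:
            return "jdk-ocsp"
        raise ValueError("useJDKOCSP=true with certpathvalidationcrlenabled=false "
                         "is not one of the documented combinations")

    def resolve_responder(self, aia_ocsp_urls):
        """URL: AIA extension first, then certpathvalidationocspurl.
        Subject: the URL-to-CA map first, then certpathvalidationocspcertsubject.
        No resolvable pair means OCSP validation fails (fail closed)."""
        candidates = list(aia_ocsp_urls)
        if self.ocsp_url:
            candidates.append(self.ocsp_url)
        for url in candidates:
            subject = self.url_to_ca_map.get(quote(url, safe="")) or self.ocsp_cert_subject
            if subject:
                return url, subject
        raise LookupError("no OCSP responder URL/subject resolvable; OCSP validation fails")

    def to_setting_xml(self):
        """Emit the <Setting> layout used by the Certificate Validation Module."""
        root = ET.Element("Setting", Name="CertValidationModule", Type="htf:map")
        ca_map = ET.SubElement(root, "Setting", Name="certpathvalidationocspurltocamap", Type="htf:map")
        for enc_url, subject in self.url_to_ca_map.items():
            ET.SubElement(ca_map, "Setting", Name=enc_url, Type="xsd:string").text = subject
        ET.SubElement(root, "Setting", Name="useJDKOCSP", Type="xsd:string").text = str(self.use_jdk_ocsp).lower()
        for name, value in (("certpathvalidationocspcertsubject", self.ocsp_cert_subject),
                            ("certpathvalidationocspurl", self.ocsp_url)):
            ET.SubElement(root, "Setting", Name=name, Type="xsd:string").text = value
        for name, value in (("certpathvalidationcdpenabled", self.cdp_enabled),
                            ("certpathvalidationcrlenabled", self.crl_enabled),
                            ("certpathvalidationocspenabled", self.ocsp_enabled)):
            ET.SubElement(root, "Setting", Name=name, Type="xsd:boolean").text = str(value).lower()
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def from_setting_xml(cls, text):
        """Parse the same layout back; unknown settings are ignored."""
        cfg = cls()
        for s in ET.fromstring(text).findall("Setting"):
            name, value = s.get("Name"), (s.text or "").strip()
            if name == "certpathvalidationocspurltocamap":
                for entry in s.findall("Setting"):
                    # strip(): a stray space in Name (as in the page's sample) would break lookups
                    cfg.url_to_ca_map[entry.get("Name").strip()] = (entry.text or "").strip()
            elif name == "useJDKOCSP":
                cfg.use_jdk_ocsp = value == "true"
            elif name == "certpathvalidationocspcertsubject":
                cfg.ocsp_cert_subject = value
            elif name == "certpathvalidationocspurl":
                cfg.ocsp_url = value
            elif name == "certpathvalidationcdpenabled":
                cfg.cdp_enabled = value == "true"
            elif name == "certpathvalidationcrlenabled":
                cfg.crl_enabled = value == "true"
            elif name == "certpathvalidationocspenabled":
                cfg.ocsp_enabled = value == "true"
        return cfg


if __name__ == "__main__":
    cfg = CertValidationModule(ocsp_enabled=True, ocsp_cert_subject="CN=Fallback OCSP Signer")
    cfg.add_responder("http://localhost:9797", "CN=ps2436,OU=OBLIX-QA,O=PSPL,C=MY")
    print(cfg.validation_mode())
    print(cfg.resolve_responder(["http://localhost:9797"]))
    print(cfg.to_setting_xml())
```

Two design points carry over to the real configuration: the map key must be the URL-encoded form of exactly the URL that appears in the certificate's AIA extension, otherwise the lookup silently falls through to the module-wide subject (or fails), and a responder subject that is not pinned anywhere means the signed OCSP response cannot be verified, which is why the text says validation fails rather than proceeding.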
3.5 WLST updateHTTPProxyConfig
The Oracle Access Manager OCSP checker can validate certificates against OCSP responders that are outside the enterprise's intranet by going through an HTTP proxy.
Use the updateHTTPProxyConfig WLST command to configure the OAM OCSP checker to use an HTTP proxy.
Description
Adds or updates proxy information.
Syntax
updateHTTPProxyConfig(proxyHost, proxyPort, conTimeOut)
Argument | Definition |
---|---|
proxyHost | Mandatory. The host name of the proxy. |
proxyPort | Mandatory. The port number of the proxy. |
conTimeOut | Mandatory. The connection timeout in milliseconds. |
Example
updateHTTPProxyConfig(proxyHost="hostname.example.com", proxyPort="8888", conTimeOut="600")
3.6 WLST configureOAMOCSPCertValidation
You can use the configureOAMOCSPCertValidation online command to update the OAM OCSP configuration.
It includes the following:
- Updating or adding an OCSP responder URL and subject details to the "certpathvalidationocspurltocamap" map
- Clearing the newly added configuration (for example, the "certpathvalidationocspurltocamap" entry)
- Setting or unsetting the "useJDKOCSP" flag to enable or disable JDK OCSP
Description
Updates the OAM OCSP configuration by adding or modifying the OCSP responder URL and subject details in the certpathvalidationocspurltocamap property and by enabling or disabling the use of the JDK OCSP Checker.
Syntax
configureOAMOCSPCertValidation(url, subject, clear (optional), display (optional), useJDKOCSP (optional))
Argument | Definition |
---|---|
url | Mandatory. The URL of the OCSP responder. |
subject | Mandatory. The subject of the OCSP responder's certificate being added or modified. |
clear | Optional. Takes a value of true or false. |
display | Optional. Takes a value of true or false. |
useJDKOCSP | Optional. Takes a value of true or false. |
Examples
The following example enables the OAM OCSP and sets the Responder URL and subject.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="cert-subject-detail")
The following example enables the OAM OCSP and updates the Responder URL and subject.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="details changed/updated")
The following example disables and clears the OAM OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="subject-detail", clear="true")
The following example enables/disables the JDK OCSP.
configureOAMOCSPCertValidation(url="http://sample:9898", subject="details changed/updated", useJDKOCSP="true")