Setup OAM 11G Webgate for OHS in "CERT" mode
"CERT" mode is similar to "SIMPLE" mode, but in cert mode the trusted authority is not Oracle but an external CA.
I assume that you already have an OHS running in your environment. If the webgate is not already installed, install the webgate first. You could check my other blog on setting up the webgate.
After the OHS is installed and the webgate setup is completed, follow the rest of this blog for setting up the "CERT" mode.
1. Generate the KEY and CSR
The first step is to generate the private key and Certificate Signing Request (CSR) for the OAM server.
openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -config /usr/local/groundwork/common/openssl/openssl.cnf
You could use a different openssl.cnf if available. The key name "aaa_key.pem" and the CSR name "aaa_req.pem" are not optional; they have to be exactly like this.
The above command will ask you a series of questions for the CSR. Fill them out according to your requirements.
Generating a 2048 bit RSA private key
...........................................+++
......................................................................................................................................................................+++
writing new private key to 'aaa_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:Example.com
Organizational Unit Name (eg, section) []:example.com
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Oracle123
An optional company name []:
The above command will generate 2 files:
aaa_req.pem
aaa_key.pem
Submit the aaa_req.pem to the external Certificate Authority (CA).
Note: You could also create your own CA internally. In that case, you will be able to submit the request to your own CA. Check my other blog on setting up the local CA.
The CA will return 2 files:
user certificate in base64 format, aaa_cert.pem
CA root chain cert in base64 format, aaa_chain.pem
2. Encrypt the private key
Encrypt the key generated in the first step.
openssl rsa -in aaa_key.pem -passin pass:Oracle123 -out aaa_key.pem -passout pass:Oracle123 -des
3. Retrieve the OAM keystore alias and password
To import the certificate into the OAM keystore you will need the keystore password; follow the steps below to retrieve it.
cd $FMW/Oracle_OIM1/common/bin
./wlst.sh
connect()
domainRuntime()
wls:/OAMDomain/domainRuntime> listCred(map="OAM_STORE",key="jks")
Already in Domain Runtime Tree
[Name : jks, Description : null, expiry Date : null]
PASSWORD:m7699agvgdtqnbetb64t6r0skj
Note the password above; you are going to need it in the next step.
4. Import the CA chain and the User Cert to OAM keystore
To import the user certificate, you will first need to convert the cert and key from base64 format to DER format; the OAM keystore accepts the user cert in DER format only. This step is not needed for the trusted chain cert.
4.1 Convert the user key and cert to DER format
Open aaa_key.pem and delete everything except the content between
-----BEGIN CERTIFICATE-----
Cert
-----END CERTIFICATE-----
(Do not delete the lines that say BEGIN CERTIFICATE and END CERTIFICATE.)
openssl pkcs8 -topk8 -nocrypt -in aaa_key.pem -inform PEM -out aaa_key.der -outform DER
Enter pass phrase for aaa_key.pem: Oracle123
Do the same for aaa_cert.pem:
openssl x509 -in aaa_cert.pem -inform PEM -out aaa_cert.der -outform DER
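Step 4.1 asks you to trim the PEM file down to the single block between its BEGIN and END lines by hand in an editor. The POSIX shell functions below are an added example, not part of the original post: pem_block prints exactly one block from a file (both marker lines included) and fails if the block is absent or unterminated, and clean_pem rewrites the file in place to just that block while keeping a .bak copy, so the trimming can be scripted and checked instead of done by eye. The label argument is whatever the file's own BEGIN line carries (CERTIFICATE for aaa_cert.pem; check the first line of each file with head -1 before choosing). Carriage returns, which CA portals often leave in downloaded files, are stripped. The sample file in the trailing comment is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of step 4.1.
# pem_block LABEL FILE  - print the single "-----BEGIN LABEL-----" ...
#                         "-----END LABEL-----" block from FILE, marker lines
#                         included. Returns 1 if there is no such block or the
#                         END line is missing.
# clean_pem LABEL FILE  - replace FILE with just that block, keeping FILE.bak.
# LABEL is whatever the file's own BEGIN line says (e.g. CERTIFICATE).
pem_block() {
    label=$1
    file=$2
    [ -r "$file" ] || { echo "pem_block: cannot read $file" >&2; return 1; }
    awk -v b="-----BEGIN ${label}-----" -v e="-----END ${label}-----" '
        { sub(/\r$/, "") }                              # tolerate CRLF files
        $0 == b            { inblock = 1; found = 1 }
        inblock            { print }
        inblock && $0 == e { closed = 1; exit }        # stop at the first END line
        END                { if (!found || !closed) exit 1 }
    ' "$file"
}

clean_pem() {
    label=$1
    file=$2
    tmp="$file.tmp.$$"
    if pem_block "$label" "$file" > "$tmp"; then
        cp -p "$file" "$file.bak" && mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "clean_pem: no complete $label block in $file, file left untouched" >&2
        return 1
    fi
}

# Example run on a constructed file (not a real certificate):
#   printf '%s\n' 'Bag Attributes' '-----BEGIN CERTIFICATE-----' 'MIIB...' \
#          '-----END CERTIFICATE-----' 'trailer' > demo.pem
#   clean_pem CERTIFICATE demo.pem && cat demo.pem
```

Because the match is exact, a file whose BEGIN line says something other than the label you pass (for example a key file rather than a certificate) is refused instead of silently producing an empty file, which is the failure the manual edit in 4.1 is most prone to.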
4.2 Import the CA chain certificate and the user certificate
CA cert:
keytool -importcert -file ./aaa_chain.pem -trustcacerts -storepass m7699agvgdtqnbetb64t6r0skj -keystore $OAMDOMAIN/config/fmwconfig/.oamkeystore -storetype JCEKS
Note: Use the keytool from the Java installation in use for the OAM managed server.
User certificate:
java -cp importcert.jar oracle.security.am.common.tools.importcerts.CertificateImport -keystore $OAMDOMAIN/config/fmwconfig/.oamkeystore -privatekeyfile /home/oracle/cert/aaa_key.der -signedcertfile /home/oracle/cert/aaa_cert.der -alias dev.certmode -storetype JCEKS
Enter Store Password: m7699agvgdtqnbetb64t6r0skj
Enter alias password: Oracle123
Certificates imported to $OAMDOMAIN/config/fmwconfig/.oamkeystore
Note the alias used here; you will need to use it in the next step.
5. Add certificate details to OAM server
Login to OAM -> System Configuration -> Access Manager -> Access Manager Settings
In the settings above, enter the "PEM Keystore Alias" that you used at the time of cert import in step 4.2. The password is the one used earlier for the key.
6. Set OAM to CERT mode
OAM -> System Configuration -> Server Instances -> oam_server1
Set the mode to "CERT".
Restart OAM.
7. Generate the WebGate artifacts
Go to OAM and register (or re-register) the webgate in cert mode. During registration, use the password (Oracle123) that was used earlier when the CSR was generated.
This will generate the artifacts on the OAM server under the directory
$OAMDOMAIN/output/<webgate name>
cwallet.sso
ObAccessClient.xml
password.xml
Copy these files from the OAM server to the OHS web server using scp or sftp.
8. WebGate Certificates
On the web server, generate the CSR:
openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -nodes -config /usr/local/groundwork/common/openssl/openssl.cnf
Submit the CSR to the CA.
Receive the user certificate aaa_cert.pem and the trust chain certificate aaa_chain.pem.
Encrypt the private key:
openssl rsa -in aaa_key.pem -passin pass:Oracle123 -out aaa_key.pem -passout pass:Oracle123 -des
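Step 1 and step 8 run the same CSR procedure, once on the OAM server and once on the web server, and in both places the files the CA hands back are imported or deployed without any check that they belong together. The POSIX shell functions below are an added example, not from the original post; they assume only the file names the post uses (aaa_key.pem, aaa_cert.pem, aaa_chain.pem) and the openssl command line tool. They confirm that the private key and the user certificate carry the same public key, that the certificate verifies against the returned chain, that it is not about to expire, and that the encryption from step 2 actually took effect on the key file. CERT_DIR, KEY_PASS and check_certs.sh are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the CSR and CA
# outputs of steps 1-2 and 8, to run before anything is imported or deployed.
# Assumed inputs (file names from the post): aaa_key.pem (possibly encrypted),
# aaa_cert.pem (user cert from the CA), aaa_chain.pem (CA chain incl. root).
# Every check function is silent and returns 0 on success, 1 on failure.

# The key and the user certificate belong together if they carry the same
# public key: openssl pkey derives it from the private key, openssl x509
# extracts it from the certificate, and both print it as a PEM "PUBLIC KEY".
key_matches_cert() {
    key=$1; cert=$2; pass=$3
    k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The user certificate must chain up to the CA chain the CA handed back.
cert_chains_to() {
    cert=$1; chain=$2
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# The certificate must not expire within DAYS days (0 = not expired right now).
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Step 2 is supposed to leave the key passphrase-protected: loading it with a
# deliberately wrong passphrase must fail. (An unencrypted key ignores -passin.)
key_is_encrypted() {
    ! openssl pkey -in "$1" -passin pass:not-the-real-passphrase -noout >/dev/null 2>&1
}

# Run every check on a directory holding the three files; PASS is the key
# passphrase chosen in step 2 (Oracle123 in the post).
check_all() {
    dir=$1; pass=$2; rc=0
    key_matches_cert "$dir/aaa_key.pem" "$dir/aaa_cert.pem" "$pass" \
        || { echo "aaa_key.pem does not match aaa_cert.pem" >&2; rc=1; }
    cert_chains_to "$dir/aaa_cert.pem" "$dir/aaa_chain.pem" \
        || { echo "aaa_cert.pem does not verify against aaa_chain.pem" >&2; rc=1; }
    cert_valid_for_days "$dir/aaa_cert.pem" 30 \
        || { echo "aaa_cert.pem expires within 30 days" >&2; rc=1; }
    key_is_encrypted "$dir/aaa_key.pem" \
        || { echo "aaa_key.pem is not passphrase-protected; step 2 was skipped" >&2; rc=1; }
    return $rc
}

# Stand-alone use:  CERT_DIR=/home/oracle/cert KEY_PASS=Oracle123 sh check_certs.sh
if [ -n "${CERT_DIR:-}" ]; then
    check_all "$CERT_DIR" "${KEY_PASS:?set KEY_PASS to the key passphrase}" && echo "all checks passed"
fi
```

Run it on the OAM server's cert directory before the import in step 4.2 and again on the web server before the copy in step 9. One caveat on step 2 itself: single DES is a legacy cipher in current OpenSSL releases; if your openssl refuses -des, -aes256 takes the same -passout and the rest of the procedure (the pkcs8 conversion and the DER import) is unchanged.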
9. Copy the files to the WebGate server
Copy the following files to the directory OHSINSTANCE/config/OHS/ohs4/webgate/config:
aaa_key.pem
aaa_cert.pem
aaa_chain.pem
Note that these files are the result of the CSR on the WebGate server.
Copy the following files that you SFTPed from the OAM server:
cwallet.sso
ObAccessClient.xml
password.xml
Restart the OHS server.
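Step 9 moves six files into the WebGate config directory and restarts OHS. The POSIX shell function below is an added example, not part of the original post: it refuses to deploy unless all six files are present and non-empty, copies them into the directory passed as the third argument (the post's OHSINSTANCE/config/OHS/ohs4/webgate/config), and leaves the private key and the OAM artifacts readable only by the owning user, since together they are the WebGate's identity toward OAM. It assumes OHS runs as the user that owns those files; the argument names and the sample run in the comment are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of step 9.
# install_webgate_files CSR_DIR OAM_DIR CFG_DIR
#   CSR_DIR: where step 8 produced aaa_key.pem / aaa_cert.pem / aaa_chain.pem
#   OAM_DIR: where cwallet.sso / ObAccessClient.xml / password.xml landed after
#            being copied from $OAMDOMAIN/output/<webgate name> on the OAM server
#   CFG_DIR: the WebGate config directory, e.g. OHSINSTANCE/config/OHS/ohs4/webgate/config
# Returns 1 without touching CFG_DIR if any input file is missing or empty.
CERT_FILES="aaa_key.pem aaa_cert.pem aaa_chain.pem"
OAM_FILES="cwallet.sso ObAccessClient.xml password.xml"

# require_files DIR "name name ..." : every named file must exist and be non-empty
require_files() {
    dir=$1
    for f in $2; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
}

install_webgate_files() {
    csr_dir=$1; oam_dir=$2; cfg_dir=$3
    # Validate both inputs before creating or writing anything.
    require_files "$csr_dir" "$CERT_FILES" || return 1
    require_files "$oam_dir" "$OAM_FILES" || return 1
    mkdir -p "$cfg_dir" || return 1
    for f in $CERT_FILES; do cp "$csr_dir/$f" "$cfg_dir/$f" || return 1; done
    for f in $OAM_FILES;  do cp "$oam_dir/$f" "$cfg_dir/$f" || return 1; done
    # Secrets: the WebGate private key and the artifacts OAM generated for it
    # (wallet, password file) stay readable by the owning user only.
    chmod 600 "$cfg_dir/aaa_key.pem" "$cfg_dir/cwallet.sso" \
              "$cfg_dir/password.xml" "$cfg_dir/ObAccessClient.xml" || return 1
    # Public material: the certificates may be world-readable.
    chmod 644 "$cfg_dir/aaa_cert.pem" "$cfg_dir/aaa_chain.pem" || return 1
    echo "WebGate files installed in $cfg_dir; restart OHS to pick them up"
}

# Example run (paths are placeholders for this example):
#   install_webgate_files /home/oracle/cert /home/oracle/from_oam \
#       "$OHSINSTANCE/config/OHS/ohs4/webgate/config"
```

Doing the presence check before the copy matters because a WebGate started with a partial set of files fails in ways that look like a certificate problem; refusing up front keeps the old configuration in place until all six are ready.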
--Have fun.
When you configure OAM and WebGate communications in Cert mode, then when we access the link ("http") it should redirect to "https", right? Please confirm.
The communication between Webgate and OAM does not affect the communication between client and web server. It will continue to work the way it was configured.