Tuesday, October 18, 2016

OAM/EBS - Enable SSL in OAM 11g

Recently, I implemented SSL on OAM (Access Manager), which was integrated with an EBS 12.2 instance.
Although the documentation seems a little bit confusing, and although there are multiple ways of enabling SSL in OAM 11g, I preferred to accomplish it in the following way:

  • First, I created an Oracle wallet by sourcing the OAM environment file and using owm. (I prefer creating a wallet, because we are used to it.)
  • Then, I created a certificate request using the wallet I created. (I used the details that my customer delivered to me as inputs.)
  • After creating the certificate request, I exported it and sent it to the customer to get the server, root and intermediate (if available) certificates.
  • I imported the customer's certificates into the wallet once I got them. (Note that the certificate format should be Base64, X.509 format, .cer files.)
  • Later on, I converted the wallet to a JKS (Java keystore), as FMW uses JKS. Example: source the OAM env and run ->
    • $MW_HOME/oracle_common/bin/orapki wallet pkcs12_to_jks -wallet ./mywallet -pwd welcome1 -jksKeyStoreLoc ./mywalletK.jks -jksKeyStorepwd welcome1 -jksTrustStoreLoc ./mywallettrust.jks -jksTrustStorepwd welcome1
  • After that, I jumped into the WebLogic console and did all the SSL configuration needed there:
    • Select Environment->Servers and click on the OAM managed server
    • Then Select the Keystores tab
    • Select Keystore -> Change
    • Select Custom Identity and Custom Trust from the drop-down list and click Save
    • Enter the relevant information in the Keystores page:
    • Custom Identity Keystore : full path of the .jks file
    • Custom Identity Keystore Type : JKS (UPPERCASE)
    • Custom Identity Keystore Passphrase : welcome1
    • Confirm Custom Identity Keystore Passphrase : welcome1
    • Custom Trust Keystore : full path of the trust store .jks file
    • Custom Trust Keystore Type : JKS (UPPERCASE)
    • Custom Trust Keystore Passphrase : welcome1
    • Confirm Custom Trust Keystore Passphrase : welcome1
    • Click Save
    • After that, select the SSL tab and enter the following:
    • Private Key Alias : alias of the server cert, gathered using keytool from the JKS that was created earlier; it was orakey in my case
    • Private Key Password : welcome1
    • Confirm Private Key Password: welcome1
    • Click Save
    • Again, Select Environment -> Servers and click on the OAM managed server
    • Select the General tab
    • Check SSL Listen Port Enabled
    • Change SSL Listen Port according to your environment; in my case, 14443 (use netstat to ensure that it is free)
    • Click 'Save'
  • Then I opened the oamconsole using adminserver:adminport/oamconsole and did the OAM Server port change (OAM port - SSL port) and OAM Server host change (https) as documented in "https://docs.oracle.com/cd/E52734_01/oim/IDMIG/idm_ssl.htm#IDMIG32029", Section 4.2 Configuring SSL on Servers in the OAM Domain. Note that if you don't do that, EBS login will still be redirected to the non-SSL OAM login page.
  • Lastly, restart the OAM managed server and Admin Server (just in case; remember, it is the OAM Admin server that redirects to the OAM managed server during the EBS login)
  • You may need to reregister EBS using txkrun.pl, but it should be necessary. Just in case, keep that in mind.
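
A pre-flight check for the two values the steps above look up by hand: the Private Key Alias (from keytool output) and a free SSL Listen Port (from netstat output). This is an added example, not part of the original post; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the WebLogic Keystores/SSL/General tabs.
# Function names and the sample data below are constructed for illustration.

# Constructed sample of non-verbose `keytool -list` output.
SAMPLE_KEYTOOL='Keystore type: JKS
Your keystore contains 2 entries

orakey, Oct 18, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC (constructed)
rootca, Oct 18, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): DD:EE:FF (constructed)'

# Constructed sample of `netstat -an` output (Linux layout).
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:14100    0.0.0.0:*        LISTEN
tcp   0   0 10.0.0.5:41443   10.0.0.9:1521    ESTABLISHED
tcp6  0   0 :::7001          :::*             LISTEN'

# Read `keytool -list` output on stdin; print aliases that hold a private key.
# Only such an alias is valid as "Private Key Alias" on the SSL tab.
private_key_aliases() {
    sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*$/\1/p'
}

# Read `netstat -an` output on stdin; succeed if the TCP port is listening.
port_is_listening() {
    grep -Eq "[.:]$1[[:space:]].*LISTEN"
}

# Usage: script <identity.jks> <ssl-port>; keytool prompts for the password.
main() {
    echo "Private key aliases in $1:"
    keytool -list -keystore "$1" | private_key_aliases
    if netstat -an | port_is_listening "$2"; then
        echo "Port $2 is already in use; choose another SSL Listen Port" >&2
        return 1
    fi
    echo "Port $2 is free"
}

if [ "$#" -eq 2 ]; then
    main "$@"
else
    # No arguments: demonstrate the alias parser on the constructed sample.
    printf '%s\n' "$SAMPLE_KEYTOOL" | private_key_aliases
fi
```

Run it with the identity keystore and the intended port, for example `./mywalletK.jks 14443`, before filling in the console pages.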
