
Oracle Manager (OAM) Is it Possible To Have X509 Authentication Via An OHS Proxy (Doc ID 1375426.1)

Last updated on SEPTEMBER 13, 2023

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Goal

We are in the process of configuring an OAM X509 Authentication Scheme. Reading through the OAM 11g 11.1.1.5 Administration Guide, we noticed that OAM 11g has been significantly redesigned in this particular area.

According to the documentation, the only supported option is to have the web browser client connect directly to the OAM Access Server Managed Server which will be configured for 2-way SSL, having the OAM Access Server Managed Server prompt the user for their certificate.

From a technical aspect this is ok for us, but we suspect our government security officer will not find this solution acceptable, since it does not traverse through a secure proxy server.

In the OAM 10g product you could configure a reverse proxy server to prompt the user for their certificate, and then the proxy server would transmit the certificate information to the OAM server on the back-end for authentication.

We do not see any information in the current documentation for OAM 11g that indicates if this approach is valid.

To further clarify...
There is no SSL termination in this scenario ... our F5 load balancer is passing the request straight through without terminating the SSL at the load balancer.
What we are looking to do is similar to what you would do with OAM 10g to do X509 Authentication.

The OHS Web Server would serve as a proxy. The OHS Web Server would have a virtual host configured on a specific port configured for 2-way SSL. When the user hits this port, the OHS Server would prompt the user for their certificate. Using configuration parameters in the Virtual Host (SSLOptions +ExportCertData), the proxy server would then set header variables containing the certificate and other information, which would then be sent to the "Credential Collector" (the WebGate in the case of OAM 10g). So basically the OHS proxy would prompt for the cert, validate it, and send the information back to OAM.

Questions:
==============
Is this functionality currently available in the OAM 11g product? If not, is this functionality planned for a future OAM 11g release?
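The OHS virtual host described above, written out as an added example (not configuration from this article or from Oracle); the wallet path, the header names, the backend URL and the CA file are assumptions to be replaced with site values, and it includes the header-stripping step a reviewer would want so that a client cannot supply its own copy of the certificate headers.

```apache
# Assumed example: OHS virtual host that performs 2-way SSL and forwards
# client certificate data to a back-end OAM server in request headers.
Listen 4443
<VirtualHost *:4443>
    ServerName  oam-proxy.example.com          # assumed hostname
    SSLEngine   on
    # OHS keeps its server certificate in an Oracle wallet (path assumed).
    SSLWallet   "${ORACLE_INSTANCE}/config/OHS/ohs1/keystores/mtls"

    # Require a client certificate; OHS rejects the handshake if the chain
    # does not validate against the trusted CAs held in the wallet.
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Export the PEM certificate (SSL_CLIENT_CERT) and the DN / serial
    # variables (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL).
    SSLOptions +ExportCertData +StdEnvVars

    # Never trust these headers from the browser: drop any inbound copy
    # first, then set them from the TLS layer only. Header names assumed.
    RequestHeader unset X-Client-Cert
    RequestHeader unset X-Client-Cert-DN
    RequestHeader unset X-Client-Cert-Issuer
    RequestHeader unset X-Client-Cert-Serial
    RequestHeader set   X-Client-Cert        "%{SSL_CLIENT_CERT}s"
    RequestHeader set   X-Client-Cert-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set   X-Client-Cert-Issuer "%{SSL_CLIENT_I_DN}s"
    RequestHeader set   X-Client-Cert-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # Forward to the back-end OAM server (URL assumed). The back-end must
    # accept these headers only from this proxy, e.g. by restricting its
    # listener to the proxy's address, otherwise anyone who can reach it
    # directly could present a forged certificate header.
    SSLProxyEngine on
    ProxyPass        /oam https://oam-backend.example.com:14101/oam
    ProxyPassReverse /oam https://oam-backend.example.com:14101/oam
</VirtualHost>
```

SSL_CLIENT_CERT is a multi-line PEM block, so the receiving side must either tolerate the embedded newlines or the proxy should pass only the DN and serial fields; which of these an OAM 11g credential collector accepts is exactly the question this article raises, and is not answered by the example.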


Solution




