OIF 11g: Questions about Maintenance and Expiry of Signing And Encryption Certificates

(Doc ID 1991933.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Identity Federation - Version and later
Information in this document applies to any platform.


Oracle Identity Federation (OIF) 11.1.1.x has been configured as Identity Provider (IdP) or Service Provider (SP).

OIF has been configured with signing and encryption certificates for messages sent to peer providers. OIF has also been configured to accept signed [and encrypted] messages from peer providers.

This document answers a few common questions about maintenance of the OIF and peer provider signing / encryption certificates.

1. How to renew the OIF signing and/or encryption certificates when they expire?

2. The certificate used by OIF used for signing/encrypting SAML assertions is soon to expire.

A renewed certificate has been obtained and imported into a JKS store.

Is there a way to make OIF work with either of the certificates i.e. both the old and the new one?

3. A new wallet/keystore has been configured in the OIF Security and Trust settings. The old wallet has not been removed.

It is expected to see both new and old encryption certificates in the OIF IdP metadata at http(s)://OIFHOSTNAME.DOMAIN:OIFPORT/fed/idp/metadata for <md:KeyDescriptor use="encryption">.

But only the new certificate is shown in the OIF metadata.

For <md:KeyDescriptor use="signing"> both old and new certificates are included.

Why is this?

4. A peer provider's signing and/or encryption certificate has expired. Will this cause OIF to generate errors or Single Sign-On (SSO) to fail?

5. If a peer provider signing or encryption certificate is soon to expire or has expired, will OIF provide a warning? Is there a way to monitor peer provider certificate expiration through OIF?

6. A peer provider has replaced an expiring or expired signing and/or encyption certificate. How to configure OIF with the new peer provider certificate(s)?

7. How to configure OIF to validate peer provider signing or encryption certificates before use?

8. Does OIF validate certificates using a Certificate Revocation List (CRL)? How?



Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms