How to Use OpenSSL to Configure a Certificate Authority to do OCSP Verification During OAM x509 Authentication
(Doc ID 2092201.1)
Last updated on MARCH 10, 2020
Applies to:Oracle Access Manager - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
Existing MOS note <note:1368211.1> is an excellent resource for configuring OAM for x509 authentication, however, it does not deal with certificate validation. This note will use many of the same concepts from note <note:1368211.1> but will add the configuration and verification of end-user certificates via an openssl OCSP server during the login process.
Additional updates to this note may be made in the future to address the use of multiple OCSP responders.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|Part 1 - Create CA, Generate Certificates, and Verify Certificate Status Within OCSP|
|Create the Certificate Authority (CA) and its Required Files|
|Create the OAM Server Certificate|
|Create the OAM Server and Trust Keystores|
|Create the OCSP Responder Signing Certificate|
|Create End-User Certificates|
|Start the OCSP Server|
|Verify the Status of the End-User Certificates from the Command-Line|
|Part 2 - Reconfigure OAM to do OCSP Certificate Validation|
|Import the OCSP and Root CA Certificates Into the Keystores|
|Reconfigure OAM to Enable OCSP Validation|
|Reconfigure OAM Authentication Modules to do OCSP Validation|
|Reconfigure the WebLogic Managed Server to use SSL mode|
|Restart the OAM and AdminServer Managed Servers|
|Part 3 - Import End-User Certificates into the Browser and Test|
|Import Certificates Into Browser|
|Authenticate With the "validcert" Certificate|
|Authenticate With the "revokedcert" Certificate|
|Part 4 - Troubleshooting|
|Some common error messages and potential resolution to the problems that may be encountered when setting up OCSP validation.|
|How to dump out the contents of a certificate|
|How to dump out the contents of a keystore|