How to Use OpenSSL to Configure a Certificate Authority to do OCSP Verification During OAM x509 Authentication (Doc ID 2092201.1)

Last updated on MAY 18, 2023

Applies to:

Oracle Access Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Goal

Existing MOS note <note:1368211.1> is an excellent resource for configuring OAM for x509 authentication; however, it does not deal with certificate validation. This note uses many of the same concepts from note <note:1368211.1> but adds the configuration and verification of end-user certificates via an OpenSSL OCSP server during the login process.

Additional updates to this note may be made in the future to address the use of multiple OCSP responders.

Solution


In this Document
Goal
Solution
 Part 1 - Create CA, Generate Certificates, and Verify Certificate Status Within OCSP
 Create the Certificate Authority (CA) and its Required Files
 Create the OAM Server Certificate
 Create the OAM Server and Trust Keystores
 Create the OCSP Responder Signing Certificate
 Create End-User Certificates
 Configuration Checkpoint
 Start the OCSP Server
 Verify the Status of the End-User Certificates from the Command-Line
 Part 2 - Reconfigure OAM to do OCSP Certificate Validation
 Import the OCSP and Root CA Certificates Into the Keystores
 Reconfigure OAM to Enable OCSP Validation 
 Reconfigure OAM Authentication Modules to do OCSP Validation
 Reconfigure the WebLogic Managed Server to use SSL mode
 Restart the OAM and AdminServer Managed Servers
 Part 3 - Import End-User Certificates into the Browser and Test
 Import Certificates Into Browser
 Authenticate With the "validcert" Certificate
 Authenticate With the "revokedcert" Certificate
 Part 4 - Troubleshooting
 Some common error messages and potential resolution to the problems that may be encountered when setting up OCSP validation.
 How to dump out the contents of a certificate
 How to dump out the contents of a keystore
References