Available Solutions To Address The Expiring (March 2024) Out Of The Box Certificates Used By Oracle Access Manager (OAM)
(Doc ID 2943611.1)
Last updated on AUGUST 10, 2023
Applies to:
Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.
Goal
This note concerns Oracle Access Manager (OAM) installations that use the Out of the Box CA Signing Certificate, which expires in March 2024. If no action is taken, service interruptions will occur.
The scope of this article is to provide the details needed to avoid this potential issue.
The following certificates are known to be affected by the upcoming March 2024 expiration date:

Certificate | Alias within the keystore | Expiration Date | Usage
OAM assertion certificate | assertion-cert, assertion-key | March 22, 2024 | Used to secure the identity propagation from the OAM WebGate to the WebLogic Server via OAM_IDENTITY_ASSERTION using the WLS OAMIdentityAsserter provider, and also to sign the identity assertions created in authN and authZ application domain policies.
OAM SIMPLE Mode CA certificate | oam.ca, oam.ca.sha256 | March 28, 2024 | Used for WebGate ➡ OAM server communication where the security mode is set to SIMPLE.
OAM SIMPLE Mode certificate | oam.simple.cert, oam.simple.cert.sha256 | March 22, 2024 | Used for WebGate ➡ OAM server communication where the security mode is set to SIMPLE.
AdminServer certificate | adminserver | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only).
OAM Server Root certificate | oam.server.cert | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only).
OAM Server certificate | oam_server1 | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only).
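As an added example (not part of this note or of any Oracle tooling), the script below reads keytool -list -v output from an OAM keystore and flags the out-of-the-box aliases from the table above that are expired or expiring within a chosen window. The embedded listing is a constructed sample; the keystore path and password that would feed keytool are assumptions left to the reader.

```python
import re
from datetime import date, datetime

# Out-of-the-box aliases from the table above (all expire in March 2024).
OOTB_ALIASES = {
    "assertion-cert", "assertion-key", "oam.ca", "oam.ca.sha256",
    "oam.simple.cert", "oam.simple.cert.sha256",
    "adminserver", "oam.server.cert", "oam_server1",
}

# Constructed sample of `keytool -list -v` output (not a real keystore dump);
# the validity dates mirror the table above, the third entry is a custom cert.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: oam.ca
Valid from: Fri Mar 28 10:00:00 UTC 2014 until: Thu Mar 28 10:00:00 UTC 2024

Alias name: assertion-cert
Certificate[1]:
Valid from: Sat Mar 22 10:00:00 UTC 2014 until: Fri Mar 22 10:00:00 UTC 2024

Alias name: my-own-cert
Certificate[1]:
Valid from: Tue Jan 10 09:00:00 UTC 2023 until: Mon Jan 10 09:00:00 UTC 2033
"""

def parse_keytool_listing(text):
    """Map alias -> 'not after' date, using only the entry's own (first) cert."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"Valid from:.*?until:\s*(.+)$", line)
        if m and alias and alias not in entries:
            # 'Thu Mar 28 10:00:00 UTC 2024' -> keep month, day, year only,
            # so weekday names and zone abbreviations never break parsing.
            _, mon, day, _, _, year = m.group(1).split()
            entries[alias] = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
    return entries

def expiring_ootb_aliases(text, today: date, within_days=180):
    """Out-of-the-box aliases expired or expiring within `within_days`, soonest first."""
    hits = []
    for alias, not_after in parse_keytool_listing(text).items():
        days_left = (not_after - today).days
        if alias in OOTB_ALIASES and days_left <= within_days:
            hits.append((alias, not_after, days_left))
    return sorted(hits, key=lambda hit: hit[1])
```

Feed it the output of keytool -list -v against the keystore holding these aliases; anything it returns should already be on a renewal plan, since SIMPLE Mode certificates cannot be regenerated.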
Components that make use of the above certificates, and will be affected:

Component | Certificate Usage
MDC | The primary and clone data centers use the ASDK for session retrieval via the agents created during MDC installation. If the ASDK uses SIMPLE Mode communication, the certificates are used for OAP/NAP communication.
WebGate_IDM Agent | Usually created during OAM/OIM integration by the idmConfigTool.sh and OIGOAMIntegration.sh scripts to create an agent that protects the various IDM consoles (such as /identity, /oamconsole, /oaa, etc.) as well as other IDM resources related to OAuth, Federation, etc. with an OAM WebGate.
This issue will affect the Oracle Access Manager (OAM) installations that use this Out of Box certificate.
SIMPLE Mode for Oracle Access Protocol (OAP) communication will be deprecated as of March 2024.
SIMPLE Mode certificates cannot be renewed or regenerated.
Affected Supported Versions: OAM 11.1.2.3.x, 12.2.1.3.x, and 12.2.1.4.x
Solution