
Available Solutions To Address The Expiring (March 2024) Out Of The Box Certificates Used By Oracle Access Manager (OAM) (Doc ID 2943611.1)

Last updated on FEBRUARY 21, 2024

Applies to:

Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Goal

Oracle Access Manager (OAM) installations that use the out-of-the-box CA signing certificate are affected by its expiry in March 2024. If no action is taken, interruptions in service will be experienced.

The scope of this article is to provide details to help avoid this potential issue.

| Certificate | Alias within the keystore | Expiration Date | Usage |
|---|---|---|---|
| OAM assertion certificate | assertion-cert, assertion-key | March 22, 2024 | Used to secure the identity propagation from the OAM WebGate to the WebLogic Server via OAM_IDENTITY_ASSERTION using the WLS OAMIdentityAsserter provider, and also to sign the identity assertions created in authN and authZ application domain policies. |
| OAM SIMPLE Mode CA certificate | oam.ca, oam.ca.sha256 | March 28, 2024 | Used for WebGate ➡ OAM server communication where the security mode is set to SIMPLE. |
| OAM SIMPLE Mode key | oam.simple.cert.keyalias, oam.simple.cert.keyalias.sha256 | March 22, 2024 | Used for WebGate ➡ OAM server communication where the security mode is set to SIMPLE. |
| OAM SIMPLE Mode certificate | oam.simple.cert, oam.simple.cert.sha256 | March 22, 2024 | Used for WebGate ➡ OAM server communication where the security mode is set to SIMPLE. |
| AdminServer certificate | adminserver | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only). |
| OAM Server Root certificate | oam.server.cert | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only). |
| OAM Server certificate | oam_server1 | March 22, 2024 | Unused - was reserved for future features that were never implemented (11g only). |
| Component | Certificate Usage |
|---|---|
| MDC | The primary and clone data centers use the ASDK for session retrieval via the agents created during MDC installation. If the ASDK uses SIMPLE Mode communication, then the certificates will be used for OAP/NAP communication. |
| WebGate_IDM Agent | Usually created during OAM/OIM integration by the idmConfigTool.sh and OIGOAMIntegration.sh scripts to create an agent that is used to protect the various IDM consoles (such as /identity, /oamconsole, /oaa, etc.) as well as other IDM resources related to OAuth, Federation, etc. with an OAM WebGate. |

This issue affects Oracle Access Manager (OAM) installations that use these out-of-the-box certificates.
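As an added example (not from the Oracle note) of the Identify step, a Python check that parses `keytool -list -v` output for the aliases in the table above and flags any already expired or expiring within a horizon; the keystore location ($DOMAIN_HOME/config/fmwconfig/.oamkeystore, JCEKS) and its password are assumptions the operator supplies, and the sample listing is constructed.

```python
import re, subprocess
from datetime import date, datetime
# Out-of-the-box aliases from the note's table (sha256 variants included).
OOTB_ALIASES = {
    "assertion-cert", "assertion-key", "oam.ca", "oam.ca.sha256",
    "oam.simple.cert.keyalias", "oam.simple.cert.keyalias.sha256",
    "oam.simple.cert", "oam.simple.cert.sha256",
    "adminserver", "oam.server.cert", "oam_server1",
}
ALIAS_RE = re.compile(r"^Alias name:\s*(\S+)")
# keytool prints "until: Thu Mar 28 00:00:00 UTC 2024" (English locale assumed).
UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3}) (\d{1,2}) [\d:]{8} \S+ (\d{4})")

def parse_keytool_listing(text):
    """Map alias -> expiry of its entity cert (first 'until:' after the alias; keytool prints chains entity-first)."""
    expiry, alias = {}, None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.search(line)
        if m and alias and alias not in expiry:
            expiry[alias] = datetime.strptime(" ".join(m.groups()), "%b %d %Y").date()
    return expiry

def expiring_ootb_aliases(expiry, today, horizon_days=90):
    """OOTB aliases already expired or expiring within horizon_days, soonest first."""
    hits = [(a, d) for a, d in expiry.items()
            if a in OOTB_ALIASES and (d - today).days <= horizon_days]
    return sorted(hits, key=lambda h: h[1])

def check_keystore(path, storepass, today=None):
    # Assumed location: $DOMAIN_HOME/config/fmwconfig/.oamkeystore (JCEKS); password supplied by the operator.
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storetype", "JCEKS", "-storepass", storepass]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return expiring_ootb_aliases(parse_keytool_listing(out), today or date.today())
# Constructed sample of keytool output for offline use; not real OAM data.
SAMPLE_LISTING = """\
Alias name: oam.ca
Valid from: Wed Mar 28 00:00:00 UTC 2012 until: Thu Mar 28 00:00:00 UTC 2024
Alias name: oam.simple.cert.keyalias
Certificate[1]:
Valid from: Thu Mar 22 00:00:00 UTC 2012 until: Fri Mar 22 00:00:00 UTC 2024
Certificate[2]:
Valid from: Wed Mar 28 00:00:00 UTC 2012 until: Thu Mar 28 00:00:00 UTC 2024
Alias name: customer-cert
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034
"""
```

Run `check_keystore(path, password)` against a real keystore, or `expiring_ootb_aliases(parse_keytool_listing(SAMPLE_LISTING), date(2024, 2, 21))` to see the two SIMPLE-mode entries flagged while the customer's own certificate is ignored.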


Solution



In this Document
Goal
Solution
 I. Identify
 II. Remediation
 Oracle Access Manager (OAM) Server To WebGate Communication
 Option A - High-Level Steps To Configure OAP over REST
 Option B - High-Level Steps SIMPLE Mode to CERT mode
 Option C - High-Level Steps If Already in CERT Mode
 Option D - High-Level Steps SIMPLE Mode to OPEN mode
 Multi Data Center (MDC) SIMPLE Mode Communication
 Configuring MDC to use the CERT Communication Mode
 Oracle Identity Governance (OIG) Integration With Oracle Access Manager (OAM) SIMPLE Mode Communication
 Access Software Developers Kit (ASDK) Custom Code Using SIMPLE Mode Communication
 OAM Identity Asserter
 Support Provided Script
 Coherence
References
