
Configuring OAM 11g server in CERT mode

Contents
Introduction
Configuration of server for CERT mode
  Retrieving the password of .oamkeystore
  Importing the PEM certificates
  Generating the private key using JDK keytool
Configuration of agent in CERT mode

Introduction
This document describes the steps required to configure an agent in CERT mode
with an OAM 11g server, using PEM certificates.

Configuration of server for CERT mode

The SSL certificates used in CERT mode must be imported into the JCEKS keystore
of the OAM 11g server. This keystore is at
$WLS_OAM_DOMAIN_HOME/config/fmwconfig/.oamkeystore, and you will need its
password before anything can be imported into it. ($WLS_OAM_DOMAIN_HOME is the
WLS domain directory where the OAM Admin Server is installed.)
Retrieving the password of .oamkeystore
1. Ensure that the Admin Server is up.
2. Navigate to the directory $ORACLE_IDM/common/bin ($ORACLE_IDM is the OAM
   11g installation base directory).
3. Execute wlst.sh.
4. In the WLST shell, enter the command connect(). You will be prompted for
   the Admin Server host, port and credentials.
5. After successfully connecting to the Admin Server, enter the command
   domainRuntime().
6. Then enter the command listCred(map="OAM_STORE",key="jks").
   The password of .oamkeystore is printed. Note this password; it is
   required to import the certificates.
Importing the PEM certificates
If you already have certificates signed by your CA in PEM format, use the
importcert tool shipped with OAM 11g. The tool is at
$ORACLE_IDM/oam/server/tools. Unzip importcert.zip; the bundled README file
gives instructions for importing the certificates into the keystore.

Once the certificates are imported, specify the Keystore Alias and the
Keystore Alias Password (both chosen in the step above) in the OAM Proxy
section of the global properties in the OAM 11g Admin Console (double-click
the server instance and open the OAM Proxy tab).
Restart the OAM server.

Generating the private key using JDK keytool

You can generate the private/public key pair and have it signed by your CA
using the keytool bundled with the JDK. The steps below use the JDK 6 syntax;
refer to the keytool documentation for your JDK version.
1. Retrieve the .oamkeystore password as described above.
2. Trust the CA certificate of the client in the server keystore:
   keytool -importcert -alias {alias_name} -file {CA certificate file} -trustcacerts -keypass {alias_password} -storepass {.oamkeystore password} -keystore {.oamkeystore file path} -storetype "JCEKS"
3. Generate a key pair in the keystore:
   keytool -genkeypair -dname "cn=user_name, ou=organizationalunit, c=country" -alias {private_key_aliasname} -keypass {private_key_aliaspassword} -keystore {.oamkeystore file path} -storepass {.oamkeystore password} -validity 180 -keyalg RSA -sigalg SHA1withRSA -storetype "JCEKS"
4. Create a certificate request:
   keytool -certreq -alias {private_key_aliasname} -file certreq.csr -keystore {.oamkeystore file path} -keypass {private_key_aliaspassword} -storepass {.oamkeystore password} -storetype "JCEKS"
5. Send the certificate request to the CA. After receiving the CA-signed
   certificate, import it into .oamkeystore ({key_aliasname} and
   {key_aliaspassword} are the alias and password of the key pair created in
   step 3):
   keytool -importcert -file {CA signed certificate} -alias {key_aliasname} -keypass {key_aliaspassword} -storepass {.oamkeystore password} -keystore {.oamkeystore file path} -storetype "JCEKS"
6. Specify the Ssl Server Certificate Alias (key_aliasname above) and the Ssl
   Server Certificate Passphrase (key_aliaspassword above) in the OAM Proxy
   section of System Configuration in the OAM 11g Admin Console. To do this,
   select CERT mode in the OAM Proxy section.
7. Restart the OAM server.
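Added example, not part of the OAM document: a shell rehearsal of the keytool steps above against a scratch JCEKS keystore. A throwaway CA built with keytool -gencert (JDK 7 and later) stands in for "send the certificate request to CA", so the whole sequence runs offline before the real .oamkeystore is touched; all paths, aliases and passwords are constructed, and SHA256withRSA replaces the JDK 6-era SHA1withRSA.

```shell
#!/bin/sh
# Added example, not part of the OAM document: rehearses the keytool steps above
# end to end against a scratch JCEKS keystore. A throwaway CA made with keytool
# -gencert stands in for "send the certificate request to CA", so the whole flow
# runs offline before the real .oamkeystore is touched. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STORE="$WORK/oamkeystore.jceks"        # stand-in for $WLS_OAM_DOMAIN_HOME/config/fmwconfig/.oamkeystore
STOREPASS="store-pass-from-listCred"   # constructed; the real one comes from listCred(map="OAM_STORE",key="jks")
KEYALIAS="oamserver"                   # becomes the "Ssl Server Certificate Alias"
KEYPASS="key-alias-pass"               # becomes the "Ssl Server Certificate Passphrase"
CA_STORE="$WORK/testca.keystore"
CA_PASS="ca-pass"

# Test-only CA: self-signed key pair with CA basic constraints, exported as PEM.
make_test_ca() {
  keytool -genkeypair -alias testca -dname "cn=Test CA, ou=lab, c=US" -keyalg RSA \
    -keysize 2048 -sigalg SHA256withRSA -validity 365 -ext bc:c \
    -keystore "$CA_STORE" -storepass "$CA_PASS" -keypass "$CA_PASS" 2>/dev/null
  keytool -exportcert -rfc -alias testca -keystore "$CA_STORE" -storepass "$CA_PASS" \
    2>/dev/null > "$WORK/ca.pem"
}

# The document's sequence: trust the CA cert, generate the key pair, write the CSR,
# have it signed, then import the signed certificate under the same key alias.
# SHA256withRSA replaces the page's JDK6-era SHA1withRSA, which current JDKs flag as weak.
provision_server_cert() {
  keytool -importcert -noprompt -alias testca -file "$WORK/ca.pem" -keystore "$STORE" \
    -storepass "$STOREPASS" -storetype JCEKS 2>/dev/null
  keytool -genkeypair -dname "cn=oam.example.test, ou=iam, c=US" -alias "$KEYALIAS" \
    -keypass "$KEYPASS" -keystore "$STORE" -storepass "$STOREPASS" -validity 180 \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype JCEKS 2>/dev/null
  keytool -certreq -alias "$KEYALIAS" -file "$WORK/certreq.csr" -keystore "$STORE" \
    -keypass "$KEYPASS" -storepass "$STOREPASS" -storetype JCEKS 2>/dev/null
  keytool -gencert -rfc -alias testca -infile "$WORK/certreq.csr" -outfile "$WORK/signed.pem" \
    -validity 180 -keystore "$CA_STORE" -storepass "$CA_PASS" -keypass "$CA_PASS" 2>/dev/null
  keytool -importcert -noprompt -file "$WORK/signed.pem" -alias "$KEYALIAS" -keypass "$KEYPASS" \
    -storepass "$STOREPASS" -keystore "$STORE" -storetype JCEKS 2>/dev/null
}

# Check worth running before the Admin Console step: the key alias must now carry
# a chain of length 2 (server certificate plus CA), i.e. the self-signed cert was replaced.
chain_length() {
  keytool -list -v -alias "$KEYALIAS" -keystore "$STORE" -storepass "$STOREPASS" \
    -storetype JCEKS 2>/dev/null | sed -n 's/^Certificate chain length: //p'
}
```

Against the real store, point STORE at .oamkeystore, set STOREPASS to the listCred output, skip make_test_ca and send certreq.csr to your CA instead of calling keytool -gencert.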

Configuration of agent in CERT mode

(This section will be changed.)
When registering the agent using the RREG tool or from the Admin Console,
specify the agent mode as CERT. If an existing agent needs to migrate to CERT
mode, update the agent's mode through the Admin Console.
Install the PEM certificates using the configureWebGate tool. The utility is at
WebGate_install_dir/access/oblix/tools/configureWebGate. Run configureWebGate
without any parameters to list the supported parameters. Use the command below
to launch the tool:
configureWebGate.exe -i {WebGate_install_dir/access} -t WebGate
Enter mode 3 (CERT). You will then be prompted either to request a certificate
or to install existing certificates: select option 1 to create a new
certificate request, or option 2 to install existing certificates. The tool
prompts for the details needed to generate the request or install the
certificates: the agent ID, password, OAM proxy host, port and the path of the
existing certificates. The WebGate passphrase you specify is the password used
to encrypt the WebGate's private key (it can be any string).
Restart the agent.
