
Wednesday, February 9, 2011

Certificate X509 Authentication in OAM 11g

From Brian: I'm adding this excellent post by Matt to our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

Continuing on the OAM 11g theme, here's an overview of setting up X.509 Authentication in OAM 11g and contrasting it to OAM 10g.

OAM 11g, as you already know, is hosted on WebLogic. The credential collection modules are also on the app tier, which is a departure from the OAM 10g model, where credentials are collected at the web tier. This essentially means that in 11g you have to configure the OAM managed server to prompt for client certificates to perform OAM authentication, whereas in 10g you had to configure the web server to prompt for the certs. I'll give you a quick overview of how this is done. I'm going to assume some level of understanding of creating the JKS and having certificates issued.

If you are still using the Demo Identity and Trust stores, I recommend creating your own "Custom" stores. I used OpenSSL to create a Certificate Authority (CA), from which I issued a server cert for the WebLogic server with the FQDN of the server as the CN. I also issued a couple of client certificates to represent the end users. In the WebLogic console of the IAM domain, edit the settings of oam_server1 (assuming you kept the default naming) to use the JKS of the domain for identity and trust.
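As an added example (not from the original post), here is an OpenSSL sequence that produces the pieces described above: a demo CA, a server cert whose CN is the managed server's FQDN, and a couple of client certs, plus a chain check against the CA. The hostname oam.example.com, the user names and the output directory are placeholders; the server key and cert are bundled as PKCS12 so keytool -importkeystore can load them into the domain JKS.

```shell
#!/bin/sh
# Added example: minimal OpenSSL CA for an OAM 11g X.509 test setup.
# FQDN, user names and paths below are assumed placeholders.
set -e

make_test_pki() {
  dir=${1:-./x509-demo}          # output directory (placeholder)
  fqdn=${2:-oam.example.com}     # FQDN of oam_server1 (placeholder)
  mkdir -p "$dir"

  # 1. Self-signed CA. The browser must trust this cert, and it must be in the
  #    WebLogic trust store so presented client certs chain to a known issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Demo OAM CA/O=Example" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server cert: CN is the FQDN browsers use to reach the managed server,
  #    so hostname verification (if left enabled) matches.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$dir/server.crt" 2>/dev/null

  # 3. Client certs for test users; the CN (or another cert attribute) is what
  #    the OAM X509 module maps to an LDAP attribute.
  for user in alice bob; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user/O=Example" \
      -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
      -out "$dir/$user.crt" 2>/dev/null
    # PKCS12 bundle for the browser's personal certificate store
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
      -certfile "$dir/ca.crt" -name "$user" -passout pass:changeit \
      -out "$dir/$user.p12"
  done

  # 4. Server identity as PKCS12; import into the domain JKS with
  #    keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 ...
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -name "$fqdn" -passout pass:changeit \
    -out "$dir/server.p12"
}

# Chain check: exit status 0 only if the cert in $2 was issued by the demo CA in $1
verify_against_ca() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
```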

In the SSL tab, I like to disable the Hostname Verification module. The important part is setting Two-Way SSL to "Client Certs Requested but not Enforced".

Restart oam_server1 to have these changes take effect.

Now browse to your OAM Console and, under Authentication Modules, create the mapping of the certificate attribute to the LDAP attribute. I disabled cert validation and put in a dummy OCSP URL to satisfy the application's check for a valid URL.


Now you can use the existing X509Auth Scheme (as is) in authentication policies. Import the CA cert into your trusted authority store on your browser and your client certs in your personal store and test away. You can come into the app over HTTP. You'll be redirected to the HTTPS port of the credential collector and then back to HTTP.

The thing I question about this implementation is having to go directly to the app tier for credential collection. Many customers don't want this tier exposed to the outside. Another concern is that once you turn on the certs-optional setting, you get the cert prompt even if you're doing username/password authentication.