In today's post I am going to cover an issue I encountered recently with Oracle Access Manager 11g and a WebGate 10g in SIMPLE mode, configured with OHS 11g.
First, for those who are new to OAM: Oracle Access Manager (OAM) is Oracle's recommended Single Sign-On (SSO) solution, and WebGate is an agent that acts as the Policy Enforcement Point (PEP) and is installed with the web server (OHS, IHS, IIS, etc.). To know more about OAM 11g and its components, you can check my book at Amazon.
- WebGate communicates directly with the OAM server's proxy port (5575) in OAM 11g (or with the Access System in OAM 10g) using the Oracle Access Protocol (OAP).
- WebGate communicates with the OAM server in one of three modes:
a) OPEN – Communication between WebGate and OAM is in clear text
b) SIMPLE – Communication between WebGate and OAM is secured (SSL) using Oracle-signed certificates
c) CERT – Communication between WebGate and OAM is secured (SSL) using certificates from a recognised certificate authority (like VeriSign)
To change the OAM/WebGate communication mode, check my post here.
When WebGate is installed and configured in SIMPLE or CERT mode, the certificates for SSL communication between WebGate and OAM 11g (OAP over SSL) are generated and stored on the OAM server (at $DOMAIN_HOME/output/[WebGate_ID]) and on the web server (at $WEBGATE_HOME/oblix/config/simple/aaa_cert.pem and aaa_key.pem).
- If your WebGate is 10g and the mode is SIMPLE, the certificate on the WebGate side is valid for just 1 year.
- To view the certificate validity on the WebGate side, open aaa_cert.pem (you can change the extension to .cer and open it on Windows to see the "valid to" date).
- During WebGate configuration this certificate is generated using the configuration files $WEBGATE_HOME/oblix/tools/openssl/openssl.cnf and openssl_silent.cnf, whose default_days = 365 setting defines the validity period as 1 year.
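A check I would run on the OHS host to catch this before the handshake starts failing, as an added example that is not part of the original post: it uses the openssl CLI's -checkend option against the aaa_cert.pem path described above (the function name, the exit codes and the 30-day default warning window are my own choices, and an openssl binary is assumed to be on the PATH).

```shell
#!/bin/sh
# Added example, not from the original post: warn before the 10g WebGate SIMPLE-mode
# certificate (valid 365 days per openssl_silent.cnf) expires and the OAP handshake fails.
# Assumes the WebGate layout described above ($WEBGATE_HOME/oblix/config/simple/aaa_cert.pem)
# and an openssl binary on the PATH (WebGate ships one under $WEBGATE_HOME/oblix/tools/openssl).
#
# check_webgate_cert [cert_file] [warn_days]
#   exit 0 = OK, 1 = already expired, 2 = file unreadable, 3 = expires within warn_days
check_webgate_cert() {
    cert="${1:-${WEBGATE_HOME:?set WEBGATE_HOME or pass the certificate path}/oblix/config/simple/aaa_cert.pem}"
    warn_days="${2:-30}"
    if [ ! -r "$cert" ]; then
        echo "ERROR: cannot read $cert" >&2
        return 2
    fi
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $cert expired on $not_after; expect 'Oracle AccessGate API is not initialized' on OHS"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "WARNING: $cert expires within $warn_days days (on $not_after); re-run configureWebGate"
        return 3
    fi
    echo "OK: $cert valid until $not_after"
    return 0
}
```

Run it from cron on each OHS host; a non-zero exit is the signal to schedule the configureWebGate re-run described in the fix below.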
The OHS host reported the following message:
_________
Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526#01116568#011ACCESS_GATE#011FATAL#0110x0000181C#011/scratch/alnguyen/Oblix/10143hf/palantir/webgate2/src/apache2entry_web_gate.cpp:434#011“Oracle AccessGate API is not initialized.”#011raw_code^204#011
________
Note: This error is generic and means that, for some reason, WebGate is unable to initialize against the OAM server.
In the OAM logs ($DOMAIN_HOME/servers/[OAM_SERVER]/logs) I noticed messages like:
______
29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c clientResponse: ef1560bd753f98a4e164440960852573
______
I then looked at the SSL certificates on the WebGate side and noticed the certificate had expired.
Fix: You can regenerate the SSL certificates for a WebGate in SIMPLE mode by re-configuring the WebGate ($WEBGATE_HOME/oblix/tools/configureWebGate/configureWebGate -i [WebGate_Install_Dir] -t WebGate). More on re-configuring a 10g WebGate here.
Note: During WebGate configuration you will be prompted for the WebGate password (if the WebGate is password protected) and the Global Passphrase.
- If you don't remember the WebGate password, you can reset it from the OAM console (/oamconsole).
- If you don't remember the Global Passphrase, you can retrieve it by running the WLST command displaySimpleModeGlobalPassphrase().
Note: If your OAM server is using JDK 1.6.24+ (higher than JDK 1.6.24), there is a bug in SSL certificate generation in SIMPLE mode which is fixed in WebGate 10.1.4.3 BP11A or higher (apply the latest WebGate Bundle Patch for 10.1.4.3, i.e. BP13, patch 17231077).
To find out your WebGate version click here, and to apply patches in OAM (including WebGate) click here.
References/Related
- Configuration of Webgate 10g with OAM 11g Server Fails For SIMPLE Communication Mode (Doc ID 1453208.1)
- Password.xml missing
- ORABOT certificate expired
- Why OAM will fail in 2010