
Thursday, September 13, 2018

OpenAM SAML configuration error "Missing signature algorithm"


ERROR: QuerySignatureUtil.verify: Null SigAlg query parameter.
libSAML2:07/05/2018 06:38:12:713 PM EDT: Thread[http-bio-127.0.0.1-8443-exec-3,5,main]: TransactionId[c6d8f6a3-a9e1-4820-a30b-38350fc47d11-51806]
ERROR: UtilProxySAMLAuthenticator.authenticate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Missing signature algorithm.

When coding, make sure of the following.

Build the AuthnRequest redirect URL so that the signature covers all three parameters (SAMLRequest, RelayState and SigAlg) concatenated in that order, and only then sign the result:


import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.security.PrivateKey;

// Builds the signed HTTP-Redirect URL. The sigAlg URI passed in must name the same
// algorithm as the JCA name used below (rsa-sha1 for SHA1withRSA). Base64 here is the
// iHarder-style helper bundled with OpenSSO/OpenAM, not java.util.Base64.
String buildSignedRedirectUrl(String idpUrlREDIRECT, String encodedRequestMessage,
                              String relayURL, String sigAlg, PrivateKey privateKey) throws Exception {
    // The signature covers exactly these three URL-encoded parameters, in this order.
    String authnrequest = "SAMLRequest=" + encodedRequestMessage
            + "&RelayState=" + URLEncoder.encode(relayURL, "UTF-8")
            + "&SigAlg=" + URLEncoder.encode(sigAlg, "UTF-8");
    java.security.Signature signature = java.security.Signature.getInstance("SHA1withRSA");
    signature.initSign(privateKey);
    signature.update(authnrequest.getBytes(Charset.forName("UTF-8")));
    byte[] signatureByteArray = signature.sign();

    // Single-line Base64, then URL-encode it: '+', '/' and '=' are not query-safe.
    String signatureBase64encodedString = Base64.encodeBytes(signatureByteArray, Base64.DONT_BREAK_LINES);
    return idpUrlREDIRECT + "?"
            + authnrequest
            + "&Signature="
            + URLEncoder.encode(signatureBase64encodedString, "UTF-8");
}
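The SP-side signing and the IdP-side verification together, as an added example (Java 11+; not code from this post or from OpenAM). It uses SHA256withRSA with the matching SigAlg URI rather than the SHA1withRSA of the snippet above, generates a throwaway RSA key pair, and shows that a RelayState altered after signing or a stripped SigAlg makes verification fail, which is the condition behind the "Null SigAlg query parameter" error in the log; the class and method names are my own.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.zip.Deflater;

public class SamlRedirectSignature {
    // SigAlg URIs accepted on the query string, mapped to the JCA algorithm they imply.
    static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final Map<String, String> ALLOWED_SIGALG = Map.of(
            RSA_SHA256_URI, "SHA256withRSA",
            "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA");

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    static String dec(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then Base64.
    static String deflateBase64(String xml) {
        Deflater d = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        d.setInput(xml.getBytes(StandardCharsets.UTF_8));
        d.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!d.finished()) out.write(buf, 0, d.deflate(buf));
        d.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    // SP side: the signed input is SAMLRequest, RelayState and SigAlg, URL-encoded, in that order.
    static String buildSignedQuery(String authnRequestXml, String relayState, PrivateKey key) throws Exception {
        String signedPart = "SAMLRequest=" + enc(deflateBase64(authnRequestXml))
                + "&RelayState=" + enc(relayState)
                + "&SigAlg=" + enc(RSA_SHA256_URI);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signedPart.getBytes(StandardCharsets.UTF_8));
        return signedPart + "&Signature=" + enc(Base64.getEncoder().encodeToString(sig.sign()));
    }

    // IdP side: rebuild the signed bytes from the parameters exactly as received (still
    // URL-encoded). Decoding and re-encoding could produce different bytes than the SP signed.
    static boolean verifySignedQuery(String query, PublicKey pub) throws Exception {
        Map<String, String> raw = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) raw.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        String sigAlg = raw.get("SigAlg");
        String signature = raw.get("Signature");
        if (!raw.containsKey("SAMLRequest") || sigAlg == null || signature == null) {
            return false; // a missing SigAlg is what OpenAM logs as "Missing signature algorithm"
        }
        String jcaName = ALLOWED_SIGALG.get(dec(sigAlg));
        if (jcaName == null) {
            return false; // reject unknown or disallowed algorithms before using the key
        }
        StringBuilder signedPart = new StringBuilder("SAMLRequest=").append(raw.get("SAMLRequest"));
        if (raw.containsKey("RelayState")) {
            signedPart.append("&RelayState=").append(raw.get("RelayState"));
        }
        signedPart.append("&SigAlg=").append(sigAlg);
        Signature sig = Signature.getInstance(jcaName);
        sig.initVerify(pub);
        sig.update(signedPart.toString().getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(dec(signature)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key pair, not an SP's real key
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_demo1\" Version=\"2.0\" IssueInstant=\"2018-09-05T15:15:48Z\"/>";
        String query = buildSignedQuery(xml, "https://sp.example.test/app?next=/home", kp.getPrivate());
        System.out.println("intact:    " + verifySignedQuery(query, kp.getPublic()));
        // RelayState changed after signing: the signed bytes no longer match.
        String tampered = query.replace("next%3D%2Fhome", "next%3D%2Fadmin");
        System.out.println("tampered:  " + verifySignedQuery(tampered, kp.getPublic()));
        // SigAlg stripped from the query: rejected before any signature check.
        String noSigAlg = query.replaceAll("&SigAlg=[^&]*", "");
        System.out.println("no SigAlg: " + verifySignedQuery(noSigAlg, kp.getPublic()));
    }
}
```

The verifier keys its algorithm choice on the received SigAlg only after checking it against an allowlist, so a request cannot steer it to an algorithm the IdP does not accept.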




The resulting AuthN request should look something like the following:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                   AssertionConsumerServiceURL="http://localhost:8084/DBAuthentication/samllogin"
                   Destination="https://ssoidp.lb.com:443/openam/SSORedirect/metaAlias/idp"
                   ID="ckimokpjjjongadnnkfbophokmmhdfhilckkknac"
                   IssueInstant="2018-09-05T15:15:48.936Z"
                   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                   ProviderName="http://localhost:8084/DBAuth/sp"
                   Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8084/DBAuth/sp</saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
 <samlp:RequestedAuthnContext Comparison="exact">
   <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>






Wednesday, September 5, 2018

OpenAM ERROR: IDPSSOFederate.doSSOFederate: Unable to get AuthnRequest from cache, sending error response



The cache is cleared every 10 minutes by default, but consider increasing this interval if you keep seeing the error above in the Federation debug log.

AM / OpenAM 13.x console: navigate to: Configure > Global Services > SAMLv2 Service Configuration > Cache cleanup interval and enter the number of seconds that you want the AuthnRequest to remain in the cache. Once this time elapses, the cache is cleared.



./ssoadm set-attr-defs -s sunFAMSAML2Configuration -t global -u [adminID] -f [passwordfile] -a CacheCleanupInterval=[seconds]

OpenAM mod_auth_mellon multi-domain, multi-server Apache setup


The Apache Server document could be updated to clarify a few things with regards to load balanced web sites and multiple web virtual hosts.

For load-balanced sites that use host-specific key/certificate pairs, there needs to be a metadata file for each web server, each with a unique EntityID, because the certificates differ.

For web servers hosting multiple vhosts, a single global mellon.conf doesn't work for all of the sites. Each vhost that needs SAML auth needs its own mellon.conf that specifies the site-specific MellonSPMetadataFile and endpoint URL.

My setup:
Load Balanced Web Servers
web1-co-dmz
web2-co-dmz

Web Virtual Hosts, configured on each web server
vhost1.com
vhost2.com

Multi-Domain Certificate that includes both names. Each server has its own private key certificate pair.
For the EntityIDs I used the following:
entityID="https://vhost1.com_web1"
entityID="https://vhost1.com_web2"
entityID="https://vhost2.com_web1"
entityID="https://vhost2.com_web2"

I wound up creating two mellon.conf files in /etc/httpd/conf/saml2 on each web server.
web1-co-dmz:/etc/httpd/saml2/https_vhost2.com_web1.xml
web1-co-dmz:/etc/httpd/saml2/https_vhost1.com_web1.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost2.com_web2.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost1.com_web2.xml

I then added an Include to each web vhost configuration, example:
vhost1.v-vhost.conf: Include saml2/www_mellon.conf
vhost2.com-vhost.conf: Include saml2/data_mellon.conf

I hope that helps

Thursday, June 21, 2018

ForgeRock OpenAM bug when passing attributes to an SP

When an SP needs additional attributes and you add them to the SP metadata in the OpenAM console, all the existing attribute values get overwritten. To work around this, add every attribute the SP requires to the SP metadata configuration by following the steps below.

Go to the SP metadata, select "Assertion Processing" and add the required attributes to "Attribute Mapper", for example:

mail=mail
uid=uid

Thursday, April 5, 2018

SAML response Difference between IDP and SP initiated SSO

The differences between the two flows lie in the message each side sends and in the parameter that carries the operation state, listed below.

IdP Initiated SSO
An IdP Initiated SSO flow is a Federation SSO operation that was started from the IdP Security Domain, by the IdP Federation server creating a Federation SSO Response and redirecting the user to the SP with the response message and an optional operational state:

The Federation SSO Response varies depending on the protocol used:
SAML 2.0: SAMLResponse with Assertion
SAML 1.1: Response with Assertion
WS-Fed: Response with Assertion
OpenID 2.0: OpenID 2.0 Response

The optional operation state in this flow will convey the URL where the user should be redirected after the Federation SSO is complete at the SP. If missing, the SP will need to determine where the user should be redirected. This information is conveyed differently depending on the protocol:
SAML 2.0: RelayState parameter
SAML 1.1: TARGET parameter
WS-Fed: wctx parameter
OpenID 2.0: this protocol does not support IdP Initiated SSO flow.


SP Initiated SSO
An SP Initiated SSO flow is a Federation SSO operation that was started from the SP Security Domain, by the SP Federation server creating a Federation Authentication Request and redirecting the user to the IdP with the message and some short string representing the operation state:

The Federation Authentication Request varies depending on the protocol used:
SAML 2.0: AuthnRequest
SAML 1.1: a URL with a parameter representing the SP
WS-Fed: a URL with a wtrealm parameter representing the SP and other optional parameters
OpenID 2.0: OpenID 2.0 Request

The operation state (what the user was doing before the Federation SSO operation started) is conveyed in the message sent to the IdP with the user, not as the whole state, but instead as a pointer to the state in the SP Server's runtime storage. This information is conveyed differently depending on the protocol:
SAML 2.0: RelayState parameter
SAML 1.1: TARGET parameter
WS-Fed: wctx parameter
OpenID 2.0: openid.return_to parameter which is an SP URL where the user will be redirected after authentication at the IdP, which is generated at runtime by the SP, and as such can contain a query parameter referencing an operational state

Sunday, April 1, 2018

OpenDJ: Two Products in One (LDAP and HTTP/HTTPS REST-based)



OpenDJ is both a full-fledged LDAP / LDAPS server, AND an HTTP / HTTPS REST-based server. This is an important distinction, because each can be run separately, or in tandem.


The IAM stack can run both LDAP and HTTP/REST on the same server. It is possible to set up REST gateways and other more custom configurations to further separate the two.


Here's where it gets interesting:

REST is not enabled by default
REST uses its own logger and connection handler
REST uses its own separate configuration file
REST presents only a "window" of OpenDJ schema data

The last point is important. The REST interface exposes only a subset of the attribute data. In other words, it CAN respond to queries for all data available in the directory, but by default it does not, and it is not aware of custom schema extensions by default either.


When setting up OpenDJ, first get all DJ / LDAP components working correctly, then add HTTP support later. 

Why setting up the time service (NTP client) is important, and an alternative





In an IAM stack, time synchronization is a key component of a smooth service. Not configuring it can cause replication issues. To synchronize the IAM stack, the subnet router can be used as an alternative, configured as an NTP server.



openssl command to retrieve a server's public SSL certificate






To retrieve the public SSL certificate presented by a server, you can use a command similar to:
echo | openssl s_client -connect orasystemsusa.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

manual log rotation process



OS-level configuration to rotate log files.



Please find below the logrotate file for the web policy agents in PROD environment:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
    endscript
}

Increasing the Oracle Virtual Directory (OVD) heap size


Controlling the Maximum Heap Size Allocated to the Oracle Virtual Directory Server

The -Xmx parameter in the opmn.xml file controls the maximum heap size allocated to the Oracle Virtual Directory server. The default value is -Xmx256m. Edit this parameter as needed to increase or decrease the maximum heap size allocated to the Oracle Virtual Directory server. The opmn.xml file is located in the ORACLE_INSTANCE/config/OPMN/opmn/ directory.
The following example shows the -Xmx parameter set to -Xmx2048m, which allocates 2 GB of heap size to the Oracle Virtual Directory Server:

<ias-component id="OVD_COMPONENT_NAME">
   <process-type id="OVD" module-id="OVD">
      <module-data>
         <category id="start-options">
            <data id="java-options" value="-server -Xms512m -Xmx2048m -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml -Dvde.soTimeoutBackend=120"/>
            <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
         </category>
      </module-data>
      <stop timeout="120"/>
   </process-type>
</ias-component>

killing database sessions



-- List the foreground sessions of one user across all RAC instances (gv$ views).
select s.inst_id, s.sid, s.serial#, p.spid, s.username,
       s.schemaname, s.program, s.terminal, s.osuser
  from gv$session s
  join gv$process p
    on s.paddr = p.addr
   and s.inst_id = p.inst_id
 where s.type != 'BACKGROUND'
   and s.username = 'yourusername';

-- Kill a session by sid and serial#. On RAC, append the instance: 'sid,serial#,@inst_id'.
alter system kill session 'sid,serial#' immediate;

OAAM setting to allow more than 3 OTP passwords



login to OAAM console

click on Attribute

search for Rule "Maximum Devices Per User"

change Rule Status to "Disable".

Save the changes.

You should now be able to get more than 3 (the default) OTP passwords.

OAAM property to enable OTP

To enable registration and preferences:
  1. Log in to the OAAM Administration Console.
  2. In the Navigation pane, double-click Properties under the Environment node. The Properties Search page is displayed.
  3. Enter bharosa.uio.default.register.userinfo.enabled in the Name field and click Search.
  4. Click to select the property in the Search Results section, change the value to true, and click Save.
  5. Enter bharosa.uio.default.userpreferences.userinfo.enabled in the Name field and click Search.
  6. Click to select the property in the Search Results section, change the value to true, and click Save.

Changing the OAAM log level to TRACE:32

To increase the level, use the commands below:

wlst.sh
connect()
domainRuntime()
setLogLevel(target='oaam_server_server1',logger='oracle.oaam',level='TRACE:32',persist="0",addLogger=1)



To roll back:

wlst.sh
connect()
domainRuntime()
setLogLevel(target='oaam_server_server1',logger='oracle.oaam',level='TRACE:1',persist="0",addLogger=1)

Enforcing HSTS setting at OHS, Strict Transport Security (HSTS)

Add the line below to the ssl.conf file:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


Generating and signing a self-signed cert



Generating keys

You can generate a private/public key pair with the keytool command.
The following command creates an identity keystore (support.jks):

$JAVA_HOME/jre/bin/keytool -genkey \
  -alias support \
  -keyalg RSA \
  -keysize 1024 \
  -dname "CN=localhost, OU=Identity, O=Oracle Corporation,C=US" \
  -keypass weblogic1 \
  -keystore support.jks \
  -storepass KEYSTORE_PASSWORD


Signing the certificate

Use the following keytool command to self-sign the certificate you created (the key and store passwords must match the ones used above). Note that keytool in current JDKs warns that MD5withRSA and 1024-bit RSA keys are a security risk; prefer -sigalg SHA256withRSA and -keysize 2048 where you can.
$JAVA_HOME/jre/bin/keytool -selfcert -alias support \
  -sigalg MD5withRSA -validity 2000 -keypass weblogic1 \
  -keystore support.jks \
  -storepass KEYSTORE_PASSWORD


Generating a self-signed certificate with openssl and orapki


 openssl req -newkey rsa:2048 -nodes -keyout signcert.key -x509 -days 365 -out sign.cer


./orapki wallet create -wallet /tmp/wallet -auto_login

./orapki wallet display -wallet /tmp/wallet

 ./orapki wallet add -wallet /tmp/wallet -dn "CN=Gms Signing Certificate" -keysize 2048 -self_signed -validity 1825 -pwd Welcome1


keytool -list -keystore /path/to/certificate

keytool -exportcert -alias certificatename.cert -file /tmp/certfilename -storepass password


OIF Fedlet error Cannot run program "keytool": error=2, No such file or directory



$JAVA_HOME/java -classpath WEB-INF/lib/opensso-sharedlib.jar:WEB-INF/lib/openfedlib.jar:install/lib/configurefedlet.jar oracle.security.fed.fedlet.install.ConfigureFedlet

Error
Cannot run program "keytool": error=2, No such file or directory


Solution:
I have resolved this error by specifying

export JAVA_OPTS="-d64"

along with other commands to export JAVA_HOME and PATH


Changing the communication to SSL



 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"



Martin: to redirect the plain HTTP port to HTTPS:

NameVirtualHost *:7777
<VirtualHost *:7777>
    ServerName <servername>
    Redirect / https://<servername>:443/
</VirtualHost>


How to Configure HTTP Strict Transport Security (HSTS) for Oracle HTTP Server 11g?

APPLIES TO:

Oracle HTTP Server - Version 11.1.1.0.0 to 11.1.1.9.0 [Release Oracle11g]
Information in this document applies to any platform.
GOAL

How to configure HTTP Strict Transport Security (HSTS) for Oracle HTTP Server 11g?


SOLUTION

There is no official documentation from Oracle for this configuration, but you can add the parameters below to $INSTANCE_HOME/config/OHS/ohs1/ssl.conf.

1. Add the line below to the VirtualHost in the $INSTANCE_HOME/config/OHS/ohs1/ssl.conf file:

<VirtualHost IPaddress:sslport>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
2. Restart OHS.

3. To test whether HSTS has been configured, access OHS on the SSL port and capture the headers with the "Live HTTP Headers" extension in Chrome (the curl utility works too):

GET / HTTP/1.1
Host: examplehost.exampledomain.com:4443
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Language: en
Content-Length: 11028
Content-Type: text/html
Date: Tue, 16 Sep 2014 10:29:44 GMT
ETag: "1600000002481e-2b14-4fdc5d4d121b8"
Keep-Alive: timeout=5, max=100
Last-Modified: Wed, 09 Jul 2014 17:13:47 GMT
Server: Oracle-Application-Server-11g
Strict-Transport-Security: max-age=31536000; includeSubDomains
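A check that evaluates the header the way a browser does, as an added example (Java 17; not from the Oracle note). The three response samples are constructed, modelled on the capture above; the class and method names are my own.

```java
import java.util.Locale;
import java.util.Optional;

public class HstsCheck {

    record Hsts(long maxAge, boolean includeSubDomains, boolean preload) {}

    // Returns the Strict-Transport-Security value from raw response headers.
    // Header names are case-insensitive; the first line is the status line.
    static Optional<String> stsHeaderValue(String rawResponseHeaders) {
        for (String line : rawResponseHeaders.split("\r?\n")) {
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).trim().equalsIgnoreCase("Strict-Transport-Security")) {
                return Optional.of(line.substring(colon + 1).trim());
            }
        }
        return Optional.empty();
    }

    // Parses per RFC 6797: ';'-separated directives, case-insensitive names,
    // max-age mandatory and not repeated; unknown directives are ignored.
    static Optional<Hsts> parse(String value) {
        long maxAge = -1;
        boolean includeSubDomains = false, preload = false;
        for (String directive : value.split(";")) {
            String[] kv = directive.trim().split("=", 2);
            String name = kv[0].trim().toLowerCase(Locale.ROOT);
            switch (name) {
                case "max-age" -> {
                    if (kv.length < 2 || maxAge >= 0) {
                        return Optional.empty(); // no value, or repeated directive: invalid header
                    }
                    try {
                        maxAge = Long.parseLong(kv[1].trim().replace("\"", ""));
                    } catch (NumberFormatException e) {
                        return Optional.empty();
                    }
                }
                case "includesubdomains" -> includeSubDomains = true;
                case "preload" -> preload = true;
                default -> { }
            }
        }
        return maxAge >= 0 ? Optional.of(new Hsts(maxAge, includeSubDomains, preload)) : Optional.empty();
    }

    // Policy check: header present and well-formed, max-age at least minMaxAge, subdomains covered.
    static String assess(String rawResponseHeaders, long minMaxAge) {
        Optional<String> value = stsHeaderValue(rawResponseHeaders);
        if (value.isEmpty()) return "FAIL: no Strict-Transport-Security header";
        Optional<Hsts> parsed = parse(value.get());
        if (parsed.isEmpty()) return "FAIL: malformed header: " + value.get();
        Hsts h = parsed.get();
        if (h.maxAge() < minMaxAge) return "WARN: max-age " + h.maxAge() + " below " + minMaxAge;
        if (!h.includeSubDomains()) return "WARN: includeSubDomains not set";
        return "OK: max-age=" + h.maxAge() + (h.preload() ? ", preload" : "");
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the OHS capture above.
        String ohsResponse = String.join("\r\n",
                "HTTP/1.1 200 OK",
                "Server: Oracle-Application-Server-11g",
                "Strict-Transport-Security: max-age=31536000; includeSubDomains",
                "Content-Type: text/html");
        String noHsts = "HTTP/1.1 200 OK\r\nServer: Oracle-Application-Server-11g\r\n";
        String shortAge = "HTTP/1.1 200 OK\r\nstrict-transport-security: MAX-AGE=300\r\n";
        System.out.println(assess(ohsResponse, 31536000L));
        System.out.println(assess(noHsts, 31536000L));
        System.out.println(assess(shortAge, 31536000L));
    }
}
```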

How to Change password for OIM, MDS, SOAINFRA, OPSS, ORASDPM schema OIM 11g R2



The following procedure is from Oracle.

SOLUTION

A description of each of the above schemas can be found in the following document:
http://docs.oracle.com/cd/E27559_01/core.1112/e28516/meta.htm
The passwords for these schemas can be changed as follows.

  1. Stop all the Managed servers and Application Server.
  2. Take a back up of the entire domain and take the backup of the database.
  3. Start the Application Server
  4. Change the xxxx_OPSS user password.
    1. Execute the following to change the password for xxxx_OPSS:
    2. SQL> alter user xxxx_OPSS identified by <new_pwd_here>;
    3. SQL>commit;
    4. Invoke wlst (oracle_common\common\bin).
    5. Run "modifyBootStrapCredential". See Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1), Chapter 10 Managing the Credential Store, section 10.5.4 modifyBootStrapCredential:
       modifyBootStrapCredential(jpsConfigFile='<DOMAIN_NAME>/config/fmwconfig/jps-config.xml', username='<xxxx>_OPSS', password='newpassword')
  5. Run the setDomainenv.sh under the domain  bin folder ( ./setDomainEnv.sh)
  6. Invoke the following command:
    1.  bin/java weblogic.security.Encrypt
    2.  password: <newpassword>
    3. {AES}JHyrhOMB5hVRuDU/pV0qX86qz98ZV0xWXBSEAANA4Gs=
  7. Edit the <DOMAIN_NAME>\Config\jdbc\OPSSdbs.xml file:
  8. Replace the current encrypted password with the newly encrypted password value e.g.
       {AES}JHyrhOMB5hVRuDU/pV0qX86qz98ZV0xWXBSEAANA4Gs=
  9. Save the file.
  10. Login to Weblogic Console, Navigate to Services->Data Sources
  11. Click on opss-DBDS->Connection Pool and enter the new password set to xxxx_opss in step 4.2 Save
  12. Restart Application Server but do not start managed servers.
  13. Connect to the database with sqlplus as system user
      1. Execute the following to change the password of xxx_OIM:
      2. SQL> alter user xxx_OIM identified by <new_pwd_here>;
      3. SQL>commit;
      4. Execute the following to change the password for xxx_MDS:
      5. SQL> alter user xxx_MDS identified by <new_pwd_here>;
      6. SQL>commit;
      7. Execute the following to change the password for xxx_SOAINFRA:
      8. SQL> alter user xxx_SOAINFRA identified by <new_pwd_here>;
      9. SQL>commit;
      10. Execute the following to change the password for xxx_ORASDPM:
      11. SQL> alter user xxx_ORASDPM identified by <new_pwd_here>;
      12. SQL>commit;
  14. Check that the passwords have been changed, by trying to login to the database with sqlplus and the four users and the new passwords
  15. Open a browser and connect to WebLogic console
  16. Navigate to Services->Data Sources
    1. click on oimJMSStoreDS->Connection Pool and enter the new password set to xxx_OIM in step 13.2 above
    2. Click on oimOperationsDB->Connection Pool and enter the new password set to xxx_OIM in step 13.2 above
    3. Click on ApplicationDB->Connection Pool and enter the new password set to xxx_OIM in step 13.2 above
    4. Click on mds-oim->Connection Pool and enter the new password set to xxx_MDS in step 13.5 above
    5. Click on mds-owsm->Connection Pool and enter the new password set to xxx_MDS in step 13.5 above
    6. Click on mds-soa->Connection Pool and enter the new password set to xxx_MDS in step 13.5 above
    7. Click on EDNDataSource->Connection Pool and enter the new password set to xxx_SOAINFRA in step 13.8 above
    8. Click on EDNLocalTxDataSource->Connection Pool and enter the new password set to xxx_SOAINFRA in step 13.8 above
    9. Click on SOADataSource->Connection Pool and enter the new password set to xxx_SOAINFRA in step 13.8 above
    10. Click on SOALocalTxDataSource->Connection Pool and enter the new password set to xxx_SOAINFRA in step 13.8 above
    11. Click on OraSDPMDataSource->Connection Pool and enter the new password set to xxx_ORASDPM in step 13.11 above
  17.  Change OIMAuthenticationProvider configuration:
  18. In the WebLogic Administrative console, navigate to Security Realms, myrealm, and then Providers.
    1. Click OIMAuthenticationProvider
    2. Click Provider Specific.
    3. In the DBPassword field, enter the new Oracle Identity Manager database schema password
    4. Click Save to save the changes
  19. Change domain credential store configuration:
    1. Login to Enterprise Manager by using the following URL:
       http://ADMIN_SERVER:<PORT_NUMBER>/em
    2. Navigate to Weblogic Domain, and then DOMAIN_NAME.
    3. Right click, navigate to Security, Credentials, and then oim.
    4. Select OIMSchemaPassword, and click Edit.
  20. In the Password field, enter the new password, and click OK
  21. Restart the WLS AdminServer
  22. Start the SOA/OIM managed server 

orapki certificate display


orapki cert display -cert certificate_location [-summary|-complete]
  • The -cert parameter specifies the location of the certificate you want to display.
  • You can use either the -summary or the -complete parameter to display the following information:
    • -summary displays the certificate and its expiration date
    • -complete displays additional certificate information, including the serial number and public key

OIF generating self signed certificate How To Generate A Wallet Containing A Self Signed Certificate Using ORAPKI


The following note is from Oracle (Doc ID 560982.1).

SOLUTION

This self-signed certificate should be used for testing purposes only with Oracle Application Server (OAS 10.1.2 - 10.1.3)  or Fusion Middleware (FMW 11.1.1.X)

Before attempting this with ORAPKI for FMW 11.1.1.X or FMW 12.1.X, please read: Note 1218603.1 Understanding Wallets and Keystores in Fusion Middleware 11g/12c
  • Important: This is not a substitute for the Oracle Documentation or comprehensive orapki options. This provides sample commands using orapki to create a basic wallet and certificate. If you need advanced options such as SHA2 or higher keysize, ensure to add in the -sign_alg sha256 and/or -keysize 2048 parameters. See the Oracle Documentation for your version for options available on your version.


The steps below show how to create a Wallet, and a Self-Signed certificate using orapki:

1. Create the Wallet:

For OAS:
$ORACLE_HOME/bin/orapki wallet create -wallet <path_to_where_wallet_will_be_created> -pwd <wallet_pwd> -auto_login
For example:
$ORACLE_HOME/bin/orapki wallet create -wallet /oracle/app/product/oracle/russ/orapki/ -pwd Welcome1 -auto_login

For FMW:
Note the commands below show $MIDDLEWARE_HOME. $MIDDLEWARE_HOME should be used for FMW 11.1.X. If using FMW 12.1.X , use $ORACLE_HOME instead

To create a Password Protected Wallet(ewallet.p12 and cwallet.sso):
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet <path> -auto_login
For example:
>$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet /fmw11g/instances/webtier/wallet -auto_login
    Enter password: **********
    Enter password again: **********

To create an Auto-Login Wallet (cwallet.sso only):
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet <path> -auto_login_only
For example:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet create -wallet /fmw11g/instances/webtier/wallet -auto_login_only


This generates an Auto-Login Wallet in the desired location. It currently contains no user certificate.



2. Create a Self Signed Certificate:

For OAS:
$ORACLE_HOME/bin/orapki wallet add -wallet <path_to_where_wallet_was_created_above> -dn '<certificate_DN_you_require>' -keysize 1024 -self_signed -validity <days> -pwd <wallet_pwd>

For example:
$ORACLE_HOME/bin/orapki wallet add -wallet /oracle/app/product/oracle/russ/orapki/ -dn 'CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB' -keysize 1024 -self_signed -validity 365 -pwd Welcome1

For FMW:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet wallet_location -dn user_dn -keysize 512|1024|2048|4096 -self_signed [-pwd][-auto_login_only]
For example:
For a Password Protected Wallet:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet /fmw11g/instances/webtier/wallet -dn 'CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB' -keysize 1024 -self_signed -validity 365 -pwd Welcome1
For an Auto-Login Wallet:
$MIDDLEWARE_HOME/oracle_common/bin/orapki wallet add -wallet /fmw11g/instances/webtier/wallet -dn 'CN=server.uk.oracle.com, OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB' -keysize 1024 -self_signed -validity 365 -auto_login_only


Note: On Windows use double quotes for the -dn option i.e: -dn "CN=server.uk.oracle.com,
OU=Support, O=Oracle, L=Reading, ST=Berkshire, C=GB"

If you open the Wallet in Wallet Manager, you will see it says Certificate: Ready, and also contains the Trusted Certificate.

This Wallet is ready to use with Application Server or Fusion Middleware for testing purposes.


updating wallet password using wlst


  To change the password stored in the CSF, go to ORACLE_HOME/common/bin
  a. Run ./wlst.sh or wlst.cmd (based on the OS)
  b. Enter connect() to connect to weblogic Admin Server
  c. Run listCred(map="OIF", key="jcepwdsign"). This should print out the password already in the system
  d. Run
      updateCred(map="OIF",key="jcepwdsign",user="UniqueUserNameCredential",password="welcome1")
  e. Run
      updateCred(map="OIF",key="jcepwdenc",user="UniqueUserNameCredential",password="welcome1")
  f. Restart Managed Server


renewing OIF self signed certificate

Qn1:
The default certificate in your OIF environment is expiring. You would like to renew the certificate with a self signed certificate. What is the procedure?


Qn2:
How could you restore to the previous cert in case the cert renewal is failing?

SOLUTION

An1:
Instructions as below:

1. Follow this note to generate a new self signed wallet:
How To Generate A Wallet Containing A Self Signed Certificate Using ORAPKI (Doc ID 560982.1).

2. Once you have a new wallet, then follow the instruction below to update signing wallet:

8.3 Managing Signing and Encryption Wallets

3. Once updated in the OIF, 
An2:
Back up the entire configuration directory to be safe:
<Domain_Home>/config i.e. /refresh/home/Oracle/Middleware/user-projects/domains/IDMDomain/config

4. If OIF fails to start after the step 3, and you see following error message:
[HTTP:101216]Servlet: "spmanager" failed to preload on startup in Web application: "/fed".
java.lang.RuntimeException: The server could not initialize properly: oracle.security.fed.sec.util.KeySourceException: Invalid/unsupported key store or incorrect password. Please verify that the password is correct and the store is a valid PKCS#12 PFX wallet or Java KeyStore file.
This could be due to OIF issue if password is different between keystore and key. If you are sure that your keystore is valid, then issue is probably with the password.

  To change the password stored in the CSF, go to ORACLE_HOME/common/bin
  a. Run ./wlst.sh or wlst.cmd (based on the OS)
  b. Enter connect() to connect to weblogic Admin Server
  c. Run listCred(map="OIF", key="jcepwdsign"). This should print out the password already in the system
  d. Run
      updateCred(map="OIF",key="jcepwdsign",user="UniqueUserNameCredential",password="welcome1")
  e. Run
      updateCred(map="OIF",key="jcepwdenc",user="UniqueUserNameCredential",password="welcome1")
  f. Restart Managed Server

5. If the JKS file that you generated using keytool did not get updated, refer to Doc ID 1088993.1, which has a section on "How to create self-signed certificates and configure keystore".

6. After the new wallet has loaded successfully, you should get a confirmation for the wallet update. If not, you may be running into bug 9470286. See Doc ID 1099743.1 for the solution.

REFERENCES


NOTE:1088993.1 - WebLogic Server Support Pattern: Troubleshooting SSL Configuration and Node Manager Issues
NOTE:1099743.1 - Not Able To Update Wallet With OIF 11.1.1.0
NOTE:1420596.1 - OIF 11g : How To Renew Certificates for Oracle Identity Federation (OIF) 11g?
NOTE:560982.1 - How to Generate a Wallet Containing a Self Signed Certificate Using ORAPKI in Oracle Application Server and Fusion Middleware

OAM server and Admin Server: enabling TRACE:32 logging



OAM SERVER TRACE 32 INSTRUCTIONS

How to increase the logging for the {odl-handler} to Trace:32, which would then add more details in the {oam managed server}-diagnostic.log file.

To set this up
1) Run the /em console
2) Expand the Farm_base_domain
3) Expand Identity and Access
4) Expand OAM
5) Right click on oam_server
6) Click on Logs -> Log Configuration
7) On the Log Files tab, click on odl-handler to select it
8) Click Edit Configuration
9) Change the Logging Level to TRACE:32 //note the log level already set
10) Click OK
11) Click Close
12) On the Log Levels tab, click the triangle next to Root Logger to expand the list of loggers, then click the triangle next to "oracle", find both "oracle.oam" and "oracle.security" and use the pull down menu next to each one to change it to TRACE:32 (FINEST)
13) Click Apply
14) Click Yes
15) Click Close

16) Rename the OAM Server Diagnostic log so we get a clean log. i.e. rename oam_server1-diagnostic.log to oam_server1-diagnostic1.log
17) Restart the OAM Managed server and allow it to reach the Running state.
18) Set the Logging Level back to previous and apply


======================================================================

ADMIN SERVER TRACE 32 INSTRUCTIONS

How to increase the logging for the {odl-handler} to Trace:32, which would then add more details in the {admin server}-diagnostic.log file.

To set this up
1) Run the /em console
2) Expand the Farm_base_domain
3) Expand Weblogic Domain
4) Expand base_domain
5) Right click on AdminServer
6) Click on Logs -> Log Configuration
7) On the Log Files tab, click on odl-handler to select it
8) Click Edit Configuration
9) Change the Logging Level to TRACE:32 //note the log level already set
10) Click OK
11) Click Close
12) On the Log Levels tab, use pull down menu next to Root Logger to change it to TRACE:32 (FINEST)
13) Click Apply
14) Click Yes
15) Click Close

16) Rename the Admin Server Diagnostic log so we get a clean log. i.e. rename AdminServer-diagnostic.log to AdminServer-diagnostic1.log
17) Restart the OAM Managed Server and allow it to reach the Running state.
18) Set the Logging Level back to previous and apply

OIF 11g: Questions about Maintenance and Expiry of Signing And Encryption Certificates (Doc ID 1991933.1)

   

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.
APPLIES TO:

Oracle Identity Federation - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
GOAL

Oracle Identity Federation (OIF) 11.1.1.x has been configured as Identity Provider (IdP) or Service Provider (SP).

OIF has been configured with signing and encryption certificates for messages sent to peer providers. OIF has also been configured to accept signed [and encrypted] messages from peer providers.

This document answers a few common questions about maintenance of the OIF and peer provider signing / encryption certificates.


1. How to renew the OIF signing and/or encryption certificates when they expire?


2. The certificate used by OIF used for signing/encrypting SAML assertions is soon to expire.

A renewed certificate has been obtained and imported into a JKS store.

Is there a way to make OIF work with either of the certificates i.e. both the old and the new one?


3. A new wallet/keystore has been configured in the OIF Security and Trust settings. The old wallet has not been removed.

It is expected to see both new and old encryption certificates in the OIF IdP metadata at http(s)://OIFHOSTNAME.DOMAIN:OIFPORT/fed/idp/metadata for <md:KeyDescriptor use="encryption">.

But only the new certificate is shown in the OIF metadata.

For <md:KeyDescriptor use="signing"> both old and new certificates are included.

Why is this?


4. A peer provider's signing and/or encryption certificate has expired. Will this cause OIF to generate errors or Single Sign-On (SSO) to fail?

5. If a peer provider signing or encryption certificate is soon to expire or has expired, will OIF provide a warning? Is there a way to monitor peer provider certificate expiration through OIF?

6. A peer provider has replaced an expiring or expired signing and/or encryption certificate. How to configure OIF with the new peer provider certificate(s)?

7. How to configure OIF to validate peer provider signing or encryption certificates before use?

8. Does OIF validate certificates using a Certificate Revocation List (CRL)? How?






SOLUTION


1. To replace an expiring signing or encryption certificate in OIF 11.1.1.x, create a new Java keystore or Oracle Wallet containing a new, valid certificate.

Oracle Fusion Middleware (FMW) 11g offers either Oracle Wallet Manager (owm) or keytool to manage certificate stores.

References:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Cross-Suite
Fusion Middleware Administrator's Guide
H Oracle Wallet Manager and orapki

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Security for Oracle Fusion Middleware
Fusion Middleware Securing Oracle WebLogic Server
Using the Keytool Utility


Generate a certificate request using the appropriate tool (keytool or owm) and submit it to a Certificate Authority for the server certificate to be issued.
Then import the server certificate into the keystore/wallet.
After that the keystore/wallet is ready to be configured in OIF.

Follow the instructions here to configure OIF with the new keystore/wallet:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
5.10.1 Security and Trust - Wallet

The following document also provides useful information about replacing the OIF certificates: How To Renew Default Signed Certificate With Self Signed Certificate In OIF (Doc ID 1434548.1).

After the new encryption and signing certificates have been configured in OIF, the OIF metadata must be re-generated and supplied to all peer providers for them to use.

There is the option to keep the old certificates/wallet until all peer providers have updated their configuration with the new OIF metadata.
When all peer providers are using the new metadata, click Remove Old Wallet in EM Console to remove the old OIF certificates.


2. If OIF has been configured with new signing and encryption certificates, will OIF work with either of the certificates, i.e. both the old and the new one?

Yes, the old certificate(s) will continue to be used by OIF until "Remove old wallet" is selected.


3. Until "Remove old wallet" is selected in OIF Administration Security and Trust, OIF will provide both the old and the new signing certificates in the metadata.

However only the new encryption certificate will be supplied in the OIF metadata.

Peer Providers/Partners only need to know about a single encryption certificate to send encrypted data to OIF. So the OIF IdP metadata only lists the new encryption certificate. The old certificate is no longer necessary.

The OIF server itself is still using the two encryption certificates to decrypt encrypted messages and therefore will be able to decrypt data encrypted with the new encryption certificate as well as the old encryption certificate.


4. OIF will not object to expired peer provider certificates unless OIF is configured to validate certificates before use.

See 7. below.

If certificate validation is configured and OIF cannot validate the signing or encryption certificate for an authentication request or response then SSO will fail.


5. OIF will not provide any warning if a peer provider signing or encryption certificate is soon to expire or has expired. It is the responsibility of the SP to ensure that their certificates are valid.

However OIF will produce an error if a peer provider certificate is expired and OIF is configured for certificate validation (see 7. below).
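Answer 3 above says the OIF metadata lists both signing certificates but only the new encryption certificate, and answer 5 says OIF itself gives no warning before a peer provider certificate expires. The following Python script is an added example, not part of the Oracle note and not OIF code: it reads a SAML metadata document, walks the X.509 certificate inside each <md:KeyDescriptor> with a minimal standard-library DER parser to read notAfter, and reports keys that are expired or about to expire, so the expiry check OIF does not perform can be run on a schedule against peer (or your own) metadata. The entity ID, the metadata and the two "certificates" it embeds are constructed placeholders (unsigned TBS skeletons, not real X.509 certificates); a real run would replace SAMPLE_METADATA with the document fetched from the provider's metadata URL.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

def _der_read(buf, pos):
    """Decode one DER TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _der_children(buf, start, end):
    """Yield (tag, content_start, content_end) for each TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, cstart, cend = _der_read(buf, pos)
        yield tag, cstart, cend
        pos = cend

def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime (stdlib only)."""
    _, tbs_start, _ = _der_read(der, 0)          # Certificate SEQUENCE
    _, start, end = _der_read(der, tbs_start)    # tbsCertificate SEQUENCE
    fields = list(_der_children(der, start, end))
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    _, vstart, vend = fields[3]                  # serialNumber, signature, issuer, validity, ...
    ttag, tstart, tend = list(_der_children(der, vstart, vend))[1]   # second Time = notAfter
    text = der[tstart:tend].decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if ttag == 0x17 else "%Y%m%d%H%M%SZ"     # UTCTime / GeneralizedTime
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)

def key_descriptors(metadata_xml):
    """Return [(role, use, der_bytes)] for every KeyDescriptor under the role descriptors."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in root:                            # role descriptors are direct children
        if not role.tag.startswith("{" + MD_NS + "}"):
            continue
        for kd in role.findall("md:KeyDescriptor", NS):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            use = kd.get("use", "signing+encryption")   # a missing "use" means both
            found.append((role.tag.split("}")[1], use, base64.b64decode(cert.text)))
    return found

def expiring_keys(metadata_xml, today, warn_days=30):
    """(role, use, notAfter, state) for certs expired or expiring within warn_days of ISO date today."""
    ref = dt.date.fromisoformat(today)
    report = []
    for role, use, der in key_descriptors(metadata_xml):
        not_after = cert_not_after(der).date()
        days_left = (not_after - ref).days
        if days_left < warn_days:
            report.append((role, use, not_after.isoformat(), "expired" if days_left < 0 else "expiring"))
    return report

# --- constructed sample input (NOT real certificates) ---
def _der(tag, content):
    """Encode one DER TLV with content shorter than 64 KiB."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content

def fake_cert(not_after_utctime):
    """Unsigned TBS skeleton carrying only the fields cert_not_after() walks; enough for the demo."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))       # [0] version v3
           + _der(0x02, b"\x01")                 # serialNumber
           + _der(0x30, b"") + _der(0x30, b"")   # signature AlgorithmIdentifier, issuer (empty)
           + _der(0x30, _der(0x17, b"180101000000Z") + _der(0x17, not_after_utctime)))
    return _der(0x30, _der(0x30, tbs))

OLD_CERT = base64.b64encode(fake_cert(b"250101000000Z")).decode()
NEW_CERT = base64.b64encode(fake_cert(b"300101000000Z")).decode()

# Both signing certificates are listed but only the new encryption certificate, as in answer 3.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://oif.example.com/fed/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

expiring_keys(SAMPLE_METADATA, "2024-12-15") reports the old signing certificate as expiring and leaves the 2030 certificates alone; the same call against fetched peer metadata is the monitoring OIF does not do for you. Because the parser only walks as far as the validity field, it also handles certificates whose notAfter is encoded as GeneralizedTime (dates from 2050 on), which goes beyond the note's own scenario.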


6. To configure OIF with new peer provider certificates, obtain the new metadata file from the peer provider which contains the renewed certificates. Upload the new metadata file in the OIF Administration -> Federations section. OIF will detect that a provider already exists with the same ID and will replace the existing metadata with the new metadata.


7. To configure OIF 11g to validate certificates, check the "Certificate Validation" checkbox in OIF Administration -> Security and Trust settings.

Note also that if Certificate Validation is configured, the root Certificate Authority (CA) certificate and any subCA certificates for chained certificates must be loaded into the OIF Trust Store.


8. OIF will execute certificate validation for the peer provider signing and encryption certificates IF "Enable Certificate Validation" is checked in OIF Configuration Security and Trust -> Trusted CAs and CRLs section.

If this option is checked then the OIF administrator must upload the root CA certificates for the peer provider signing and encryption certificates in the Trusted CAs list.
If a CRL is also configured then OIF will check the revocation status of certificates using the configured CRL(s).

More detail and more advanced configuration options are provided at the following location:

Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
6.22 Certificate Path Validation



See also:

OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated" (Doc ID 1908582.1)

OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed (Doc ID 1637895.1)

Identity Federation SSO Fails With "Signature verification failed for provider ID ..." (Doc ID 2032605.1)


REFERENCES

NOTE:2032605.1 - Identity Federation SSO Fails With "Signature verification failed for provider ID ..."
NOTE:1908582.1 - OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated"
NOTE:1637895.1 - OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed

database error recovering system datafile from local storage to shared storage


Error:

ORA-01157: cannot identify/lock data file 64 - see DBWR trace file
ORA-01110: data file 64: '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf'
ORA-02002: error while writing to audit trail
ORA-00604: error occurred at recursive SQL level 1
ORA-01157: cannot identify/lock data file 64 - see DBWR trace file
ORA-01110: data file 64: '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf'


Solution:

We followed these steps to resolve the issue.

Copy the datafile to the shared storage with RMAN:

RMAN> copy datafile '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf' to '+DATA';

Using SQL*Plus, rename the datafile to the new location:

SQL> alter database rename file '/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf' to '+DATA/SYSTEM.xxx.zzzzzz';

Open the database:

SQL> alter database open;

Remove the old file:

$ rm /u01/app/oracle/product/11.2.0.4/dbhome_1/dbs/path_to_your_datafiles_foldername_of_df_you_want.dbf


This is expected: it is a RAC database, so the new datafile is supposed to be created on the shared disk, not on the local node. When a user adds a datafile with

SQL> alter tablespace system add datafile 'FRA' SIZE 250M AUTOEXTEND ON NEXT 50M MAXSIZE UNLIMITED;

the datafile is added in the default OMF location (db_create_file_dest).


Extra commands used during troubleshooting. Use the commands below to check the state of the corrupt file.

set pagesize 20000
set linesize 180
set pause off
set serveroutput on
set feedback on
set echo on
set numformat 999999999999999
alter session set nls_date_format = 'DD-MON-RRRR HH24:MI:SS';
spool recover.lst
select name, platform_name, open_mode, controlfile_type, log_mode, flashback_on, RESETLOGS_TIME, RESETLOGS_CHANGE# from v$database;
select substr(name, 1, 50), status from v$datafile;
select substr(name, 1, 50), recover, fuzzy, checkpoint_change#, RESETLOGS_TIME, RESETLOGS_CHANGE# from v$datafile_header;
select * from v$backup;
select name, open_mode, checkpoint_change#, ARCHIVE_CHANGE# from v$database;
select GROUP#, THREAD#, SEQUENCE#, MEMBERS, ARCHIVED, STATUS, FIRST_CHANGE# from v$log;
select GROUP#, substr(member, 1, 60) from v$logfile;
select * from v$log_history;
select * from v$recover_file;
select * from v$recovery_log;
select HXFIL File_num, substr(HXFNM, 1, 40) File_name, FHTYP Type, HXERR Validity, FHSCN SCN, FHTNM TABLESPACE_NAME, FHSTA status, FHRBA_SEQ Sequence, FHTHR Thread from X$KCVFH;
spool off


attribute AttributeAuthorityDescriptor and IDPSSODescriptor OIF


Migrating a Certificate in IdP Metadata

This article is for site administrators wishing to replace an old certificate with a new certificate in IdP metadata. Please read the overview Certificate Migration topic before continuing.
Handle the New Private Key Carefully!

The IdP private signing key must be handled with extreme care. Before generating a new private key, consult the IdP Key Handling topic for recommended practices.

In Federation metadata, all certificates in IdP metadata are contained in an <md:KeyDescriptor use="signing"> element. Such a certificate may be used for signing and/or TLS. Usually there are identical key descriptors contained in the <md:IDPSSODescriptor> element (used as a signing key) and the <md:AttributeAuthorityDescriptor> element (used as a TLS key), in which case both certificates are migrated out of metadata at the same time.

Implementation Requirements
This procedure ultimately requires two <md:KeyDescriptor use="signing"> elements to be bound to a single role descriptor in IdP metadata. Some SP software implementations will not consume such metadata (which is an implementation bug). Check with your federation partners before initiating the procedure below.

Regardless of the IdP implementation used, the general migration process is as follows.

Preconditions:

1. There is a single <md:KeyDescriptor use="signing"> element bound to each role descriptor in IdP metadata.
2. The IdP software is configured to use the corresponding private key as a signing key and/or TLS key.

Procedure:

1. Add a new <md:KeyDescriptor use="signing"> element to IdP metadata.
2. Wait for the newly updated metadata to propagate throughout the Federation.
3. Configure the IdP software to use the new key (instead of the old key) as the signing key and/or TLS key.
4. Remove the old <md:KeyDescriptor use="signing"> element from IdP metadata.

Procedural details:

At step 1, log into the Federation Manager, upload a new certificate, and bind that certificate to your metadata. Be sure to bind the certificate to each of the <md:IDPSSODescriptor> and <md:AttributeAuthorityDescriptor> elements. After doing so, your IdP's metadata will contain four (4) key descriptors, two of which are new.

Key Order in Metadata
When two verification keys are listed in IdP metadata, the old one is listed first. This is because the IdP is still signing with the old key as long as two keys are listed in metadata. This accommodates non-conforming SP implementations (such as EZProxy) that try the first key listed and then stop.

The configuration at step 3 depends on your particular IdP software implementation and how the key is used. Some implementations require separate configurations for signing and TLS. In particular, if your IdP supports artifact resolution or attribute query, it may require a separate TLS key configuration. Consult your software documentation for further instructions. (If you're using the Shibboleth IdP, refer to the next section.)

Finally, at step 4, remove the old key descriptors from metadata but leave the two newer key descriptors in the metadata. This completes the migration process.
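The metadata side of the four-step procedure above, including the old-key-first ordering from the Key Order note, as an added Python example (not code from the Federation Manager or from any IdP software): add_signing_certificate() performs step 1 for both the <md:IDPSSODescriptor> and <md:AttributeAuthorityDescriptor> roles and inserts the new <md:KeyDescriptor use="signing"> directly after the existing one, so the old key stays listed first; remove_signing_certificate() performs step 4 and refuses to run unless exactly two signing descriptors are bound and the old one can be identified; signing_certificates() returns the certificates per role in document order so the result can be checked before publishing. The entity ID, service locations and certificate strings in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor")   # the two roles the article migrates

def _signing_descriptors(role):
    """KeyDescriptor children with use="signing", in document order."""
    return [kd for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") == "signing"]

def _cert_text(kd):
    """Base64 certificate text with line breaks and indentation stripped, for comparison."""
    return "".join(kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text.split())

def _new_key_descriptor(cert_b64):
    """Build <md:KeyDescriptor use="signing"> wrapping the given base64 certificate."""
    kd = ET.Element("{%s}KeyDescriptor" % MD_NS, use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % DS_NS), "{%s}X509Data" % DS_NS)
    ET.SubElement(x509, "{%s}X509Certificate" % DS_NS).text = cert_b64
    return kd

def signing_certificates(metadata_xml):
    """{role: [cert, ...]} in document order, so the old-key-first rule can be verified."""
    root = ET.fromstring(metadata_xml)
    return {r: [_cert_text(kd) for kd in _signing_descriptors(root.find("md:" + r, NS))]
            for r in ROLES if root.find("md:" + r, NS) is not None}

def add_signing_certificate(metadata_xml, new_cert_b64):
    """Step 1: bind the new certificate to every role, directly AFTER the existing one."""
    root = ET.fromstring(metadata_xml)
    for r in ROLES:
        role = root.find("md:" + r, NS)
        if role is None:
            continue
        current = _signing_descriptors(role)
        if len(current) != 1:                  # precondition: exactly one signing key per role
            raise ValueError(f"{r}: expected 1 signing KeyDescriptor, found {len(current)}")
        if _cert_text(current[0]) == new_cert_b64:
            raise ValueError(f"{r}: certificate already present")
        # Old key stays first: non-conforming SPs may only try the first key listed.
        role.insert(list(role).index(current[0]) + 1, _new_key_descriptor(new_cert_b64))
    return ET.tostring(root, encoding="unicode")

def remove_signing_certificate(metadata_xml, old_cert_b64):
    """Step 4: drop the old descriptor, only once two are bound and the old one is identified."""
    root = ET.fromstring(metadata_xml)
    for r in ROLES:
        role = root.find("md:" + r, NS)
        if role is None:
            continue
        current = _signing_descriptors(role)
        old = [kd for kd in current if _cert_text(kd) == old_cert_b64]
        if len(current) != 2 or len(old) != 1:
            raise ValueError(f"{r}: expected old+new signing KeyDescriptors, found {len(current)}")
        role.remove(old[0])
    return ET.tostring(root, encoding="unicode")

# Constructed sample: placeholder certificate strings, not real X.509 data.
OLD_CERT = "MIIB...OLDKEY...PLACEHOLDER"
NEW_CERT = "MIIB...NEWKEY...PLACEHOLDER"

def _kd(cert):
    return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_kd(OLD_CERT)}
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_kd(OLD_CERT)}
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.edu/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""
```

Running add_signing_certificate(SAMPLE_METADATA, NEW_CERT) yields the four-key-descriptor state described at step 1, and remove_signing_certificate() on that output leaves one new descriptor per role, the state described at step 4. Steps 2 and 3 (propagation and the IdP's own key switch) happen outside the metadata and are deliberately not simulated; the precondition checks are what stop the two metadata edits from being run out of order.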