OIF 11g: Questions about Maintenance and Expiry of Signing And Encryption Certificates (Doc ID 1991933.1) To BottomTo Bottom
In this Document
Goal
Solution
References
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.
APPLIES TO:
Oracle Identity Federation - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
GOAL
Oracle Identity Federation (OIF) 11.1.1.x has been configured as Identity Provider (IdP) or Service Provider (SP).
OIF has been configured with signing and encryption certificates for messages sent to peer providers. OIF has also been configured to accept signed [and encrypted] messages from peer providers.
This document answers a few common questions about maintenance of the OIF and peer provider signing / encryption certificates.
1. How to renew the OIF signing and/or encryption certificates when they expire?
2. The certificate used by OIF used for signing/encrypting SAML assertions is soon to expire.
A renewed certificate has been obtained and imported into a JKS store.
Is there a way to make OIF work with either of the certificates i.e. both the old and the new one?
3. A new wallet/keystore has been configured in the OIF Security and Trust settings. The old wallet has not been removed.
It is expected to see both new and old encryption certificates in the OIF IdP metadata at http(s)://OIFHOSTNAME.DOMAIN:OIFPORT/fed/idp/metadata for <md:KeyDescriptor use="encryption">.
But only the new certificate is shown in the OIF metadata.
For <md:KeyDescriptor use="signing"> both old and new certificates are included.
Why is this?
4. A peer provider's signing and/or encryption certificate has expired. Will this cause OIF to generate errors or Single Sign-On (SSO) to fail?
5. If a peer provider signing or encryption certificate is soon to expire or has expired, will OIF provide a warning? Is there a way to monitor peer provider certificate expiration through OIF?
6. A peer provider has replaced an expiring or expired signing and/or encyption certificate. How to configure OIF with the new peer provider certificate(s)?
7. How to configure OIF to validate peer provider signing or encryption certificates before use?
8. Does OIF validate certificates using a Certificate Revocation List (CRL)? How?
SOLUTION
1. To replace an expiring signing or encryption certificate in OIF 11.1.1.x, create a new Java keystore or Oracle Wallet containing a new, valid certificate.
Oracle FusionMiddleWare (FMW) 11g offers either Oracle Wallet Manager (owm) or keytool to manage certificate stores.
References:
Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Cross-Suite
Fusion Middleware Administrator's Guide
H Oracle Wallet Manager and orapki
Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Security for Oracle Fusion Middleware
Fusion Middleware Securing Oracle WebLogic Server
Using the Keytool Utility
Generate a certificate request using the appropriate tool (keytool or owm) and submit it to a Certificate Authority for the server certificate to be issued.
Then import the server certificate into the keystore/wallet.
After that the keystore/wallet is ready to be configured in OIF.
Follow the instructions here to configure OIF with the new keystore/wallet:
Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
5.10.1 Security and Trust - Wallet
The following document also provides useful information about replacing the OIF certificates: How To Renew Default Signed Certificate With Self Signed Certificate In OIF (Doc ID 1434548.1).
After the new encryption and signing certificates have been configured in OIF, the OIF metadata must be re-generated and supplied it to all peer providers for them to use.
There is the option to keep the old certificates/wallet until all peer providers have updated their configuration with the new OIF metadata.
When all peer providers are using the new metadata, click Remove Old Wallet in EM Console to remove the old OIF certificates.
2. If OIF has been configured with new signing and encryptions certificates, will OIF work with either of the certificates i.e. both the old and the new one?
Yes, the old certificate(s) will continue to be used by OIF until "Remove old wallet" is selected.
3. Until "Remove old wallet" is selected in OIF Administration Security and Trust, OIF will provide both both old and new signing certificates in the metadata.
However only the new encryption certificate will be supplied in the OIF metadata.
Peer Providers/Partners only need to know about a single encryption certificate to send encrypted data to OIF. So the OIF IdP metadata only lists the new encryption certificate. The old certificate is no longer necessary.
The OIF server itself is still using the two encryption certificates to decrypt encrypted messages and therefore will be able to decrypt data encrypted with the new encryption certificate as well as the old encryption certificate.
4. OIF will not object to expired peer provider certificates unless OIF is configured to validate certificates before use.
See 7. below.
If certificate validation is configured and OIF cannot validate the signing or encryption certificate for an authentication request or response then SSO will fail.
5. OIF will not provide any warning if a peer provider signing or encryption certificate is soon to expire or has expired. It is the responsibility of the SP to ensure that their certificates are valid.
However OIF will produce an error if a peer provider certificate is expired and OIF is configured for certificate validation (see 7. below).
6. To configure OIF with new peer provider certificates, obtain the new metadata file from the peer provider which contains the renewed certificates. Upload the new metadata file in the OIF Administration -> Federations section. OIF will detect that a provider already exist with the same ID and will replace the existing metadata with the new metadata.
7. To configure OIF 11g to validate certificates, check the "Certificate Validation" checkbox in OIF Administration -> Security and Trust settings.
Note also that if Certificate Validation is configured, the root Certificate Authority (CA) certificate and any subCA certificates for chained certificates must be loaded into the OIF Trust Store.
8. OIF will execute certificate validation for the peer provider signing and encryption certificates IF "Enable Certificate Validation" is checked in OIF Configuration Security and Trust -> Trusted CAs and CRLs section.
If this option is checked then the OIF administrator must upload the root CA certificates for the peer provider signing and encryption certificates in the Trusted CAs list.
If a CRL is also configured then OIF will check the revocation status of certificates using the configured CRL(s).
More detail and more advanced configuration options are provided at the following location:
Oracle Fusion Middleware Online Documentation Library, 11g Release 1 (11.1.1.5) / Identity Management
Fusion Middleware Administrator's Guide for Oracle Identity Federation
6.22 Certificate Path Validation
See also:
OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated" (Doc ID 1908582.1)
OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed (Doc ID 1637895.1)
Identity Federation SSO Fails With "Signature verification failed for provider ID ..." (Doc ID 2032605.1)
REFERENCES
NOTE:2032605.1 - Identity Federation SSO Fails With "Signature verification failed for provider ID ..."
NOTE:1908582.1 - OIF 11g: Unable To Load Metadata Files. Error "The Signing Certificate Could Not Be Validated"
NOTE:1637895.1 - OIF Generates 500 Error When Validating Incoming Message Signature - Reference Validation With URI Failed
No comments:
Post a Comment