Sunday, April 1, 2018

Renewing an OIF self-signed certificate

Qn1:
The default certificate in your OIF environment is expiring. You would like to renew it with a new self-signed certificate. What is the procedure?


Qn2:
How can you restore the previous certificate if the renewal fails?

SOLUTION

An1:
Instructions:

1. Follow this note to generate a new wallet containing a self-signed certificate:
How To Generate A Wallet Containing A Self Signed Certificate Using ORAPKI (Doc ID 560982.1).

2. Once you have the new wallet, follow the instructions in section 8.3 of the OIF administrator's guide to load it as the signing (and, if applicable, encryption) wallet:

8.3 Managing Signing and Encryption Wallets

3. Once updated in the OIF, 

4. If OIF fails to start after step 3 and you see the following error message:
[HTTP:101216]Servlet: "spmanager" failed to preload on startup in Web application: "/fed".
java.lang.RuntimeException: The server could not initialize properly: oracle.security.fed.sec.util.KeySourceException: Invalid/unsupported key store or incorrect password. Please verify that the password is correct and the store is a valid PKCS#12 PFX wallet or Java KeyStore file.
this can happen when the key password differs from the keystore password (OIF uses a single password for both), or when the password OIF holds in the Credential Store Framework (CSF) no longer matches the password of the new wallet. If you are sure the keystore itself is valid, the problem is almost certainly the stored password.

  To change the password stored in the CSF, go to ORACLE_HOME/common/bin
  a. Run ./wlst.sh or wlst.cmd (depending on the OS)
  b. Enter connect() to connect to the WebLogic Admin Server
  c. Run listCred(map="OIF", key="jcepwdsign"). This prints the password currently stored, in clear text, so do it on a trusted terminal only
  d. Run
      updateCred(map="OIF",key="jcepwdsign",user="UniqueUserNameCredential",password="welcome1")
  e. Run
      updateCred(map="OIF",key="jcepwdenc",user="UniqueUserNameCredential",password="welcome1")
     ("welcome1" is a placeholder: use the actual password of the signing wallet for jcepwdsign and of the encryption wallet for jcepwdenc; with a single wallet they are the same)
  f. Restart the Managed Server

5. If the JKS file that you generated using keytool did not get updated, refer to Doc ID 1088993.1, which has a section "How to create self-signed certificates and configure keystore".

6. After the new wallet is loaded successfully, you should get a confirmation of the wallet update. If not, you may be running into bug 9470286; see Doc ID 1099743.1 for the solution.

An2:
Before starting, back up the entire configuration directory to be safe:
<Domain_Home>/config, e.g. /refresh/home/Oracle/Middleware/user-projects/domains/IDMDomain/config
If the renewal fails, stop the managed server, restore this directory from the backup, and start the server again. With a file-based credential store this also rolls back the CSF entries changed in step 4; if the CSF is LDAP- or database-based, revert jcepwdsign and jcepwdenc separately with updateCred.
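The following script is an added example and is not part of the original post or of Oracle's tooling. It strings together the An2 backup, step 1 (orapki self-signed wallet), a certificate sanity check, and the step 4 CSF password update, with the wallet password supplied through the environment rather than typed into WLST in clear text. Loading the wallet into OIF (step 2) is left as the manual console step. Every variable name, the paths and the t3 URL are assumptions; the orapki, openssl and WLST commands used (wallet create/add/export, x509 -checkend, connect with userConfigFile/userKeyFile, updateCred, listCred) are standard ones.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle: scripts the
# renewal (An2 backup, An1 steps 1 and 4) so the wallet password comes from
# the environment instead of shell history.
# Assumed (hypothetical) inputs set by the caller:
#   ORACLE_HOME, DOMAIN_HOME  - the usual Fusion Middleware locations
#   NEW_WALLET_DIR, CERT_DN   - where to create the wallet and its subject DN
#   WL_USERCFG, WL_USERKEY    - WLST userConfigFile/userKeyFile for admin login
#   WL_ADMIN_URL              - e.g. t3://adminhost:7001
#   WALLET_PWD                - password of the new wallet (exported, never echoed)
set -eu

# An2: copy <Domain_Home>/config aside and print the backup path for rollback.
backup_config() {
    domain_home=$1
    backup="${domain_home}/config.bak.$(date +%Y%m%d%H%M%S)"
    cp -Rp "${domain_home}/config" "${backup}"
    echo "${backup}"
}

# Step 1: self-signed wallet via orapki (Doc ID 560982.1). Note that -pwd is
# visible in the process list for the lifetime of each orapki call.
gen_wallet() {
    wallet_dir=$1; dn=$2; days=${3:-3650}
    mkdir -p "${wallet_dir}"
    orapki wallet create -wallet "${wallet_dir}" -pwd "${WALLET_PWD}"
    orapki wallet add -wallet "${wallet_dir}" -pwd "${WALLET_PWD}" \
        -dn "${dn}" -keysize 2048 -self_signed -validity "${days}"
    orapki wallet export -wallet "${wallet_dir}" -pwd "${WALLET_PWD}" \
        -dn "${dn}" -cert "${wallet_dir}/cert.txt"
}

# Sanity check on the exported certificate before loading it: fails if it
# expires within min_days (the very condition that triggered this renewal).
check_cert() {
    cert=$1; min_days=${2:-30}
    openssl x509 -in "${cert}" -noout -subject -enddate
    openssl x509 -in "${cert}" -noout -checkend $((min_days * 86400))
}

# Step 4: write the WLST (Jython) script that syncs the CSF entries
# jcepwdsign/jcepwdenc with the wallet password. WLST reads the password from
# the environment, so it is never written into the script file.
make_wlst_script() {
    script=$1; ucfg=$2; ukey=$3; url=$4
    ( umask 077; cat > "${script}" <<EOF
from java.lang import System
pwd = System.getenv('WALLET_PWD')
if pwd is None:
    raise SystemExit('WALLET_PWD is not set')
connect(userConfigFile='${ucfg}', userKeyFile='${ukey}', url='${url}')
for k in ('jcepwdsign', 'jcepwdenc'):
    updateCred(map='OIF', key=k, user='UniqueUserNameCredential', password=pwd)
# listCred prints the secret in clear text; use it only to confirm the update.
listCred(map='OIF', key='jcepwdsign')
disconnect()
EOF
    )
    echo "${script}"
}

renew_all() {
    backup=$(backup_config "${DOMAIN_HOME}")
    echo "config backed up to ${backup}; restore it if the new wallet fails to load"
    gen_wallet "${NEW_WALLET_DIR}" "${CERT_DN}"
    check_cert "${NEW_WALLET_DIR}/cert.txt" 30
    # Step 2 (loading the wallet in the OIF console) stays manual; do it now.
    script=$(make_wlst_script "${NEW_WALLET_DIR}/update_csf.py" \
        "${WL_USERCFG}" "${WL_USERKEY}" "${WL_ADMIN_URL}")
    "${ORACLE_HOME}/common/bin/wlst.sh" "${script}"
    rm -f "${script}"
    echo "CSF updated; restart the OIF managed server (step f)"
}

# Usage: WALLET_PWD='...' sh renew_oif_cert.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_all
fi
```

The generated WLST script logs in with a userConfigFile/userKeyFile pair (created once with storeUserConfig()) so neither the WebLogic admin password nor the wallet password ends up in the script or in command-line history; the only remaining exposure is the -pwd argument to orapki, which orapki requires on its command line.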

REFERENCES


NOTE:1088993.1 - WebLogic Server Support Pattern: Troubleshooting SSL Configuration and Node Manager Issues
NOTE:1099743.1 - Not Able To Update Wallet With OIF 11.1.1.0
NOTE:1420596.1 - OIF 11g : How To Renew Certificates for Oracle Identity Federation (OIF) 11g?
NOTE:560982.1 - How to Generate a Wallet Containing a Self Signed Certificate Using ORAPKI in Oracle Application Server and Fusion Middleware
