OAM 11g : How to change Security Mode (OPEN, SIMPLE, CERT) – WebGate to Access Server Communication

Oracle Access Manager (OAM) Servers can run in one of three security modes OPEN, SIMPLE, or CERT

To know more about Oracle Access Manager 11g check my book on Amazon or for Integration of OAM with E-Business Suite (R12) for Single Sing-On check my eBook (co-author Neha Mittal)

WegGate is a Policy Enforcement Point (PEP) deployed with Web Server and communicates to OAM Servers (Policy Decision Point – PDP). WebGate communicates to OAM Access Server on proxy port (default value 5575) and default security mode OPEN.

  • OPEN : WebGate to OAM Access Server communication in clear text
  • SIMPLE : Secure communication between WebGate to OAM Access Server using self signed certificates provided by OAM Server
  • CERT : Secure communication between WebGate to OAM Access Server using certificates signed by Certificate Authority (CA)

 

To change OAM security mode from OPEN to SIMPLE or CERT or vice versa

  1. Change Security Mode for OAM Server using OAMConsole (System Configuration tab)
  2. Repeat step 1 for all OAM servers (in high availability deployment)
  3. Change security mode in OAM Agents (10g/11g Webgate, OSSO agent) registered with OAM server to same value as OAM Server security mode.

For complete steps click  here

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

10 comments
Shiva says February 12, 2013

after changing the security mode to simple from open, I am getting below error. I am sure, I have changed security mode of the agent. appreciate any help

[2013-02-11T17:48:11.264-05:00] [oam_server1] [ERROR] [OAM-04036] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: 11d1def534ea1be0:5e1b1a24:13ccb70aadf:-8000-0000000000000013,0] [APP: oam_server] Channel security mode is different as specified in configuration Channel unsecure. Details: Channel Mode: open Minimum Server Mode: simple Agent Id: IAMSuiteAgent
[2013-02-11T17:48:11.264-05:00] [oam_server1] [NOTIFICATION] [OAM-04008] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: 11d1def534ea1be0:5e1b1a24:13ccb70aadf:-8000-0000000000000013,0] [APP: oam_server] Message sent to client. Message OpCode = 15 [NAPAuthnChallengeResponse], SeqNo = 0 Message = response=287bee37ddf15a5bd486cb52be602fbb st=ma%3d50%20mi%3d2%20sg%3d1%20sm%3d rt=0, Host : 127.0.0.1 Port : 52,036.
[2013-02-11T17:48:11.265-05:00] [oam_server1] [ERROR] [] [] [tid: PoolWatcher] [userId: ] [ecid: 11d1def534ea1be0:5e1b1a24:13ccb70aadf:-8000-0000000000000018,0] Error in receiving hashed server challenge

Reply
    Atul Kumar says February 12, 2013

    @Shiva,
    What is version of WebGAte ?

    Did you copy xml file generated after chnaging mode in Webgate/Agent from $DOMAIN_HOME/output/[webgtaename] to webgate instance directory on OHS server ?

    Reply
Shiva says February 12, 2013

Atul,

Thanks for your quick response. I don’t have any webgates configured. The error is for IAMSuiteAgent. Metadata ID 1376184.1 has solution for this.

Thanks,
Shiva

Reply
Atul Kumar says February 12, 2013

@Shiva,
Oh in that case 11gR1 does not support changing security model for IAMSuiteAgent, remove IAMSuiteAgent from WebLogic Authentication Providers under security relam and restart domain (take backup of $DOMAIN_HOME before deleting this)

Check this for authentication providers

http://onlineappsdba.com/index.php/2008/11/22/security-in-oracle-weblogic-realm-security-provider-authentication-authorization-users/

Reply
Shiva says February 12, 2013

it is supported in 11.1.1.6

Reply
Atul Kumar says February 12, 2013

@ Shiva,
11gR1 for OAM is 11.1.1.3 and 11.1.1.5 . There is no 11.1.1.6 for OAM. Yes, deletion of IAMSuiteAgent is supported in OAM.

Reply
Sudhir says September 9, 2013

We are receiving the below error while integrating OIM and OAM. We do not have any issues in test but having issues in our pilot. Any help is appreciated.

oracle.security.am.common.exceptions.NAPException: Error in receiving server challenge. ObAAAStatus: Major code: 24(Component_Lookup_Failed) Minor code: 2(NoCode)
at oracle.security.am.common.nap.ObMessageChannelWrapper.initNAP(ObMessageChannelWrapper.java:306)
at oracle.security.am.common.nap.ObMessageChannelWrapper.initialize(ObMessageChannelWrapper.java:190)
at oracle.security.am.common.nap.ObMessageChannelWrapper.(ObMessageChannelWrapper.java:126)
at oracle.security.am.common.aaaclient.ObAAAServiceClient.sendCacheFlushRequest(ObAAAServiceClient.java:2919)
at oracle.security.am.common.aaaclient.ObAAAServiceClient.SyncInfo(ObAAAServiceClient.java:2634)
at oracle.iam.sso.oam.impl.OAMNotificationProvider.sendNotification(OAMNotificationProvider.java:64)
at oracle.iam.sso.oam.impl.OAMNotificationProvider.sendUserStatusNotification(OAMNotificationProvider.java:99)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy453.sendUserStatusNotification(Unknown Source)
at com.principal.ovd.utilities.OVDUtility.updateOVDAttributes(OVDUtility.java:344)
at com.principal.ovd.utilities.OVDUtility.unlockAccount(OVDUtility.java:267)
at com.principal.oim.eventhandlers.ChangePasswordHandler.processRequest(ChangePasswordHandler.java:255)
at com.principal.oim.eventhandlers.ChangePasswordHandler.execute(ChangePasswordHandler.java:130)
at oracle.iam.platform.kernel.impl.OrchProcessData.runPreProcessEvents(OrchProcessData.java:970)
at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:706)
at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:268)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:806)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.process(OrchestrationEngineImpl.java:555)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:490)
at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.orchestrate(OrchestrationEngineImpl.java:408)
at sun.reflect.GeneratedMethodAccessor1993.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy257.orchestrate(Unknown Source)
at oracle.iam.identity.usermgmt.impl.UserManagerImpl.changePassword(UserManagerImpl.java:4645)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy412.changePassword(Unknown Source)
at oracle.iam.identity.usermgmt.api.UserManagerEJB.changePasswordx(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

Reply
    Atul Kumar says September 10, 2013

    @ SUdhir,
    At what stage of integration you encounter this error or what are you doing when you see this error?

    Reply
Sudhir says September 9, 2013

Forgot to mention the product versions, OIM 11gr2 and OAM 11gr2 PS1.

Reply
Prashanth says February 23, 2015

Hi Atul,

If change the OAM server mode from SIMPLE to OPEN,

Will the existing applications be affected.
Do they need to be re-configured again?

Regards,
Prashanth

Reply
Add Your Reply

Not found