“ObAccessException_ENGINE_DOWN” : WebGate Certificate expired

One of our client environments had had OAM set up for a couple of years when the error below appeared all of a sudden, and every authentication/authorization request going through one specific Access Gate stopped working.

2012/09/17@19:11:15.602601    16038    1000059    CONNECTIVITY    DEBUG3    0x00000201    /export/t3array/build6/Oblix/coreidport/palantir/netlib/src/obmessagechannel.cpp:601    "Received NMP STS negotiation "    _seqno^0    _opcode^0    _opcodeStr^ServerDiagnosticEvent    Message^sts=cert    
2012/09/17@19:11:15.992267    16038    68    CONN_MGMT    ERROR    0x00001C08    /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/watcher_thread.cpp:84    "NAP initialization failed"    
2012/09/17@19:11:15.992220    16038    1000059    CONNECTIVITY    DEBUG3    0x00000201    /export/t3array/build6/Oblix/coreidport/palantir/netlib/src/obmessagechannel.cpp:480    "handleSTSmessage returns false"    _seqno^0    _opcode^0    Message^sts=cert    
2012/09/17@19:11:15.998052    16038    79    CONN_MGMT    DEBUG3    0x00000201    /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/aaa_service_client.cpp:989    "Connection checked out"    return^NULL    
2012/09/17@19:11:15.998133    16038    79    CONN_MGMT    DEBUG3    0x00000201    /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/aaa_service_client.cpp:2449    "Connections exhausted"    
2012/09/17@19:11:15.998223    16038    79    CONFIG    DEBUG2    0x00000201    /export/t3array/build6/Oblix/coreidport/palantir/access_api/src/obconfig.cpp:864    "Client configuration not updated"    
2012/09/17@19:11:15.998253    16038    79    CONFIG    INFO    0x0000182C    /export/t3array/build6/Oblix/coreidport/palantir/access_api/src/obconfig.cpp:865    "ObAccessException_ENGINE_DOWN"    raw_code^301    

Within this exception block, ObAccessException_ENGINE_DOWN, coming right after the failed sts=cert negotiation, is the clue that the certificate has expired.

A simple way to check the certificate's expiry is to convert it from PEM format to DER format and open the DER file in Windows, where its validity period is shown directly.

Solution:

  1. Create a new certificate request using the openssl tool located in the Access SDK install: ./openssl req -config openssl.cnf -newkey rsa:1024 -keyout aaa_key.pem -out aaa_req.pem.
  2. Get the certificate request aaa_req.pem signed by the third-party CA.
  3. Rename the signed certificate, say, to aaa_cert.pem.
  4. Verify whether the chain certificate is still valid. If it has also expired, get it signed as well. It is expired in my case, and I refer to it here as aaa_chain.pem.
  5. The three certificate files that need to be replaced in the Access Gate are aaa_cert.pem, aaa_key.pem and aaa_chain.pem (the last remains unchanged in my case). Place these files in $ACCESS_SDK/oblix/config.
  6. Note that in OAM 10g password.xml is required only if the security mode is Simple. This XML file contains the hashed value of the certificate passphrase. It is not required in my case, since the security mode is Cert and the version is OAM 10g. In OAM 11g, however, password.xml is required for both Cert and Simple modes.

After placing the certificates as described in step 5, verify that the WebGate is working again.
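As an added example (not code from the post), the following POSIX shell script does the expiry check from the text with the openssl binary shipped in the Access SDK instead of converting to DER and opening it in Windows, and also runs the step 4 chain check and a key/certificate match before the three files go into $ACCESS_SDK/oblix/config. The file names are the post's; the directory layout, the 30-day warning window and the KEY_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: pre-flight checks for the three
# WebGate files named in step 5, using the openssl binary shipped with the
# Access SDK. The directory layout and KEY_PASS are assumptions.
# 0 if certificate $1 stays valid for at least $2 days (default 0 = "not expired
# now"); -checkend takes seconds and exits non-zero when expiry falls inside it.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( ${2:-0} * 86400 )) -in "$1" >/dev/null 2>&1
}

# 0 if the leaf certificate $1 verifies against the CA/chain file $2 (step 4).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if RSA private key $1 belongs to certificate $2 (identical modulus).
# Export KEY_PASS when the key is passphrase-protected; unset means no passphrase.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${KEY_PASS:-}" 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Check aaa_cert.pem, aaa_chain.pem and aaa_key.pem in directory $1; warn when a
# certificate expires within $2 days (default 30). Non-zero return = action needed.
check_webgate_certs() {
    dir="$1"; warn="${2:-30}"; rc=0
    for f in aaa_cert.pem aaa_chain.pem; do
        echo "$f notAfter: $(openssl x509 -noout -enddate -in "$dir/$f" 2>/dev/null | sed 's/^notAfter=//')"
        if ! cert_valid_for_days "$dir/$f" 0; then
            echo "FAIL $f has expired (this is what surfaces as ENGINE_DOWN)"; rc=1
        elif ! cert_valid_for_days "$dir/$f" "$warn"; then
            echo "WARN $f expires within $warn days, schedule renewal"
        fi
    done
    if chain_verifies "$dir/aaa_cert.pem" "$dir/aaa_chain.pem"; then
        echo "OK   aaa_cert.pem verifies against aaa_chain.pem"
    else
        echo "FAIL aaa_cert.pem does not verify against aaa_chain.pem"; rc=1
    fi
    if key_matches_cert "$dir/aaa_key.pem" "$dir/aaa_cert.pem"; then
        echo "OK   aaa_key.pem matches aaa_cert.pem"
    else
        echo "FAIL aaa_key.pem does not match aaa_cert.pem (or wrong KEY_PASS)"; rc=1
    fi
    return $rc
}
# Usage: ACCESS_SDK=/path/to/AccessServerSDK sh check_webgate_certs.sh
if [ -d "${ACCESS_SDK:-}/oblix/config" ]; then check_webgate_certs "$ACCESS_SDK/oblix/config"; fi
```

Run it on a copy of the new files before swapping them in, and again on a schedule so a WARN shows up well before the WebGate logs ENGINE_DOWN.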

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
