Beware if you are running OAM in SIMPLE mode with a 10g WebGate: Oracle AccessGate API is not initialized

In today's post I am going to cover an issue encountered recently on Oracle Access Manager 11g with a 10g WebGate in SIMPLE mode, configured with OHS 11g.

First, for those who are new to OAM: Oracle Access Manager (OAM) is the recommended Single Sign-On (SSO) solution from Oracle. WebGate is an agent that acts as the Policy Enforcement Point (PEP) and is installed with the web server (OHS, IHS, IIS etc.). To know more about OAM 11g and its components, you can check my book at Amazon.

  • WebGate communicates directly with the OAM server's proxy port (5575) in OAM 11g (or the Access System in OAM 10g) using the Oracle Access Protocol (OAP).
  • WebGate communicates with the OAM server in one of three modes:

a) OPEN – communication between WebGate and OAM is in clear text
b) SIMPLE – communication between WebGate and OAM is secured (SSL), but using Oracle-signed certificates
c) CERT – communication between WebGate and OAM is secured (SSL) using certificates from a recognised certificate authority (like VeriSign)

To change the OAM/WebGate communication mode, check my post here.


When a WebGate is installed and configured in SIMPLE or CERT mode, the certificates for SSL communication between WebGate and OAM 11g (OAP over SSL) are generated and stored on the OAM server (at $DOMAIN_HOME/output/[WebGate_ID]) and on the web server (at $WEB_GATE_HOME/oblix/config/simple/aaa_cert.pem and aaa_key.pem).

  • If your WebGate version is 10g and the mode is SIMPLE, the validity of the certificate on the WebGate side is just 1 year.
  • To view the certificate validity on the WebGate side, open aaa_cert.pem (you can change the extension to .cer and open it on Windows to see the "valid to" date).


  • During WebGate configuration, this certificate is generated using the configuration files $WEBGATE_HOME/oblix/tools/openssl/openssl.cnf and openssl_silent.cnf (default_days = 365), which define the validity period as 1 year.

Now coming to the actual issue: exactly 1 year after the OAM setup (OAM 11g with a 10g WebGate in SIMPLE mode), the OHS servers started reporting the following errors (OHS 11g logs are at $ORACLE_INSTANCE/diagnostics/OHS/ohs1/):

_________

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526#01116568#011ACCESS_GATE#011FATAL#0110x0000181C#011/scratch/alnguyen/Oblix/10143hf/palantir/webgate2/src/apache2entry_web_gate.cpp:434#011"Oracle AccessGate API is not initialized."#011raw_code^204#011

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526#01116568#011ACCESS_GATE#011FATAL#0110x0000181C#011/scratch/alnguyen/Oblix/10143hf/palantir/webgate2/src/apache2entry_web_gate.cpp:434#011"Oracle AccessGate API is not initialized."#011raw_code^204#011

________


Note: this error is generic; it only means that, for some reason, the WebGate is unable to initialize against the OAM server.


In the OAM logs ($DOMAIN_HOME/servers/[OAM_SERVER]/logs) I noticed messages like:

______

29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c clientResponse: ef1560bd753f98a4e164440960852573

______

I then looked at the SSL certificates on the WebGate side and noticed that the certificate had expired.
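To make the diagnosis above repeatable, here is an added shell example (not code from the original post or from Oracle): it correlates the OHS "Oracle AccessGate API is not initialized" message with the OAM "Simple Mode HandShake: Mismatch" message, then checks the WebGate's aaa_cert.pem with openssl -checkend so an expiring certificate is caught before the one-year mark. It assumes openssl is on the PATH; the function names (cert_status, classify_logs, triage) and the 30-day warning threshold are this example's own choices, and the log and certificate paths are supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the original post or from Oracle): triage the generic
# "Oracle AccessGate API is not initialized" error for a 10g WebGate in SIMPLE mode.
# Assumptions: openssl is on PATH; the OHS/OAM log paths and the aaa_cert.pem path
# are supplied by the caller; the function names are this example's own.

# Print the notAfter date of a PEM certificate (e.g. aaa_cert.pem).
cert_enddate() {
  openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Classify certificate validity. Prints one word and returns:
#   OK (0), EXPIRING within warn_days (3), EXPIRED (1), UNREADABLE (2).
# "openssl x509 -checkend N" succeeds only if the cert is still valid N seconds from now.
cert_status() {
  cert="$1"
  warn_days="${2:-30}"
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "UNREADABLE"; return 2
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
    echo "EXPIRING"; return 3
  fi
  echo "OK"; return 0
}

# Count occurrences of a fixed string in a file; prints 0 for a missing file.
count_sig() {
  n=$(grep -c -F -- "$1" "$2" 2>/dev/null) || true
  echo "${n:-0}"
}

# Correlate the OHS-side and OAM-side signatures quoted in the post.
# "handshake-mismatch" means the OAM server rejected the SIMPLE-mode handshake,
# which points at the WebGate certificate rather than at the network or proxy port.
classify_logs() {
  api_errs=$(count_sig 'Oracle AccessGate API is not initialized' "$1")
  hs_errs=$(count_sig 'Simple Mode HandShake: Mismatch in Client Response' "$2")
  if [ "$api_errs" -gt 0 ] && [ "$hs_errs" -gt 0 ]; then
    echo "handshake-mismatch"
  elif [ "$api_errs" -gt 0 ]; then
    echo "api-not-initialized-only"
  else
    echo "no-signature"
  fi
}

# Full triage: logs first, then the certificate. Prints a human-readable verdict.
triage() {
  ohs_log="$1"; oam_log="$2"; cert="$3"
  verdict=$(classify_logs "$ohs_log" "$oam_log")
  status=$(cert_status "$cert" 30 || true)
  echo "log signature : $verdict"
  echo "cert status   : $status (notAfter: $(cert_enddate "$cert"))"
  case "$verdict/$status" in
    handshake-mismatch/EXPIRED) echo "verdict: expired SIMPLE-mode certificate; re-run configureWebGate" ;;
    handshake-mismatch/*)       echo "verdict: handshake mismatch but cert not expired; compare it with the OAM-side artifacts in \$DOMAIN_HOME/output/[WebGate_ID]" ;;
    */EXPIRING)                 echo "verdict: certificate expires soon; schedule re-configuration" ;;
    *)                          echo "verdict: no SIMPLE-mode certificate evidence; look elsewhere" ;;
  esac
}

# Usage (after sourcing this file):
#   triage /path/to/ohs.log /path/to/oam-server.log "$WEBGATE_HOME/oblix/config/simple/aaa_cert.pem"
```

Run it on a schedule against the WebGate host: a non-zero return from cert_status (3 for EXPIRING) is the hook for an alert well before the 365-day default from openssl.cnf lapses, which is exactly the window this post's outage fell into.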

Fix: you can regenerate the SSL certificates for a WebGate in SIMPLE mode by re-configuring the WebGate ($WEBGATE_HOME/oblix/tools/configureWebGate/configureWebGate -i [WebGate_Install_Dir] -t WebGate). More on re-configuring a 10g WebGate here.

Note: during WebGate configuration it will prompt for the WebGate password (if the WebGate is password protected) and the Global Passphrase.

  • If you don't remember the WebGate password, you can reset it from the OAM console (/oamconsole).
  • If you don't remember the Global Passphrase, you can retrieve it by running the WLST command displaySimpleModeGlobalPassphrase().


Note: if your OAM server is using JDK 1.6.24+ (higher than JDK 1.6.24), there is a bug in SSL certificate generation in SIMPLE mode which is fixed in WebGate 10.1.4.3 BP11A or higher (apply the latest WebGate Bundle Patch for 10.1.4.3, i.e. BP13, patch 17231077).

To find out your WebGate version click here, and to apply patches in OAM (including WebGate) click here.

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.
