Beware if you are running OAM in SIMPLE mode with a 10g WebGate: "Oracle AccessGate API is not initialized"

In today's post I am going to cover an issue encountered recently on Oracle Access Manager 11g with a 10g WebGate in SIMPLE mode, configured with OHS 11g.

First, for those who are new to OAM: Oracle Access Manager (OAM) is the recommended Single Sign-On (SSO) solution from Oracle. WebGate is an agent that acts as the Policy Enforcement Point (PEP) and is installed with the web server (OHS, IHS, IIS etc.). To know more about OAM 11g and its components, you can check my book at Amazon.

  • WebGate communicates directly with the OAM server's proxy port (5575) in OAM 11g (or with the Access System in OAM 10g) using the Oracle Access Protocol (OAP).
  • WebGate communicates with the OAM server in one of three modes:

a) OPEN – Communication between WebGate and OAM is in clear text
b) SIMPLE – Communication between WebGate and OAM is secured (SSL) using Oracle-signed certificates
c) CERT – Communication between WebGate and OAM is secured (SSL) using certificates from a recognised certificate authority (like VeriSign)

To change the OAM/WebGate communication mode, check my post here.

When WebGate is installed and configured in SIMPLE or CERT mode, the certificates for the SSL communication between WebGate and OAM 11g (OAP over SSL) are generated and stored on the OAM server (at $DOMAIN_HOME/output/[WebGate_ID]) and on the web server (at $WEBGATE_HOME/oblix/config/simple/aaa_cert.pem and aaa_key.pem).

  • If your WebGate version is 10g and the mode is SIMPLE, the validity of the certificate on the WebGate side is just 1 year.
  • To view the certificate validity on the WebGate side, open aaa_cert.pem (you can change the extension to CER and open it on Windows to see the certificate's valid-till date).
  • During WebGate configuration, this certificate is generated using the configuration files $WEBGATE_HOME/oblix/tools/openssl/openssl.cnf and openssl_silent.cnf (default_days = 365), which define the validity period as 1 year.
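As an added check (not part of the original post), the Python below reads the notBefore/notAfter window straight out of aaa_cert.pem with a minimal DER walker, so it runs offline with no extra libraries and can be dropped into a monitoring job that warns before the 1-year validity runs out. On a real host, `openssl x509 -noout -enddate -in aaa_cert.pem` (or `-checkend <seconds>`) does the same job. The embedded certificate is constructed here with a dummy signature purely to exercise the parser; it is not a real WebGate certificate, and its dates (configured 30 Aug 2012, expiring 30 Aug 2013) are chosen to mirror the timeline in this post.

```python
"""Read the validity window of a WebGate SIMPLE-mode certificate (aaa_cert.pem)."""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at *pos*; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> dt.datetime:
    """Decode an X.509 Time: UTCTime (tag 0x17) or GeneralizedTime (tag 0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime is YYMMDDHHMMSSZ; RFC 5280 pivot at 50
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        text = f"{year}{text[2:]}"
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the first certificate."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def cert_validity(pem: str):
    """Return (notBefore, notAfter) as aware UTC datetimes."""
    _, cert, _ = _read_tlv(pem_to_der(pem), 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0              # skip optional [0] EXPLICIT version
    for _ in range(3):                           # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)         # validity ::= SEQUENCE { notBefore, notAfter }
    tag_b, before, pos = _read_tlv(validity, 0)
    tag_a, after, _ = _read_tlv(validity, pos)
    return _parse_time(tag_b, before), _parse_time(tag_a, after)


def days_remaining(pem: str, as_of: str) -> int:
    """Whole days from *as_of* (YYYY-MM-DD, UTC) until notAfter; negative once expired."""
    now = dt.datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=UTC)
    _, not_after = cert_validity(pem)
    return (not_after - now).days


# --- constructed sample certificate: toy structure with a dummy signature, NOT a real WebGate cert ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_pem(not_before: str, not_after: str) -> str:
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    alg = seq(_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))      # sha256WithRSAEncryption OID
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                             # [0] version v3
        _tlv(0x02, b"\x01"),                                         # serialNumber
        alg,                                                         # signature algorithm
        seq(),                                                       # issuer (empty Name)
        seq(_tlv(0x17, not_before.encode()), _tlv(0x17, not_after.encode())),  # validity
        seq(),                                                       # subject (empty Name)
        seq(alg, _tlv(0x03, b"\x00")),                               # subjectPublicKeyInfo (dummy)
    )
    cert = seq(tbs, alg, _tlv(0x03, b"\x00"))                        # dummy signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Mirrors the post: configured 2012-08-30 with default_days = 365 -> expires 2013-08-30.
SAMPLE_PEM = _sample_pem("120830093407Z", "130830093407Z")

if __name__ == "__main__":
    nb, na = cert_validity(SAMPLE_PEM)
    print("notBefore:", nb, " notAfter:", na)
    for day in ("2013-08-01", "2013-09-01"):
        print(f"days remaining on {day}:", days_remaining(SAMPLE_PEM, day))
```

To run it against a live WebGate, replace SAMPLE_PEM with the contents of $WEBGATE_HOME/oblix/config/simple/aaa_cert.pem and alert when `days_remaining` drops below your renewal lead time.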

Now coming to the actual issue: exactly 1 year after the OAM setup (OAM 11g with 10g WebGate in SIMPLE mode), the OHS servers started reporting the following errors (OHS 11g logs are at $ORACLE_INSTANCE/diagnostics/OHS/ohs1/):

_________

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526#01116568#011ACCESS_GATE#011FATAL#0110x0000181C#011/scratch/alnguyen/Oblix/10143hf/palantir/webgate2/src/apache2entry_web_gate.cpp:434#011"Oracle AccessGate API is not initialized."#011raw_code^204#011

Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526#01116568#011ACCESS_GATE#011FATAL#0110x0000181C#011/scratch/alnguyen/Oblix/10143hf/palantir/webgate2/src/apache2entry_web_gate.cpp:434#011"Oracle AccessGate API is not initialized."#011raw_code^204#011

________

Note: This error is generic and means that, for some reason, WebGate is unable to initialize with the OAM server.

In the OAM logs ($DOMAIN_HOME/servers/[OAM_SERVER]/logs) I noticed messages like:

______

29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c clientResponse: ef1560bd753f98a4e164440960852573

______

I then looked at the SSL certificates on the WebGate side and noticed the certificate had expired.
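The two log signatures above are worth alerting on together, because the OHS message alone is generic while the OAM "Simple Mode HandShake" mismatch narrows it to the certificate exchange. The following triage helper is an added example, not part of the original post: it parses WebGate (Oblix) lines from the OHS log and SEVERE lines from the OAM server log, keeps only the two signatures, and returns a verdict pointing at aaa_cert.pem when both are present. The sample log lines are constructed from the excerpts quoted above; the host name and source path in them are placeholders.

```python
"""Triage the WebGate FATAL in the OHS log together with the OAM SIMPLE-mode handshake mismatch."""
import datetime as dt
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WebGate (Oblix) entry in the OHS log: fields separated by #011 (an escaped tab),
# timestamp as 2013/08/30@09:34:07.384935, message in double quotes after the source location.
OHS_RE = re.compile(r"Oblix: (\d{4}/\d{2}/\d{2})@(\d{2}:\d{2}:\d{2})\.\d+.*?\"([^\"]*)\"")
RAW_CODE_RE = re.compile(r"raw_code\^(\d+)")
# OAM server entry: "29-Aug-2013 20:07:15 <logger> severe SEVERE: <message>"
OAM_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) .*? SEVERE: (.*)$")

WEBGATE_NOT_INITIALIZED = "Oracle AccessGate API is not initialized"
SIMPLE_MODE_MISMATCH = "Simple Mode HandShake: Mismatch in Client Response"


@dataclass
class Finding:
    source: str                     # "ohs" or "oam"
    when: dt.datetime
    message: str
    raw_code: Optional[str] = None  # WebGate raw_code, when the line carries one


def parse_ohs(line: str) -> Optional[Finding]:
    """Return a Finding for a WebGate Oblix line, or None for anything else."""
    m = OHS_RE.search(line)
    if not m:
        return None
    when = dt.datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
    code = RAW_CODE_RE.search(line)
    return Finding("ohs", when, m.group(3), code.group(1) if code else None)


def parse_oam(line: str) -> Optional[Finding]:
    """Return a Finding for a SEVERE OAM server line, or None for anything else."""
    m = OAM_RE.match(line)
    if not m:
        return None
    when = dt.datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return Finding("oam", when, m.group(2))


def triage(ohs_lines: List[str], oam_lines: List[str]) -> Tuple[List[Finding], str]:
    """Keep only the two signatures and derive a verdict from which of them are present."""
    findings = [f for f in map(parse_ohs, ohs_lines)
                if f and WEBGATE_NOT_INITIALIZED in f.message]
    findings += [f for f in map(parse_oam, oam_lines)
                 if f and SIMPLE_MODE_MISMATCH in f.message]
    webgate_down = any(f.source == "ohs" for f in findings)
    handshake_failed = any(f.source == "oam" for f in findings)
    if webgate_down and handshake_failed:
        verdict = ("WebGate cannot initialize and the OAM server rejects the SIMPLE-mode "
                   "handshake: check the validity of aaa_cert.pem on the WebGate host")
    elif webgate_down:
        verdict = "WebGate cannot initialize: review the OAM server logs for the cause"
    else:
        verdict = "no WebGate initialization failures found"
    return findings, verdict


# Constructed sample lines modelled on the excerpts in the post (placeholder host and path).
OHS_SAMPLE = [
    "Message from OHS Host at Aug 30 09:34:07 ... Oblix: 2013/08/30@09:34:07.384935#01116526#01116568"
    "#011ACCESS_GATE#011FATAL#0110x0000181C#011/path/to/webgate2/src/apache2entry_web_gate.cpp:434"
    '#011"Oracle AccessGate API is not initialized."#011raw_code^204#011',
    "Message from OHS Host at Aug 30 09:35:00 ... Oblix: 2013/08/30@09:35:00.000001#01116526#01116568"
    '#011ACCESS_GATE#011INFO#0110x00000000#011/path/to/webgate2/src/example.cpp:1#011"Unrelated message."#011',
]
OAM_SAMPLE = [
    "29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: "
    "Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c "
    "clientResponse: ef1560bd753f98a4e164440960852573",
    "29-Aug-2013 20:07:16 oracle.security.am.engines.common.adapters.OAMLoggerImpl info INFO: Unrelated message",
]

if __name__ == "__main__":
    found, verdict = triage(OHS_SAMPLE, OAM_SAMPLE)
    for f in found:
        print(f.source, f.when, f.raw_code or "", f.message)
    print("verdict:", verdict)
```

Feed it the tail of the OHS instance log and of the OAM managed-server log; the verdict only says where to look next, and the certificate check itself is what confirms the cause.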

Fix: You can regenerate the SSL certificates for a WebGate in SIMPLE mode by re-configuring the WebGate ($WEBGATE_HOME/oblix/tools/configureWebGate/configureWebGate -i [WebGate_Install_Dir] -t WebGate). More on re-configuring a 10g WebGate here.

Note: During WebGate configuration, it will prompt for the WebGate password (if the WebGate is password protected) and the Global Passphrase.

  • If you don't remember the WebGate password, you can reset it from the OAM console (/oamconsole).
  • If you don't remember the Global Passphrase, you can retrieve it by running the WLST command displaySimpleModeGlobalPassphrase().

Note: If your OAM server is using JDK 1.6.24+ (higher than JDK 1.6.24), there is a BUG in SSL certificate generation in SIMPLE mode which is fixed in WebGate 10.1.4.3 BP 11A or higher (apply the latest WebGate Bundle Patch for 10.1.4.3, i.e. BP13 17231077).

To find out your WebGate version click here, and to apply patches in OAM (including WebGate) click here.


About the Author Masroof Ahmad