In todays’s post I am going to cover issue encountered recently on Oracle Access Manager 11g with WebGate 10g in SIMPLE mode configured with OHS 11g.
First for those who are new to OAM, Oracle Access Manager (OAM) is recommended Single Sign-On (SSO) solution from Oracle, WebGate is a Agent that acts as Policy Enforcement Point (PEP) and installed with WebServer (OHS, IHS, IIS etc). To know more about OAM 11g and its components, you can check my book at Amazon
a) OPEN – Communication between WebGate and OAM is in clear text
b) SIMPLE – Communication between WebGate and OAM is secured (SSL) but using Oracle signed certificates
c) CERT – Communication between WebGate and OAM is secured (SSL) but using recognised certificate signing authority (like verisign)
To change OAM/WebGate communication mode, check my post here
When WebGate is installed and configured in SIMPLE or CERT mode , for SSL communication between WebGate and OAM 11g (using OAP with SSL) certificates are generated and stored in OAM Server (at $DOMAIN_HOME/output/[WebGate_ID]) and Web Server (at $WEB_GATE_HOME/oblix/config/simple/aaa_cert.pem and aaa_key.pem)
_________
Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935 #01116526#01116568# 011ACCESS_GATE#011FATAL#0110x0000181C #011/scratch/alnguyen /Oblix/10143hf/palantir/ webgate2/src/ apache2entry_web_gate.cpp :434#011 “Oracle AccessGate API is not initialized.”#011raw_code^204#011
Message from OHS Host at Aug 30 09:34:07 … Oblix: 2013/08/30@09:34:07.384935#01116526 #01116568#011ACCESS_GATE #011FATAL#0110x0000181C #011/scratch/alnguyen /Oblix/10143hf/palantir /webgate2/src/ apache2entry_web_gate.cpp :434#011 “Oracle AccessGate API is not initialized.”#011raw_code^204#011
________
Note: This error is generic and means for some reason WebGate is unable to initialize with OAM Server.
In OAM Logs $DOMAIN_HOME/servers/[OAM_SERVER]/logs , I noticed messages like
______
29-Aug-2013 20:07:15 oracle.security.am.engines.common.adapters.OAMLoggerImpl severe SEVERE: Simple Mode HandShake: Mismatch in Client Response. expectedResponse: eb8d218676b5f81a5b8fb4a52902157c clientResponse: ef1560bd753f98a4e164440960852573
______
I then looked at SSL certificates at WebGate and noticed certificate was expired .
Fix: You can regenerate SSL certificates for WebGate in SIMPLE mode by re-configuring WebGate ($WEBGATE_HOME/oblix/tools/configureWebGate/ configureWebGate -i [WebGate_Install_Dir] -t WebGate). More on re-configure 10g WebGate here
Note: During WebGate configuration, it will prompt for WebGate Password (if WebGate is password protected) and Global Passphrase.
Note: If your OAM Server is using JDK 1.6.24+ (higher than JDK 1.6.24) then there is BUG in SSL certificate generation in SIMPLE mode which is fixed in WebGate 10.1.4.3 BP 11A or higher (Apply latest WebGate Bundle Patch for 10.1.4.3 i.e. BP13 17231077)
To find out your WebGate version click here and to apply patches in OAM (including WebGate) click here
References/Related