Application configuration for OAM Integration

When you use the Oracle Access Manager Identity Asserter, every web.xml file in the application EAR file must specify CLIENT-CERT in the auth-method element for the appropriate realm.

You can add comma-separated values here when you want applications accessed directly over the WebLogic Server host:port to be authenticated by the container as well. For instance:

<auth-method>CLIENT-CERT,FORM</auth-method>

The auth-method element can take the values BASIC, FORM, or CLIENT-CERT. Although these look like similar values in Oracle Access Manager, the auth-method specified in web.xml is interpreted by Oracle WebLogic Server, not by Oracle Access Manager.
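As an added example (not part of the original post), a Python check that audits every WAR inside an EAR for the CLIENT-CERT requirement described above. The EAR it inspects is constructed in memory, and the WAR names and realm name are made up:

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed web.xml skeleton used only to build the sample EAR below.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>{method}</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>"""

def auth_methods(web_xml_bytes):
    """Tokens of <auth-method>, comma-split and upper-cased; namespace-agnostic."""
    root = ET.fromstring(web_xml_bytes)
    methods = set()
    for el in root.iter():
        if el.tag.rsplit('}', 1)[-1] == 'auth-method' and el.text:
            methods.update(t.strip().upper() for t in el.text.split(',') if t.strip())
    return methods

def audit_ear(ear_bytes):
    """Map each WAR in the EAR to True/False (CLIENT-CERT present?) or None (no web.xml)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        for name in ear.namelist():
            if not name.lower().endswith('.war'):
                continue
            with zipfile.ZipFile(io.BytesIO(ear.read(name))) as war:
                if 'WEB-INF/web.xml' not in war.namelist():
                    results[name] = None
                    continue
                results[name] = 'CLIENT-CERT' in auth_methods(war.read('WEB-INF/web.xml'))
    return results

def build_sample_ear(wars):
    """Constructed sample: wars maps a made-up WAR name to its auth-method text (None = no web.xml)."""
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, 'w') as ear:
        for war_name, method in wars.items():
            war_buf = io.BytesIO()
            with zipfile.ZipFile(war_buf, 'w') as war:
                if method is not None:
                    war.writestr('WEB-INF/web.xml', WEB_XML_TEMPLATE.format(method=method))
            ear.writestr(war_name, war_buf.getvalue())
    return ear_buf.getvalue()
```

A WAR reported as False will not be authenticated by the Identity Asserter; a None entry has no login-config at all and needs a manual look.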

How do you hide the format override field on the check-in page for some users using Profiles and Rules?

Create a Profile Rule that uses a “rule activation condition” with a defined Side Effect, following these steps:

  1. Open the Configuration Manager admin applet.
  2. Select the Rules tab.
  3. Select the Add button.
  4. Enter a desired name and description.
  5. Select the check-box for “Is global rule with priority” and set its desired priority number.
  6. Select the check-box for “Use rule activation condition”.
  7. Select the Edit button.
  8. Add a condition with a desired name (e.g. “1”).
  9. On the condition’s General tab, select the Use action checkboxes for “Check in New” and “Check in Selected”.
  10. On the condition’s Clauses tab, select a Field of “Type”, an Operator of “Matches”, and a Value of “<desired dDocType>”.
  11. On the Clauses tab, select the Add button.
  12. On the condition’s Side Effects tab, paste the following. The conditional statement can be any of the IDOC security checks (userHasRole, userHasAccessToAccount, or userHasGroupPrivilege) or another function suitable for the purpose. This example allows only users with the admin role to set the override format.
    <$if not userHasRole("admin")$>
       <$IsOverrideFormat=false$>
    <$endif$>
  13. Select the OK button on the Side Effects tab.
  14. Select the OK button on the Rule.

Identity and Trust Keystores

When you configure SSL, you must decide how identity and trust will be stored. Although one keystore can be used for both identity and trust, Oracle recommends separate keystores for identity and for trust, because the identity keystore (private key/digital certificate pairs) and the trust keystore (trusted CA certificates) may have different security requirements.

How WebLogic Server Locates Trust

WebLogic Server uses the following algorithm when it loads its trusted CA certificates:

  1. If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore command-line argument, load the trusted CA certificates from that keystore.
  2. Else if the keystore is specified in the configuration file (config.xml), load trusted CA certificates from the specified keystore. If the server is configured with DemoTrust, trusted CA certificates will be loaded from the WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
  3. Else if the trusted CA file is specified in the configuration file (config.xml), load trusted CA certificates from that file (this is only for compatibility with 6.x SSL configurations).
  4. Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.

How to read a cwallet.sso file

$MW_HOME/oracle_common/bin/orapki wallet display -wallet ~/cwallet.sso

Sample:

[oracle@wcsoa bin]$ ./orapki wallet display -wallet /webdata/Oracle/admin/wcsoadomain/aserver/wcsoadomain/config/fmwconfig/bootstrap/cwallet.sso
Oracle PKI Tool : Version 11.1.1.7.0
Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.

Requested Certificates:
User Certificates:
Oracle Secret Store entries:
BOOTSTRAP_JPS@#3#@bootstrap_9m1kYn8KpxCStfqBmSxQFhIXQHs=
fks@#3#@current.key
fks@#3#@master.key.0
fks@#3#@master.key.0.base64
IntegrityChecker@#3#@kss
Trusted Certificates:
Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Get WebLogic Server plugin version

strings mod_wl.so | grep -i wlsplugins

Sample response:

WLSPLUGINS_11.1.1.7.0_SOLARIS.X64_130212.0859
WLSPLUGINS_11.1.1.7.0_SOLARIS.X64_130212.0859
WebLogic Server Plugin version 1.1 <WLSPLUGINS_11.1.1.7.0_SOLARIS.X64_130212.0859>