Wednesday, February 9, 2011

Certificate X509 Authentication in OAM 11g

From Brian:  I'm adding this excellent post by Matt to our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

Continuing on the OAM 11g theme, here's an overview of setting up X.509 Authentication in OAM 11g and contrasting it to OAM 10g.

OAM 11g as you already know is hosted on WebLogic. The Credential Collection modules are also on the app tier, which is a departure from OAM 10g model where credentials are collected at the web tier. This essentially means that you have to configure the OAM managed server to prompt for client certificates to perform OAM authentication in 11g, where in 10g you had to configure the web server to prompt the certs. I'll give you a quick overview of how this is done. I'm going to assume some level of understanding in creating the JKS and having certificates issued.

Assuming you are still using the Demo Identity and Trust stores, I recommend creating your own "Custom" stores. I used OpenSSL to create a Certificate Authority (CA), where I issued a server cert for the WebLogic server with FQDN of the server as the CN. I also issued a couple of client certificates to represent the end users. In the WebLogic console of the IAM domain, edit the settings of oam_server1 (assuming you kept default naming) to use the JKS of the domain for identity and trust.




In the SSL tab, I like to disable the Hostname Verification module. The important part is setting Two-Way SSL to "Client Certs Requested but not Enforced".



Restart oam_server1 to have these changes take effect.

Now browse to your OAM Console and under Authentication Modules, create the mapping of the Certificate attribute with the LDAP attribute. I disabled cert validation and put in a dummy OCSP to satisfy the application checking for valid URL.



Now you can use the existing X509Auth Scheme (as is) in authentication policies. Import the CA cert into your trusted authority store on your browser and your client certs in your personal store and test away. You can come into the app over HTTP. You'll be redirected to the HTTPS port of the credential collector and then back to HTTP.

The things I question about this implementation are having to go directly to the app tier for cred collection. Many customers don't want this tier exposed to the outside. Another concern is that once you turn on the certs optional setting, you get the cert prompt even if you're doing UN/P authentication.

24 comments:

  1. Matt -

    In your setup, did you have to create a policy for the "/oam" url? When I test this out in my environment I am getting an error, "An incorrect Username or Password was specified" before I am prompted for a certificate.

    Brad

    ReplyDelete
  2. Brad,

    No, there were no policies against /oam in my env. I don't run the credential collector through the proxy, but rather, direct from client to app tier. Are you using an attribute other than CN? I saw the same error message if the attributes don't align. I couldn't get the mail attribute to work either. mkc

    ReplyDelete
  3. Matt:

    We are implementing x509 authentication on OAM 11g. Before X509 implementation, we need to implement SSL on OAM(weblogic and OAM). Please advise

    Sudheer

    ReplyDelete
  4. Sudheer,

    You have the option of setting up the OAM managed server (WebLogic) as described here, or on a web tier proxying for the OAM managed server. You need to have the client certificate presented at the time of the redirect to the credential collector.

    ReplyDelete
  5. Thank You Matt...!!

    Inorder to implement x509 authentication with OAM 11g. We need only follwoing componenets needs to be configured?or need other compoenents also.


    Oracle Access Manager
    Oracle Authorization Policy Manager

    Please advise

    Regards
    Sudheer

    ReplyDelete
  6. Sudheer,

    You only need OAM. Assuming you're running 11.1.1.5, Authorization Policy Manager (APM) has converged into OES 11g, which focuses on authorization.

    Matt

    ReplyDelete
  7. Hi Brian,

    When we do certificate authentication X509 module only maps a certificate to a user in LDAP. But I am looking for a way to match the public key stored in LDAP server with the public key passed from user browser as sometime the user certificate does not have any mapping field. Is it something configurable or do we need to write a custom plugin.

    Sasi

    ReplyDelete
  8. Matt,

    We want to setup smart card authentication with OAM 11g and i was told by Oracle Support that i just need to configure x509 based authentication and the user's certificate will be read from the smart card (CAC )? Can you please give some insights on this? Our environment has webtier and backend weblogic servers, so i assume i would need to install webgate on webtier?

    ReplyDelete
  9. Sasi,

    You may be better off trying to use the LDAPX509IdentityAsserter provider in WebLogic.

    Matt

    ReplyDelete
  10. Ali,

    You will need a PEP (WebGate) somewhere. I recommend putting it on the WebTier. The request for a resource that requires CAC will be redirected to the X.509 credential collector. At that point, you will need to configure the server to prompted the client for the CAC certificate. Cred collector will parse the cert and compare the attributes.

    ReplyDelete
  11. Thanks Matt.

    Could you point me to steps for " At that point, you will need to configure the server to prompted the client for the CAC certificate."

    The procedure for PEP will be on the online documentation right?

    ReplyDelete
  12. Yes, start with http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/webgate.htm#CACEAEIE.

    ReplyDelete
  13. Matt -

    Have you done any additional work with this? I am trying to determine what other attributes from a cert I can use. Specifically, I am hoping to use something under Subject Alt Name.

    Thanks,
    Brad

    ReplyDelete
  14. Brad, is Cert.Subj Alt Name the same as email in your case?

    ReplyDelete
  15. Matt -

    We have a couple of attributes under Subj Alt Name that I'd like to potentially use. Were you able to get mail to work? I am noticing in my logs that the address is getting prepended with some additional characters, "AILADDRESS=brad.tumy@..." ...but the characters seem to be truncated. CN works fine and doesn't add any additional characters onto the value. Curious about your experience.

    Thanks,
    Brad

    ReplyDelete
  16. Brad, Now that you mention it, I do remember having problems trying to map to email attribute in 11.1.1.3. I switched to CN and haven't engaged it since.

    ReplyDelete
  17. Matt,

    We have implemented SSO with cert authentication using webgate 10g on Apache. Now we are moving to another data center and there we have to use an F5 LB infront of Apache. Will this need a change in the way authentication is working with webgate? Or the setup as is will work?

    ReplyDelete
  18. @Brad Tumy

    I've been configuring X509 authentication with OAM 11.1.1.3 over the past few days.

    I had some issues with User resolution (logged as could not find user) which led me to decompile the associated Java archives.

    According to the source, SubjectAltName is not supported. The following are valid as values for the X509 Cert Attribute field:

    - subject.dn (the entire subject DN)
    - issuer.dn (the entire issuer DN)
    - certificate (the ASN.1 certificate binary, interpreted as a String using platform encoding)
    - subject.<> (replace <> with a DN component name)
    - issuer.<> (replace <> as above)

    When specifying the DN component name, use uppercase letters. For instance, use subject.CN for the Subject common name component.

    Clearly, I can't make any claims as to how this has changed in newer releases (> 11.1.1.3).

    PS. The pre-pended values you are seeing are because the Subject DN doesn't contain a "SubjectAltName" component and as such the DN string search is starting from a negative index (-1) returned by the Java String.indexOf() method.

    ReplyDelete
  19. @Brad

    I had some similar issues.

    I decompiled the Java files provided with OAM 11.1.1.3.

    SubjectAltName is not a valid value in the X509 Cert Attribute field.

    Fortunately for you, your X509 issuer appears to be using the legacy SubjectDN EmailAddress attribute, so you should be able to use 'subject.EMAILADDRESS'

    FYI, the following are valid values for X509 Cert Attribute field:

    - subject.dn
    - issuer.dn
    - certificate
    - subject.<> (where <> is a DN component name, like DNQ or CN)
    - issuer.<> (as above).

    Make sure you use upper case with the component names (actually.

    Don't use 'certificate' as the implementation uses a Java String interpretation of the certificates ASN.1 encoded binary value. The particular conversion uses the platform character encoding rather than base64, so the value won't make sense if used in a heterogeneous environment.

    All this is with the 11.1.1.3 code, so this may have changed with newer releases.

    ReplyDelete
  20. Anyone knows what is the valid values for x509 Cert Attribute in 11.1.1.5? Our environment is 11.1.1.5, and we would like to use email to mapping oim user with certificate.

    ReplyDelete
  21. For those who aren't in the know, the converted String value of the Subject DN used by OAM is logged if you turn ODL levels up to TRACE. It will be printed in the diagnostics log.

    In 11.1.1.3 on RHEL5, conversion of the dnQualifier AVA to a String value results in ?=.

    I know that the standard Java libraries (I'm using 6u23) support conversion of the dnQualifier OID (I've written sample code), so OAM may (must?) be using a different set of classes for conversion of the X500/X509 AttributeTypes.

    Anyone know if this is the case?

    ReplyDelete
  22. We've been struggling with this problem with OAM for some time now-

    The "CertificateAuthFallback" parameter in 10g SSO provided the ability to fallback to FORM-based authentication if the user had no certificate.

    Is this same functionality available in 11g OAM? If not, is it possible to develop a custom module to provide it?

    ReplyDelete
  23. I have read someones had decompiled the java files for OAM X509 mapper in 11.1.1.3.
    I'd need to do the same to 11.1.1.5 and i do not know what are those files. can anyone tell me those in 11.1.1.5 or in 11.1.1.3?
    i try to get subjectAltName.OTHER_NAME work for CAC as claimed in 11.1.1.5 doc.

    ReplyDelete
  24. Zonggan: You shouldn't need to decompile the code. If the information you need isn't in the docs please open an SR and we'll get someone to properly document it!

    ReplyDelete

Note: Only a member of this blog may post a comment.