We discussed the expiration of this cert already in this post. I never thought I would see this problem again. Ahhh, was I wrong. When upgrading from COREid 7 to OAM 10, the 10.1.4.0.1 upgrade drops the old (now expired) root CA over the updated ones.
If you keep the faith and keep going, the 10.1.4.3 patch set replaces it with the new one, which is good until 2024.
Showing posts with label Simple Mode. Show all posts
Thursday, November 25, 2010
Wednesday, April 28, 2010
Will your OAM installation fail in July 2010?
Is your OAM installation set up in simple mode? Then chances are your installation is going to break on July 25, 2010. You may have heard a faint ticking every time you got near one of your OAM machines, but never had a chance to figure out where this impending failure was going to come from. As you know, in simple mode OAM generates certificates for you using the simpleCA root CA (tools\openssl\simpleCA). This root certificate is also used to complete the chain of trust when establishing SSL connections.
But did you know that root CA certificates expire? The OAM simpleCA root certificate expires Jul 25 18:03:57 2010 GMT, after which your OAM components will no longer be able to communicate with each other.
How do I fix this?
Luckily the fix is extremely easy.
If you have an account for support.oracle.com, log in and search for ID 811105.1, which will instruct you to download a new cacert.pem and place it in all your simpleCA folders. Don't forget to include any AccessSDK installations, and make sure the new cacert.pem has the correct permissions.
If you don't have an account with support.oracle.com, then the release notes (bug 8556756) for OAM have instructions for extending the life of the Simple mode certificate. Once extended you can copy the new cacert.pem everywhere that it's needed and restart all components.
How do I know if I am affected?
You can browse to tools\openssl and use the openssl command to check the expiration date of the certificate.
openssl.exe x509 -in simpleCA\cacert.pem -noout -enddate
notAfter=Jul 25 18:03:57 2010 GMT
Oracle says the expiration date is July 5th, 2010 in their release notes. What is the real date?
Yes, it does say that, and we're not sure why. Feel free to update your cacert.pem prior to July 5th - no need to wait until the last minute.
What errors might I see if I did nothing?
WebGate protected pages will say they can't contact the access server.
You may see webgate errors like
2010/07/26@18:03:00.718000 3728 3240 CONN_MGMT ERROR 0x00001C08 \Oblix\coreid\palantir\aaa_client\src\watcher_thread.cpp:84 "NAP initialization failed"
2010/07/26@18:03:00.718000 3728 3256 CONFIG INFO 0x0000182C \Oblix\coreid\palantir\access_api\src\obconfig.cpp:865 "ObAccessException_ENGINE_DOWN" raw_code^301
or if your certificate permissions are wrong
2010/07/26@18:04:59.796000 3712 300 ACCESS_SDK FATAL 0x0000181C \Oblix\coreid\palantir\access_api\src\obconfig.cpp:422 "ObAccessException_NOT_INITIALIZED" raw_code^204
2010/07/26@18:04:59.796000 3712 300 ACCESS_GATE FATAL 0x00001520 \Oblix\coreid\palantir\webgate2\src\iisentry_web_gate.cpp:183 "Exception thrown during WebGate initialization" Error^Oracle AccessGate API is not initialized.
Sunday, April 16, 2006
Simple Mode Cert Regeneration (Access)
When simple mode certificates are going to expire, they need to be regenerated so the component(s) that have the old certificates can still communicate with other COREid components. The method for regenerating certificates varies between the COREid Access and Identity Systems. The Access Server, WebGate and AccessGate components all use the configuration tool relevant to their install. These are as follows:
- <coreid_install_dir>\oblix\tools\configureAAAServer
- <coreid_install_dir>\oblix\tools\configureWebGate
- <coreid_install_dir>\oblix\tools\configureAccessGate
Access Server
configureAAAServer reconfig "c:\Program Files\coreid\access"
WebGate
configureWebGate -i "c:\Program Files\coreid\WebComponent\access" -t WebGate -R
AccessGate
configureAccessGate -i "c:\Program Files\coreid\WebComponent\access" -t AccessGate -R
Restart the COREid component to get it to bind to its TCP/IP port with the new certificate.
See Also: Simple Mode Cert Regeneration (Identity)
Simple Mode Cert Regeneration (Identity)
When simple mode certificates are going to expire, they need to be regenerated so the component(s) that have the old certificates can still communicate with other COREid components. The method for regenerating certificates varies between the COREid Access and Identity Systems. The Identity Server and WebPass (and Access Manager too) have a utility called gencert. The gencert utility is located in:
<coreid_install_dir>\oblix\tools\gencert
To use the tool to regenerate certificates, execute gencert as follows:
gencert.exe "c:\Program Files\COREid\identity"
OR
gencert.exe "c:\Program Files\COREid\WebComponent\identity"
Restart the COREid component to get it to bind to its TCP/IP port with the new certificate.
See also: Certificate Expiration Dates #2
Tuesday, April 4, 2006
Simple Mode Certificate Duration
By default, Oracle COREid simple mode certificates are issued for 1 year (365 days). If you would prefer a different expiration time you can change the setting that controls the certificate's duration. There are two files that control the duration, each used depending on the certificate (re)generation situation. I think it is best to just change both files to cover your bases.
- <coreid_install_dir>/oblix/tools/openssl/openssl.cnf
- <coreid_install_dir>/oblix/tools/openssl/openssl_silent.cnf
Both contain the line:
default_days = 365 # Duration to certify for
Change this to the desired number and regenerate your simple mode certificate. Keep in mind that a larger default_days means fewer regeneration cycles, but also a longer window in which a compromised key stays trusted.
Wednesday, March 29, 2006
Certificate Expiration Dates
Have you ever had a certificate expire and COREid components stop functioning on you? Once you figured out that it was a certificate you were like, "oh-oh, there might be a few more expiring in the next few minutes, hours, days, etc." This is one of those things that we mere mortals re-learn how to do once a year and then promptly forget immediately afterwards.
The openssl tool installed alongside each COREid component can be used to determine the valid dates for a certificate. The following example examines a self signed COREid certificate ("simple mode") . The same example holds true for all COREid components: Identity Server, Access Server, WebPass, WebGate and Access Manager (frequently installed alongside WebGate).
C:\>cd \Program Files\COREid\WebComponent\access\oblix\tools\openssl
C:\>openssl x509 -in ..\..\config\simple\aaa_cert.pem -noout -dates
notBefore=Mar 28 22:23:15 2005 GMT
notAfter=Mar 28 22:23:15 2006 GMT
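The openssl one-liners above (the -enddate check in the July 2010 post and the -dates check here) look at one certificate at a time. The script below is an added example, not code from the original posts: it walks one or more COREid/OAM install trees, finds every simpleCA cacert.pem and every config\simple\*_cert.pem, runs the same openssl command, and flags what is expired or about to expire, so the AccessSDK copies the support note warns about are not missed. The directory layout, the 30-day warning window and openssl being on the PATH are assumptions.

```python
"""Report expiry of every simple-mode certificate under one or more COREid/OAM installs.

Added example; not code from the original posts. It runs the same
`openssl x509 -in <pem> -noout -enddate` command the posts use and parses its
output. The directory layout it assumes is the one the posts describe:
  <install>\\oblix\\tools\\openssl\\simpleCA\\cacert.pem   (simpleCA root)
  <install>\\oblix\\config\\simple\\<component>_cert.pem   (per-component cert)
"""
import os
import re
import subprocess
from datetime import datetime, timedelta, timezone

# openssl prints e.g. "notAfter=Jul 25 18:03:57 2010 GMT"; single-digit days are
# space-padded ("Jul  5 ..."), so whitespace is normalised before parsing.
_NOT_AFTER = re.compile(r"^notAfter=(.+?)\s+GMT\s*$", re.MULTILINE)


def parse_not_after(openssl_output: str) -> datetime:
    """Turn the notAfter line openssl prints into an aware UTC datetime."""
    match = _NOT_AFTER.search(openssl_output)
    if not match:
        raise ValueError("no notAfter line in: %r" % openssl_output)
    stamp = " ".join(match.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """EXPIRED if already past, EXPIRING if within warn_days, otherwise OK."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def status_from_output(openssl_output: str, now_iso: str, warn_days: int = 30) -> str:
    """Classify raw openssl output against an ISO-8601 'now' (handy for testing)."""
    return classify(parse_not_after(openssl_output), datetime.fromisoformat(now_iso), warn_days)


def cert_end_date(pem_path: str, openssl: str = "openssl") -> datetime:
    """Ask openssl for the certificate's notAfter, exactly as the posts do by hand."""
    proc = subprocess.run(
        [openssl, "x509", "-in", pem_path, "-noout", "-enddate"],
        capture_output=True, text=True, check=True,
    )
    return parse_not_after(proc.stdout)


def find_simple_mode_certs(install_root: str):
    """Yield the simpleCA root and every component cert below install_root.

    AccessSDK installs carry their own tools\\openssl\\simpleCA, so pointing this
    at an SDK directory finds that copy too.
    """
    for dirpath, _dirs, files in os.walk(install_root):
        parent = dirpath.replace("\\", "/").lower()
        for name in files:
            if name == "cacert.pem" and parent.endswith("tools/openssl/simpleca"):
                yield os.path.join(dirpath, name)
            elif name.endswith("_cert.pem") and parent.endswith("config/simple"):
                yield os.path.join(dirpath, name)


def report(install_roots, now=None, warn_days: int = 30, openssl: str = "openssl"):
    """Return (path, notAfter or None, status) for each cert found, worst status first."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for root in install_roots:
        for pem in find_simple_mode_certs(root):
            try:
                end = cert_end_date(pem, openssl)
                rows.append((pem, end, classify(end, now, warn_days)))
            except (OSError, subprocess.CalledProcessError, ValueError) as exc:
                # unreadable file, openssl missing, or unparsable output: surface it,
                # since a cert you could not check is as bad as one you did not check
                rows.append((pem, None, "ERROR: %s" % exc))
    rank = {"EXPIRED": 0, "EXPIRING": 1, "OK": 2}
    rows.sort(key=lambda r: (rank.get(r[2], -1), r[1] or now))
    return rows


if __name__ == "__main__":
    import sys
    for path, end, status in report(sys.argv[1:] or [r"C:\Program Files\COREid"]):
        print("%-9s %s  %s" % (status, end.strftime("%Y-%m-%d") if end else "----------", path))
```

Run it with every install root you have (Access Server, Identity Server, WebPass, WebGate and any AccessSDK directory) as arguments; anything reported EXPIRED or EXPIRING needs the new cacert.pem or a regeneration with the tools described in the regeneration posts, followed by a restart of the component.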