Friday 6 July 2018

Migration/update default keystore of Oracle Identity Manager (OIM)

Product:

Oracle Identity Manager (OIM) - Version 11.1.2.3

Symptoms:

After upgrading the JDK to the latest version, security exceptions were seen in the SOA server logs after approving an access request in OIM.

Error message:
oracle.fabric.common.PolicyEnforcementException: FailedAuthentication : The security token cannot be authenticated.
Supplemental Detail      at oracle.fabric.common.AbstractSecurityInterceptor.processResult(AbstractSecurityInterceptor.java:180)
at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:95)

Caused by: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid.
oracle.wsm.security.policy.scenario.processor.Wss11X509TokenProcessor.verifyRequest(Wss11X509TokenProcessor.java:1166)

Cause:

The latest JDK enforces stricter security restrictions: it only accepts SHA2 signing algorithms, while the certificate in the OIM default keystore is not SHA2-signed, which triggers the exceptions above.

Solution:

The OIM default keystore needs to be migrated to SHA2 using the steps below:

List the details of the existing keystore:
-------------------------------------
cd $JAVA_HOME/jre/bin/
./keytool -list -v -keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-storepass <keystore-password>

Delete the existing “xell” and “xeltrusted” aliases:
-------------------------------------------------
$JAVA_HOME/jre/bin/keytool -delete \
-alias xeltrusted \
-keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-storepass <keystore-password>

$JAVA_HOME/jre/bin/keytool -delete \
-alias xell \
-keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-storepass <keystore-password>

Generate a new key pair:
----------------------
$JAVA_HOME/jre/bin/keytool -genkeypair \
-keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-keyalg RSA \
-sigalg SHA256withRSA \
-keypass <keystore-password> \
-storepass <keystore-password> \
-alias xell \
-dname "CN=myhost, OU=Identity, O=My Corporation,C=US" -keysize 2048

Export the self-signed certificate from the keystore:
------------------------------------------
$JAVA_HOME/jre/bin/keytool -exportcert -v \
-keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-alias xell \
-storepass <keystore-password> -rfc \
-file /tmp/cert.cer

Import the certificate exported above into the same keystore under the “xeltrusted” alias only:
-----------------------------------------------------------------------------------
$JAVA_HOME/jre/bin/keytool -importcert \
-keystore <DOMAIN_HOME>/config/fmwconfig/default-keystore.jks \
-alias xeltrusted \
-file /tmp/cert.cer \
-storepass <keystore-password> -noprompt
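As an added example (not from the original post and not Oracle's own tooling), here are the same keytool steps as one POSIX shell script that first keeps a backup copy of the keystore, then performs the migration and verifies that both aliases now carry a SHA256withRSA certificate. The function names, the `KEYTOOL` variable, the password and the DN are placeholders chosen here; on the OIM host set `KEYTOOL` to `$JAVA_HOME/jre/bin/keytool` and point the script at `<DOMAIN_HOME>/config/fmwconfig/default-keystore.jks`.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the keystore
# migration described above and verify the result. Assumes a JKS/PKCS12
# store whose key password equals the store password (as the post requires
# for the xell CSF entry). Function names, paths, password and DN are
# placeholders/constructed values.
set -eu

# On the OIM host: KEYTOOL="$JAVA_HOME/jre/bin/keytool" ./migrate.sh
KEYTOOL="${KEYTOOL:-keytool}"

# keystore_sigalg STORE PASS ALIAS
# Prints the signature algorithm of the certificate stored under ALIAS,
# or nothing if the alias does not exist (keytool's error text is filtered).
keystore_sigalg() {
    "$KEYTOOL" -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*//p' | head -n 1
}

# alias_is_sha2 STORE PASS ALIAS -> exit 0 if the alias is SHA-2 signed, else 1
alias_is_sha2() {
    case "$(keystore_sigalg "$1" "$2" "$3")" in
        SHA256*|SHA384*|SHA512*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# migrate_default_keystore STORE PASS DNAME
# Back up the store, drop the old xell/xeltrusted entries, generate a
# SHA256withRSA key pair as xell, and re-import its certificate as xeltrusted.
migrate_default_keystore() {
    ks="$1"; pass="$2"; dname="$3"
    cert="$(mktemp)"
    if [ -f "$ks" ]; then
        cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    fi
    for a in xeltrusted xell; do
        # -delete exits non-zero when the alias is absent (e.g. a fresh store)
        "$KEYTOOL" -delete -alias "$a" -keystore "$ks" -storepass "$pass" 2>/dev/null || true
    done
    "$KEYTOOL" -genkeypair -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -alias xell -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "$dname"
    "$KEYTOOL" -exportcert -keystore "$ks" -storepass "$pass" -alias xell -rfc -file "$cert"
    "$KEYTOOL" -importcert -keystore "$ks" -storepass "$pass" -alias xeltrusted \
        -file "$cert" -noprompt
    rm -f "$cert"
    # Post-condition: both aliases exist and carry a SHA-2 signed certificate.
    alias_is_sha2 "$ks" "$pass" xell && alias_is_sha2 "$ks" "$pass" xeltrusted
}

# Example invocation with placeholder values (uncomment on a real host):
# migrate_default_keystore "$DOMAIN_HOME/config/fmwconfig/default-keystore.jks" \
#     '<keystore-password>' 'CN=myhost, OU=Identity, O=My Corporation, C=US'
```

The post-condition check at the end is what the post's manual procedure lacks: it runs the same `keytool -list -v` the first step uses and confirms the migrated entries are SHA-2 signed before the OIM servers are restarted. As in the original commands, the store password is passed on the command line, so run the script from a shell with history disabled or supply the password via keytool's `-storepass:file` option if your JDK supports it.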

Post Migration Steps:
Now update the password of the private key (alias xell, i.e. <keystore-password>) in CSF using the EM console.
Note: if the new “xell” key was generated with the same password that the default keystore used before this change, you can skip this.
  1. Log in to the EM console.
  2. In Oracle Enterprise Manager, expand WebLogic Domain.
  3. Right-click the domain name, and select Security, Credentials. The Credentials page is displayed.
  4. In the Credential column, expand the “oim” map. Under the “oim” map there are two CSF keys named “xell”.
  5. Select the “xell” CSF key and click the “Edit” option. Update the password field with the password you provided for the <keystore-password> placeholder.
  6. Restart the OIM servers.
I hope this solution will definitely help you to fix the issue.

Thank you for referring to my blog, please post your comments for any queries/suggestions. Have a nice time :-)