Thursday, 27 July 2017

How to enable signature login in OIM 11g

Signature login in OIM 11g fails when the OIM server's default-keystore and the Remote Manager's certificate conflict. Follow the steps below to re-generate the Remote Manager certificate and update the default-keystore; after these updates, signature login works as expected.

Re-generate the remote manager certificate
------------------------------------------
NOTE: Use the keystore and key-entry passwords that you entered during the Remote Manager installation.

1. Back up the existing default-keystore.jks, xlserver.cert and xell.csr in the $REMOTE_MANAGER/config directory.

2. In a shell, change to the $REMOTE_MANAGER/config directory.

3. Generate a new keystore with a private key entry:

$JAVA_HOME/bin/keytool -genkey -alias xell -keyalg RSA -keysize 1024 -dname "CN=<COMMON_NAME>, OU=<OU>, O=<Org>, L=City, ST=NY, C=US" -validity 3650 -keypass <keypass> -keystore default-keystore.jks -storepass <storepass> -storetype jks -provider sun.security.provider.Sun

4. Generate a certificate request:

"C:\Program Files\Java\jdk1.6.0_43\bin\keytool.exe" -certreq -alias xell -file xell.csr -keypass <keypass> -keystore default-keystore.jks -storepass <storepass> -storetype jks -provider sun.security.provider.Sun

5. Export the certificate, then import it back into the same keystore as a trusted entry:

"C:\Program Files\Java\jdk1.6.0_43\bin\keytool.exe" -export -alias xell -file xlremote.cert -keypass <keypass> -keystore default-keystore.jks -storepass <storepass> -storetype jks -provider sun.security.provider.Sun

"C:\Program Files\Java\jdk1.6.0_43\bin\keytool.exe" -import -trustcacerts -alias xeltrusted -noprompt -keystore default-keystore.jks -file xlremote.cert -storepass <storepass>

Re-establish the trust relation between OIM server and Remote Manager
---------------------------------------------------------------------

1. In the OIM server's default-keystore.jks, located at $DOMAIN_HOME/config/fmwconfig/default-keystore.jks, remove the existing entry for the Remote Manager, i.e. the "rm_trusted_cert" alias:

$JAVA_HOME/bin/keytool -delete -alias rm_trusted_cert -keystore default-keystore.jks -storepass <SERVER-KEYSTORE-PASSWORD>

2. Re-import the Remote Manager certificate exported earlier (xlremote.cert) into the server keystore:

$JAVA_HOME/bin/keytool -import -trustcacerts -alias rm_trusted_cert -noprompt -keystore default-keystore.jks -file <ABSOLUTE_PATH_OF_CERT> -storepass <SERVER-KEYSTORE-PASSWORD>


Validation
----------

1. Test that OIM server signature login works properly.

2. Test that OIM server <-> Remote Manager communication and functionality work properly.
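As an added check for this validation step (example code written for this page, not from the original post or from Oracle): the script below compares the SHA1 fingerprint of the Remote Manager's "xell" key entry with the fingerprint of the "rm_trusted_cert" entry in the OIM server keystore, parsed from the output of keytool -list -v. If the two differ, the server still trusts the old certificate and the trust relation is not re-established. The listings embedded in the script are constructed samples; the check_live function, with its keystore paths and passwords, is an assumed usage that needs keytool on the PATH and is not something the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the trusted entry the
# OIM server keeps for the Remote Manager ("rm_trusted_cert") carries exactly the
# certificate behind the Remote Manager's own key entry ("xell"). A stale entry is
# the certificate conflict that breaks signature login. The aliases come from the
# post; the listings below are constructed samples of "keytool -list -v" output.

# fingerprint_of ALIAS LISTING: print the SHA1 fingerprint shown under ALIAS in a
# "keytool -list -v" listing (prints nothing if the alias is absent).
fingerprint_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        /SHA1: / && cur == want { print $2; exit }
    '
}

# trust_matches RM_LISTING SERVER_LISTING: print "ok" when both fingerprints agree,
# otherwise a "mismatch: ..." line showing both values.
trust_matches() {
    rm_fp=$(fingerprint_of xell "$1")
    srv_fp=$(fingerprint_of rm_trusted_cert "$2")
    if [ -n "$rm_fp" ] && [ "$rm_fp" = "$srv_fp" ]; then
        echo ok
    else
        echo "mismatch: remote-manager=${rm_fp:-none} server=${srv_fp:-none}"
    fi
}

# check_live RM_KEYSTORE RM_STOREPASS SERVER_KEYSTORE SERVER_STOREPASS: run the same
# comparison against real keystores (assumed paths/passwords; needs keytool on PATH).
check_live() {
    trust_matches \
        "$(keytool -list -v -keystore "$1" -storepass "$2")" \
        "$(keytool -list -v -keystore "$3" -storepass "$4")"
}

# Constructed sample: the Remote Manager keystore after re-generation.
RM_LISTING='Alias name: xell
Creation date: Jul 27, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=rm.example.com, OU=IDM, O=Example, L=City, ST=NY, C=US
Certificate fingerprints:
     MD5:  11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF
     SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4

Alias name: xeltrusted
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4'

# Constructed sample: the OIM server keystore still holding the old certificate.
SERVER_STALE='Alias name: xell
Entry type: PrivateKeyEntry
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

Alias name: rm_trusted_cert
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF'

# Constructed sample: the same server keystore after the re-import in step 2.
SERVER_FIXED='Alias name: rm_trusted_cert
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA1: A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4'

trust_matches "$RM_LISTING" "$SERVER_STALE"   # stale entry: prints a mismatch line
trust_matches "$RM_LISTING" "$SERVER_FIXED"   # prints "ok"
```

Against real keystores, call check_live with the Remote Manager keystore and its store password followed by the server keystore and its store password; a mismatch line means step 2 of the trust re-establishment has to be repeated with the freshly exported xlremote.cert.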
