Introduction

I started this OAM WebGate Guide journey back in August of 2023. At that point I envisioned a 6-part series with the following topics …

I have covered all these topics but the last one, “Changing Simple to Cert mode”.

Moving forward, the name of Blog 6 has changed, and a 7th+ blog has been added, called …

  • Part 6 Changing The Oracle Access Manager Protocol (OAP) Communication Mode To OPEN
  • Part 7 Changing The Oracle Access Manager Protocol (OAP) Communication Mode To CERT

Oracle Access Protocol (OAP) Channel

This communication mode leverages the “Transport” (TCP) network layer to route and load balance requests. The communication modes below are applicable to the OAM Server 12.2.x and the certified OAM 11.1.2.3.x and higher WebGates.

Communication Modes

Open

  • Unencrypted communication. In Open mode, there is no authentication or encryption between the WebGate and OAM Server.
  • The WebGate does not ask for proof of the OAM Server’s identity, and the OAM Server accepts connections from all WebGates.

Pros

  • Easy to implement
  • Easier to manage
  • Quick staging
  • Minimal downtime

Cons

  • Least secure as compared to the SSL options
  • Needs artifact copying from OAM Server to each WebGate

Observations

  • It does not show password values
  • It shows:
      • Agent id and configuration
      • Usernames
      • Full user LDAP Distinguished Names (DNs)
      • Protection policies for specific requested resources
      • Authentication scheme details (the challenge redirect URL, associated authentication level, etc.) and any response headers
      • The unencrypted session token (these are encrypted before being put into the session cookie in the browser session)

Steps To Move To Open Mode

Phase I Adding Details to Access Manager Settings

1. In a new browser session, access and log in to the OAM Console:

http(s)://<WLS_ADMIN_SERVER_FQDN>:<PORT>/oamconsole

2. In the Oracle Access Management Console, click Configuration at the top right of the window.

3. From the Launch Pad, select Server Instances.

4. Select Search.

5. Select the appropriate Server Instance.

6. In the Proxy section, change the Proxy mode to OPEN.

7. Click Apply. Note: at this point the WebGates will cease to communicate with the OAM server until their own mode is updated in Phase II.

8. Select OK.

9. Select Yes to confirm.

Phase II Updating WebGate to Use Open Mode

1. In the Oracle Access Management Console, click Application Security at the top right of the window.

2. In the Launch Pad tab, click Agents.

3. Define the criteria and select Search.

4. Open the desired agent registration.

5. On the agent’s registration page, locate the Security options and click “Open”.

6. Click Apply to submit the changes.

This will create new updated Agent artifacts in the output directory (<OAM_DOMAIN_HOME>/output/<AGENT_NAME>):

  • aaa_cert.pem
  • aaa_key.pem
  • cwallet.sso
  • cwallet.sso.lck
  • ObAccessClient.xml
  • password.xml
  • wallet (directory)

7. Since this is OPEN Mode, the only file needed is the newly generated ObAccessClient.xml. Copy this file from <OAM_DOMAIN_HOME>/output/<AGENT_NAME> to each respective WebGate instance.

Example of a 12.2.1.4.0 OHS WebGate

a. Copy the updated Agent Artifact files “ObAccessClient.xml” …

From: <OAM_DOMAIN_HOME>/output/<AGENT_NAME>

To:

Staging Location
<WEBTIER_DOMAIN_HOME>/config/fmwconfig/components/OHS/<INSTANCE_NAME>/webgate/config/

Runtime (has instances in it)
<WEBTIER_DOMAIN_HOME>/config/fmwconfig/components/OHS/instances/<INSTANCE_NAME>/webgate/config/

b. It’s important to note that for OHS 12c, when updating the method used for communication with the OAM server, it will be necessary to delete the cached ObAccessClient.xml file from the <WEBTIER_DOMAIN_HOME>/servers/<ohs_instance_name>/cache directory; otherwise the WebGate will continue trying to use the old security mode. See “Oracle Access Manager (OAM) After Changing the Oracle Access Protocol (OAP) Communication Mode To CERT, Accessing A Protected Resource Fails “HTTP-500 Internal Server Error”” (Doc ID 2990211.1).

  • Delete/rename the ObAccessClient.xml file that resides in the <WEBTIER_DOMAIN_HOME>/servers/<ohs_instance_name>/cache directory.

8. Restart the WebServer.
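The copy-to-staging, copy-to-runtime and clear-cache sequence in step 7 is easy to get half right (one location updated, the cached copy left behind), so here is an added POSIX shell example that is not part of the original post. It pushes a regenerated ObAccessClient.xml into the two OHS 12c locations named above, moves any cached copy aside, and checks the result. The directory layout follows the post; the assumption that ObAccessClient.xml declares its mode as a NameValPair with ParamName="security" is mine, and the sample artifact the demo builds is constructed for illustration, not real agent output.

```shell
#!/bin/sh
# Added example, not the post's own procedure or Oracle-provided tooling.
# Deploys a regenerated ObAccessClient.xml to an OHS 12c WebGate instance
# (staging + runtime), retires the cached copy, and verifies the mode.
set -eu

# Read one NameValPair value from ObAccessClient.xml.
# Assumed layout: <NameValPair ParamName="security" Value="open"/>
# Prints the value, or "unknown" when the file or parameter is absent.
webgate_param() {
  file=$1; param=$2
  [ -f "$file" ] || { printf 'unknown\n'; return 0; }
  val=$(sed -n "s/.*ParamName=\"$param\"[[:space:]]*Value=\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
  [ -n "$val" ] && printf '%s\n' "$val" || printf 'unknown\n'
}

# Paths from the post for a given <WEBTIER_DOMAIN_HOME> and <INSTANCE_NAME>.
staging_dir() { printf '%s\n' "$1/config/fmwconfig/components/OHS/$2/webgate/config"; }
runtime_dir() { printf '%s\n' "$1/config/fmwconfig/components/OHS/instances/$2/webgate/config"; }
cache_dir()   { printf '%s\n' "$1/servers/$2/cache"; }

# Copy the new artifact into staging and runtime (keeping a timestamped backup
# of whatever was there) and move the cached copy aside so the WebGate cannot
# keep running with the previous security mode. Refuses anything not in open
# mode, because this procedure is specifically the move to OPEN.
deploy_open_mode_artifact() {
  src=$1; domain_home=$2; instance=$3
  [ -f "$src" ] || { echo "source $src not found" >&2; return 1; }
  mode=$(webgate_param "$src" security)
  if [ "$mode" != "open" ]; then
    echo "refusing to deploy: security mode is '$mode', expected 'open'" >&2
    return 1
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  for dir in "$(staging_dir "$domain_home" "$instance")" "$(runtime_dir "$domain_home" "$instance")"; do
    mkdir -p "$dir"
    [ -f "$dir/ObAccessClient.xml" ] && cp -p "$dir/ObAccessClient.xml" "$dir/ObAccessClient.xml.$stamp.bak"
    cp "$src" "$dir/ObAccessClient.xml"
  done
  cache=$(cache_dir "$domain_home" "$instance")
  # A stale cached copy keeps the old mode alive (Doc ID 2990211.1 in the post).
  [ -f "$cache/ObAccessClient.xml" ] && mv "$cache/ObAccessClient.xml" "$cache/ObAccessClient.xml.$stamp.bak"
  return 0
}

# Prints "ok" when staging and runtime both declare open mode and no cached
# ObAccessClient.xml remains; otherwise prints "stale".
verify_open_mode() {
  domain_home=$1; instance=$2
  for f in "$(staging_dir "$domain_home" "$instance")/ObAccessClient.xml" \
           "$(runtime_dir "$domain_home" "$instance")/ObAccessClient.xml"; do
    [ "$(webgate_param "$f" security)" = "open" ] || { echo stale; return 0; }
  done
  [ ! -f "$(cache_dir "$domain_home" "$instance")/ObAccessClient.xml" ] || { echo stale; return 0; }
  echo ok
}

# Constructed, minimal ObAccessClient.xml used only for the demo.
make_sample_artifact() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<CompoundList xmlns="http://www.oblix.com/" ListName="ObAccessClient.xml">
  <SimpleList>
    <NameValPair ParamName="id" Value="ohs_webgate_demo"/>
    <NameValPair ParamName="security" Value="open"/>
  </SimpleList>
</CompoundList>
EOF
}

# Run with WEBGATE_DEMO=1 to exercise the functions against a throwaway tree.
demo() {
  t=$(mktemp -d)
  make_sample_artifact "$t/ObAccessClient.xml"
  mkdir -p "$(cache_dir "$t/dom" ohs1)"
  printf 'old cached copy\n' > "$(cache_dir "$t/dom" ohs1)/ObAccessClient.xml"
  echo "before: $(verify_open_mode "$t/dom" ohs1)"
  deploy_open_mode_artifact "$t/ObAccessClient.xml" "$t/dom" ohs1
  echo "after:  $(verify_open_mode "$t/dom" ohs1)"
  rm -rf "$t"
}
if [ "${WEBGATE_DEMO:-0}" = 1 ]; then demo; fi
```

Run it as `WEBGATE_DEMO=1 sh deploy_open.sh` to see the before/after check, or source it and call `deploy_open_mode_artifact <OAM_DOMAIN_HOME>/output/<AGENT_NAME>/ObAccessClient.xml <WEBTIER_DOMAIN_HOME> <INSTANCE_NAME>` followed by the restart in step 8. The backups are what let you roll back quickly if the WebGate does not reconnect after the restart.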

Wrap up

  • Oracle Access Protocol (OAP) over REST communication mode is the preferred mode and is only available with the OAM Server 12.2.1.4.x and higher and the OAM 12.2.1.4.x and higher WebGates. It is the default when registering a WebGate/Agent.
  • Oracle Access Protocol (OAP) Channel communication modes (OPEN, SIMPLE, CERT) leverage the “Transport” (TCP) network layer to route and load balance requests. These communication modes are applicable to the OAM Server 12.2.x and the certified OAM 11.1.2.3.x and higher WebGates.
  • For Transport Layer Security (TLS), the OAM managed server is tied to the JDK it uses, which defines the TLS version. The back channel is any traffic that goes directly between the OAM Server and the WebGate. The front channel is any communication between the OAM server and the WebGate that happens through the user’s browser (TLS 1.2/1.3).

Related Articles: