
Extending the Domain with Oracle Access Manager 11g 11-19

11.11.1 Creating an Empty Trust Store File Named oamclient-truststore.jks

To create this file, you use a tool called keytool that comes with the JDK (Java Development Kit). Before running any of the following commands, ensure that the JDK is in your path. For example:

export JAVA_HOME=$MW_HOME/jrockit_160_24_D1.1.2-4
export PATH=$JAVA_HOME/bin:$PATH

1. First, execute the command:

keytool -genkey -alias alias_name -keystore PathName_to_Keystore -storetype JKS

The command prompts you for a keystore password. This password MUST be the same as the global pass phrase used in the Oracle Access Manager server. The command also prompts for information about the user and organization; enter relevant information. The key pair generated here is only a placeholder so that keytool creates the file; it is deleted again in the next step.

Example:

keytool -genkey -alias oam -keystore oamclient-truststore.jks -storetype JKS

Sample output:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]: John Doe
What is the name of your organizational unit?
  [Unknown]: MAA
What is the name of your organization?
  [Unknown]: Oracle
What is the name of your City or Locality?
  [Unknown]: Redwood Shores
What is the name of your State or Province?
  [Unknown]: CA
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=John Doe, OU=MAA, O=Oracle, L=Redwood Shores, ST=CA, C=US correct?
  [no]: yes
Enter key password for <oam>
  (RETURN if same as keystore password):
Re-enter new password:

2. Then execute the command:

keytool -delete -alias alias_name -keystore oamclient-truststore.jks -storetype JKS

For example:

keytool -delete -alias oam -keystore oamclient-truststore.jks -storetype JKS

The command prompts for the keystore password you entered previously. The result is a JKS file with no entries; you can confirm this with keytool -list -keystore oamclient-truststore.jks -storetype JKS, which should report that the keystore contains 0 entries.

11.11.2 Importing the CA Certificate into the Trust Store

Oracle Access Manager 11g ships with a self-signed Certificate Authority that is used in Simple mode to issue certificates for the Access Client. This CA certificate must be added to the trust store you just created. The certificate resides in the file cacert.der, which is located in the directory IAM_ORACLE_HOME/oam/server/config.

Execute the following command to import the PEM- or DER-format CA certificate into the trust store.

On Linux and UNIX-based systems, type:

keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS

On Windows, type:

keytool -import -file IAM_ORACLE_HOME\oam\server\config\cacert.der -trustcacerts -keystore PathName_to_keystore -storetype JKS

Enter the keystore password when prompted. Example:

keytool -importcert -file IAM_ORACLE_HOME/oam/server/config/cacert.der -trustcacerts -keystore oamclient-truststore.jks -storetype JKS

Sample output:

Enter keystore password:
Owner: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O=Oblix, Inc., L=Cupertino, ST=California, C=US
Issuer: CN=NetPoint Simple Security CA - Not for General Use, OU=NetPoint, O=Oblix, Inc., L=Cupertino, ST=California, C=US
Serial number: 0
Valid from: Wed Apr 01 05:57:22 PDT 2009 until: Thu Mar 28 05:57:22 PDT 2024
Certificate fingerprints:
  MD5:  05:F4:8C:84:85:37:DB:E3:66:87:EF:39:E0:E6:B2:3F
  SHA1: 97:B0:F8:19:7D:0E:22:6B:40:2A:73:73:1B:27:B2:7B:8D:64:82:21
Signature algorithm name: MD5withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore

Before answering yes, compare the fingerprints keytool prints with those of the cacert.der file in your own installation (keytool -printcert -file cacert.der displays them without importing anything) and check the validity period shown. Note that Owner and Issuer are identical (the certificate is self-signed), that it is a version 1 certificate signed with MD5withRSA, and that its name says "Not for General Use": trust it only from the Simple-mode trust store described here, and do not add it to any general-purpose trust store.
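The two procedures above (11.11.1 and 11.11.2) typed out as one non-interactive script, added here as an example and not taken from the Oracle guide. It assumes keytool is on the PATH, that IAM_ORACLE_HOME and OAM_GLOBAL_PASSPHRASE are set in the environment, and that the expected SHA1 fingerprint has been confirmed against the cacert.der in your own installation (the default below is the value from the guide's sample output). The difference from the interactive steps is that the script refuses to import the CA unless the fingerprint keytool reports for the file matches the expected one, so -noprompt can be used safely.

```shell
#!/bin/sh
# Added example: build oamclient-truststore.jks and import the OAM Simple-mode
# CA with a fingerprint check. Not part of the Oracle guide.
set -eu

# Assumption: SHA1 fingerprint of cacert.der, taken from the guide's sample
# output. Replace with the value observed in your own installation.
EXPECTED_CA_SHA1="${EXPECTED_CA_SHA1:-97:B0:F8:19:7D:0E:22:6B:40:2A:73:73:1B:27:B2:7B:8D:64:82:21}"

# Read `keytool -printcert` output on stdin and print the SHA1 fingerprint,
# upper-cased with all whitespace removed. Only the SHA1 line matches; the
# SHA256 line newer keytool versions print does not.
sha1_from_printcert() {
    awk -F': ' '/^[[:space:]]*SHA1:/ { gsub(/[[:space:]]/, "", $2); print toupper($2); exit }'
}

# Case-insensitive comparison of two colon-separated fingerprints.
fingerprints_match() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Section 11.11.1: create a JKS file containing no entries.
# $1 = trust store path, $2 = keystore password (must equal the OAM global pass phrase)
create_empty_truststore() {
    # A throwaway key pair makes keytool create the file; -dname avoids the prompts.
    keytool -genkey -alias oam-bootstrap -keyalg RSA -dname "CN=bootstrap, O=placeholder" \
        -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
    keytool -delete -alias oam-bootstrap -keystore "$1" -storetype JKS -storepass "$2"
}

# Section 11.11.2: import the CA only if its fingerprint is the expected one.
# $1 = trust store, $2 = password, $3 = CA certificate file, $4 = expected SHA1
import_ca_checked() {
    observed=$(keytool -printcert -file "$3" | sha1_from_printcert)
    if ! fingerprints_match "$observed" "$4"; then
        echo "refusing to trust $3: SHA1 $observed does not match expected $4" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias oam-simple-ca -file "$3" -trustcacerts \
        -keystore "$1" -storetype JKS -storepass "$2"
    # Show what the trust store now contains (expect exactly one trustedCertEntry).
    keytool -list -keystore "$1" -storetype JKS -storepass "$2"
}

main() {
    : "${IAM_ORACLE_HOME:?set IAM_ORACLE_HOME to the OAM Oracle home}"
    pass="${OAM_GLOBAL_PASSPHRASE:?set OAM_GLOBAL_PASSPHRASE to the OAM global pass phrase}"
    ts="${TRUSTSTORE:-oamclient-truststore.jks}"
    ca="$IAM_ORACLE_HOME/oam/server/config/cacert.der"
    create_empty_truststore "$ts" "$pass"
    import_ca_checked "$ts" "$pass" "$ca" "$EXPECTED_CA_SHA1"
}

# Run only when invoked as `sh script.sh run`, so the functions can be sourced alone.
if [ "${1:-}" = "run" ]; then main; fi
```

Passing -storepass and -keypass on the command line makes the pass phrase visible in the process list while keytool runs; when the script is not needed unattended, drop those flags and let keytool prompt as the guide's own commands do.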

11.11.3 Setting up Keystore with the SSL Certificate and Private Key file of the Access Client