Forum Discussion
APM integration with Oracle Access Manager
Which Mode do you use? Open/Simple/Cert?
Because we're using Simple Mode and faced some issues regarding the certs on the OAM side and the F5 side: both systems need the same ones in order to get communication working.
Here are the steps, which we received from F5 Support when we faced this issue: In simple mode the certificates need to be identical on both sides. Since the certs were most likely manipulated with the Keytool utility that comes with the JDK installation, I suspect the cert was already installed on bigip at /config/aaa/oam////oblix/config/simple/ before applying the workaround.
1. So please delete /config/aaa/oam// directory on bigip and perform "bigstart restart eam".
2. Please compare the aaa_key.pem, aaa_cert.pem, aaa_chain.pem, password.xml and ObAccessClient.xml files on the BIG-IP and the OAM server using the "openssl x509" command. If they are not the same, manually copy the following files to the corresponding location:
cp aaa_key.pem /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
cp aaa_cert.pem /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
cp aaa_chain.pem /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
cp password.xml /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/
cp ObAccessClient.xml /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/lib/
3. There is another compatibility issue reported if the OAM server used is OAM 11G.
The default simple mode root certificates in 10G and 11G are different. So when configuring a 10G agent (webgate) with an OAM 11G server, the webgate and access server root certificates will not match and will cause the communication to fail. For simple mode communication OAM 11G is shipped with a root certificate and private key in DER format (cacert.der, cakey.der), while in the 10G release they were in PEM format (cacert.pem, cakey.pem). This issue will not appear if using the 11G webgate, as it has the same simple mode root certificate as the 11G access server.
Solution: change the root certificate and private key on the OAM server from DER format to PEM format.
Steps:
1. Convert cacert.der, located on the OAM server at OAM-Domain-Home/config/fmwconfig, to PEM format using the command:
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
2. Copy the generated cacert.pem to the webgate instance directory, for example "C:\Program Files\NetPoint\WebComponent\access\oblix\tools\openssl\simpleCA\cacert.pem" on the WebGate machine.
3. Restart the web server.
But after changing that there was also a different bug (CBC Protection Bug, Oracle Docs 13387353), so you have to set some extra Java properties:
EXTRA_JAVA_PROPERTIES="-Djsse.enableCBCProtection=false ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
Hope this helps you, but I'm also not sure if it is the same bug; maybe you should also contact your F5 Support.
Cheers, Christoph
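The two checks the reply above leans on, comparing the certificate material on the OAM and BIG-IP sides and converting the 11G DER root certificate to PEM, can be reproduced without openssl. The following is an added example, not code from the original post, from F5 or from Oracle: it implements the DER-to-PEM wrapping that `openssl x509 -inform DER -outform PEM` performs and compares the two sides by SHA-256 fingerprint of the DER encoding, which is what `openssl x509 -noout -fingerprint -sha256` reports and which is independent of whether a side holds PEM or DER. The `FAKE_CACERT_DER` bytes are a constructed stand-in (a tiny DER SEQUENCE, not a real certificate) so that the code runs offline; the file names mirror the ones in the post.

```python
"""DER <-> PEM conversion and side-by-side comparison of OAM simple mode certs.

Added example (not from the DevCentral post, F5 or Oracle). Standard library only.
Simple mode only works when both sides hold the same certificate material, so the
check is: decode whatever form each side has to DER and compare fingerprints.
"""
import base64
import hashlib
import re
import textwrap
from typing import Dict, List, Union

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

CertLike = Union[bytes, str]  # DER bytes or PEM text


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in a PEM envelope: base64 body folded at 64 columns.

    Equivalent to: openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
    """
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM block and decode its body back to DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()))


def fingerprint(cert: CertLike) -> str:
    """SHA-256 fingerprint of the DER encoding, formatted like openssl (AA:BB:...).

    PEM input is decoded first, so PEM on one side and DER on the other compare equal
    when they encode the same certificate.
    """
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(oam_side: CertLike, bigip_side: CertLike) -> bool:
    """True when both sides encode identical certificate material."""
    return fingerprint(oam_side) == fingerprint(bigip_side)


def mismatched_files(oam_files: Dict[str, CertLike],
                     bigip_files: Dict[str, CertLike]) -> List[str]:
    """Names of PEM/DER files that are missing on the BIG-IP side or differ from OAM.

    Mirrors step 2 of the post for the aaa_*.pem files; a non-empty result is the
    list of files to copy over (cp ... /config/aaa/oam/.../oblix/config/simple/).
    """
    return sorted(
        name for name, content in oam_files.items()
        if name not in bigip_files or not same_certificate(content, bigip_files[name])
    )


# Constructed stand-in for cacert.der: DER SEQUENCE { INTEGER 1, INTEGER 10 }.
# Not a real certificate; it only exercises the encoding and comparison logic.
FAKE_CACERT_DER = bytes.fromhex("300602010102010a")


if __name__ == "__main__":
    pem = der_to_pem(FAKE_CACERT_DER)
    print(pem, end="")
    print("same material:", same_certificate(FAKE_CACERT_DER, pem))
    print("to copy:", mismatched_files(
        {"aaa_cert.pem": pem, "aaa_chain.pem": pem},
        {"aaa_cert.pem": pem, "aaa_chain.pem": der_to_pem(b"\x30\x00")}))
```

Run against the real files, read each side's aaa_cert.pem and aaa_chain.pem (or cacert.der) into `oam_files` and `bigip_files`; any name returned by `mismatched_files` is one whose BIG-IP copy must be replaced from the OAM side before restarting eam.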