Wednesday, August 29, 2012
Oracle Access Manager 18.104.22.168 - 11.1.2 and OCSP
If you are reading this post and are interested in OCSP and Oracle Access Manager (OAM), you probably work in some capacity for the U.S. Government. If I was a betting man, and I am, you are probably trying to figure out how to enable OCSP to work with the ocsp.disa.mil OCSP responder for X.509 authentication (aka PKI authentication, smart-card, two-factor, etc.). Well, the sad truth is OAM does NOT work with the DoD implementation of OCSP. You can open a ticket with Oracle Support and argue with them back and forth on the issue, but in the end you will get nowhere. The issue is that the DoD implementation uses the Direct Trust Model, which eliminates the need for a self-signed OCSP certificate... which is exactly what the OAM configuration requires in order to operate.

In a nutshell, you are going to have to find another way to implement revocation checking for your user base. My personal recommendation would be to call axway.com, purchase their Validator Server, drop that module into OHS, and use two-proxy authentication between WebLogic and OHS. This checks the users before they get into the system and still adheres to the letter of the STIG requirements. Your other option is to write a custom Java plug-in, but that can get nasty because of the limited support you have for importing supporting JAR files for your code. Avoid the headaches... call Axway, get the Validator Server for 11g OHS, and get the stamp of JITIC approval for your implementation.
Posted by boilerup at 1:44 PM