Wednesday, August 29, 2012
Oracle Access Manager 11.1.1.5 - 11.1.2 and OCSP
If you are reading this post and are interested in OCSP and Oracle Access Manager (OAM), you probably work in some capacity for the U.S. Government. If I were a betting man, and I am, you are probably trying to figure out how to get OCSP working against the ocsp.disa.mil OCSP responder for x509 authentication (aka PKI authentication, smart-card, two-factor, etc.). Well, the sad truth is that OAM does NOT work with the DoD implementation of OCSP. You can open a ticket with Oracle Support and argue with them back and forth on the issue, but in the end you will get nowhere. The issue is that the DoD implementation uses the Direct Trust Model, which eliminates the need for a self-signed OCSP certificate, which is exactly what the OAM configuration requires in order to operate.

In a nutshell, you are going to have to find another way to implement revocation checking for your user base. My personal recommendation would be to call axway.com, purchase their Validator Server, drop that module into OHS, and use two-proxy authentication between WebLogic and OHS. This checks the users before they get into the system and still adheres to the letter of the STIG requirements. Your other option is to write a custom Java plug-in, but that can get nasty because of the limited support for importing the supporting JAR files your code needs.

Avoid the headaches: call Axway, get the Server Validator for 11g OHS, and get the stamp of JITIC approval for your implementation.
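The direct trust model behind the incompatibility above, shown with OpenSSL as an added example that is not part of this post: a responder whose signing certificate is self-signed and not issued by the CA is rejected when the verifier expects it to chain to the CA, and is accepted only when that responder certificate is itself configured as an explicitly trusted anchor (OpenSSL's `-VAfile`). The CA, the end-entity certificate, the responder certificate and the responder database are all constructed locally; none of it is DoD material.

```shell
#!/bin/sh
# Added example: direct-trust OCSP verification with OpenSSL (constructed test PKI).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed CA and an end-entity ("smart-card") certificate it issues, serial 0x1001.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=ExampleCA -days 30 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj /CN=alice >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
  -days 30 -out user.pem >/dev/null 2>&1

# Direct-trust responder: self-signed, NOT issued by ExampleCA, so a relying party
# can only accept its responses if it is configured to trust this certificate directly.
openssl req -x509 -newkey rsa:2048 -nodes -keyout resp.key -out resp.pem \
  -subj /CN=DirectTrustResponder -days 30 \
  -addext extendedKeyUsage=OCSPSigning >/dev/null 2>&1

# Responder database: one valid ("V") entry for serial 1001; fields are tab separated.
printf 'V\t341231235959Z\t\t1001\tunknown\t/CN=alice\n' > index.txt

# Build a request for alice's certificate and answer it offline with the responder.
openssl ocsp -issuer ca.pem -cert user.pem -no_nonce -reqout req.der >/dev/null 2>&1
openssl ocsp -index index.txt -CA ca.pem -rsigner resp.pem -rkey resp.key \
  -reqin req.der -respout resp.der -no_nonce -noverify >/dev/null 2>&1

# verify_ocsp <trust options...>: prints OK when OpenSSL accepts the response, else FAIL.
verify_ocsp() {
  if openssl ocsp -respin resp.der -issuer ca.pem -cert user.pem -no_nonce "$@" \
       >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Delegated-trust expectation (responder must chain to the CA): the self-signed
# responder is rejected. This is the failure a client built around that model sees.
echo "chain to CA only:            $(verify_ocsp -CAfile ca.pem)"   # FAIL
# Direct trust: the responder certificate itself is the configured trust anchor.
echo "explicitly trusted (VAfile): $(verify_ocsp -VAfile resp.pem)" # OK
```

The same response is rejected or accepted purely on how the verifier is told to trust the responder; the signature is valid in both runs.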
Are you kidding me? I'm JUST NOW trying to configure OAM to do OCSP validation of CAC cards. So this is still the case? If so, I'm going to have to rip Oracle a new one since they said it will do what I need it to.
Please review defect 14598168 on this. It keeps getting bounced around and no one is working on it. I was in a sales meeting with them yesterday and even they are recommending customers use Axway on the OHS front-end to do OCSP checking for revoked certificates based upon my feedback. The licensing cost for Server Validator isn't bad, 2K per production VM, but still... they advertise it to work and it clearly DOES NOT. What is worse, getting them to respond to a support-related issue with OAM takes an act of God with the CIO complaining directly to the highest Oracle representative. I found an issue today where JSP web reports in Forms/Reports 11.1.2 do NOT work. How does something so simple pass Q/A?
I just talked to Oracle Support and they are saying they are "working on it"... "OAM 11gr2 11.1.2 bp02 Summer 2013..."
I can't use Axway's stuff on my Solaris box because it doesn't work with WL 11g. They said it will be out Q1 2013. LOL.
Sometimes I just feel like backhanding Oracle.
BTW, thanks for the reply.
-Alex
Currently we are having this issue while implementing at a federal customer. Can you please name the software from Axway? Is it difficult to implement?
Any/all,
Any clue if the Axway solution supports the DOD OCSP server AND the 3 DOD External CA servers? My client is required to support DOD & ECA Client Certificates. We wrote a Java Plug In for Oracle SSO 10g, but we are now being forced to migrate to Oracle Access Manager. I'm familiarizing myself with OAM at the moment, hoping to somehow migrate the Plug In to OAM.
Any info on Axway would be greatly appreciated.