Introduction While working on today's research project I also needed to test with curl. Sadly in my environment curl was built with NSS support which caused me...
Introduction While working on today's research project I also needed to test with curl. Sadly in my environment curl was built with NSS support which caused me some grief. I had never used NSS-enabled apps before and didn't know how to deal with their certificate and private key database. I do now. I installed the NSS command line tools via yum ("yum install nss-tools"). Main Article This is how I created the certificate database and imported the CA's certificate, marking it...
Introduction While working on today's research project I also needed to test with curl. Sadly in my environment curl was built with NSS support which caused me some grief. I had never used NSS-enabled...
Today's adventure was a question about limiting SSL connections. The customer's problem statement was along the lines of I want to make SSL connections, using...
Today's adventure was a question about limiting SSL connections. The customer's problem statement was along the lines of I want to make SSL connections, using client certificate auth (i.e. two-way ssl) and have the server accept only one certificate. Can I put the one cert I want in the "trusted CA list" to do that? I thought the answer was "no, that's not how you do that" but I wasn't 100% sure so off I went on a research project... I checked the relevant RFC (2246 for TLS)...
Today's adventure was a question about limiting SSL connections. The customer's problem statement was along the lines of I want to make SSL connections, using client certificate auth (i.e....
Back in April I posted a shell script I wrote to implement a dead simple Certificate Authority for testing purposes. I recently revisited that script because I...
Back in April I posted a shell script I wrote to implement a dead simple Certificate Authority for testing purposes. I recently revisited that script because I needed JKS files in addition to the PEM format files it created. Without further ado my new and improved script is available right after the break. #!/bin/bash # a very simple cert authority # now with JKS support! # # Copyright 2011 Oracle # christopher.johnson@oracle.com # # License agreement: # ------------------ #...
Back in April I posted a shell script I wrote to implement a dead simple Certificate Authority for testing purposes. I recently revisited that script because I needed JKS files in addition to the PEM...
I’ve recently helped a customer who wanted to integrate a home-built SAML Identity Provider with a Weblogic Service Provider. After exchanging metadata and...
I’ve recently helped a customer who wanted to integrate a home-built SAML Identity Provider with a Weblogic Service Provider. After exchanging metadata and going through all the necessary configuration on both sides, they came across this error in Weblogic server logs: ####<Aug 15, 2011 4:55:19 PM EDT> <Debug> <SecurityAtn> <server.customer.com> <server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>>...
I’ve recently helped a customer who wanted to integrate a home-built SAML Identity Provider with a Weblogic Service Provider. After exchanging metadata and going through all the...
Introduction Wanted to share an experience I encountered recently configuring the OAM Console. This is specific to OAM 11.1.1.5(PS1). This post is part of a...
Introduction Wanted to share an experience I encountered recently configuring the OAM Console. This is specific to OAM 11.1.1.5(PS1). This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy located here. The Issue When you first install OAM 11g one of the first things a customer will do is to setup a new data store. But first let’s take a look at the default configuration. If you take a look at the ‘UserIdentityStore1’ data...
Introduction Wanted to share an experience I encountered recently configuring the OAM Console. This is specific to OAM 11.1.1.5(PS1). This post is part of a larger series on Oracle Access Manager 11g...
The idea of the User/Role API is to abstract developers from the identity store where users and groups are kept. A developer can basically interact with any...
The idea of the User/Role API is to abstract developers from the identity store where users and groups are kept. A developer can basically interact with any identity provider supported by Weblogic server using the same methods. The javadoc can be found here: http://download.oracle.com/docs/cd/E15523_01/apirefs.1111/e14658/toc.htm In this post I want to alert you about two caveats: 1) User/Role API is able to query data from only one provider. If you want to query multiple...
The idea of the User/Role API is to abstract developers from the identity store where users and groups are kept. A developer can basically interact with any identity provider supported by Weblogic...
Introduction Notifications are one of the multiple features that were improved in OIM 11g release. The previous limitation of sending text based emails...
Introduction Notifications are one of the multiple features that were improved in OIM 11g release. The previous limitation of sending text based emails (out-of-the-box emails) only is gone. Out-of-the-box templates for events like 'Reset Password', 'Create User Self Service', 'User Deleted' are available and custom templates can be defined and used to send notifications out of OIM. OIM provides a notification framework based on events, notification templates and template...
Introduction Notifications are one of the multiple features that were improved in OIM 11g release. The previous limitation of sending text based emails (out-of-the-box emails) only is...
Introduction Every time I talk to someone about Kerberos I need to take a few minutes to go through the concepts. This post is intended to just write down what...
Introduction Every time I talk to someone about Kerberos I need to take a few minutes to go through the concepts. This post is intended to just write down what I usually say and draw with a white board. Main Article If you want to know more about Kerberos there's a metric ton of info out there on the internet. I'll leave it to you to go read up. For those of you that are experts on Kerberos please note that I'm going to simplify some stuff and gloss over a few important...
Introduction Every time I talk to someone about Kerberos I need to take a few minutes to go through the concepts. This post is intended to just write down what I usually say and draw with a white...
Introduction In this post I discuss the available options to work with OWSM (Oracle Web Services Manager) policies in JDeveloper and Enterprise Manager. OWSM is...
Introduction In this post I discuss the available options to work with OWSM (Oracle Web Services Manager) policies in JDeveloper and Enterprise Manager. OWSM is a component available along with the Oracle SOA Suite and provides policy enforcement point (PEP) agents for SOAP-based messages. Typically, a service policy is attached to a service endpoint to enforce some pre-defined rules (like enforcing a SAML token, Kerberos token, message confidentiality, SSL, etc). And a...
Introduction In this post I discuss the available options to work with OWSM (Oracle Web Services Manager) policies in JDeveloper and Enterprise Manager. OWSM is a component available along with...
