How to export a certificate from OAM 11gR2 so that it can participate in a Circle of Trust


A new feature of OAM 11gR2 is that it can participate in a Circle of Trust for Identity Federation.  However, for the Circle of Trust to work, the Identity Provider will need to import the certificates that are used in OAM.  You do have the option of installing a certificate, if you want to go and purchase one, or for testing, just use the certificates that are already available to you in OAM.

The certificates are stored in a Java Keystore and on my test system, my keystore file was located at /home/oracle/Middleware/user_projects/domains/idm_domain/config/fmwconfig/.oamkeystore

You can determine where your keystore is by going to the OAM console, Clicking “System Configuration”, “Identity Federation”, “Federation Settings” and scrolling down to the Keystore section.  If you do go there, you will notice that there is an Alias used for the Signing and Encryption Key called “stsprivatekeyalias”, this alias is the keystore reference to the certificate and we need this in order to export the certificate file.

Before you connect to the keystore though, you need to know what the keystore password is.  There is a way to recover the password by issuing the following commands:



listCred(map=”OAM_STORE”, key=”jks”)

Now that you have the password, you can export the certificate using the following command:

keytool -exportcert -alias “stsprivatekeyalias” -storetype JCEKS -keystore .oamkeystore >oam.cert

Now you can give the oam.cert to your IdP so that they can setup their end of the trust relationship.  Happy Federating!

No Results