Aiaag Oracle Fusion Middleware Administrator Guide For Access Management
Page Count: 1580
- Contents
- List of Figures
- List of Tables
- List of Examples
- Preface
- What's New in This Guide?
- Part I Introduction to Oracle Access Management
- 1 Introducing Oracle Access Management
- 2 Getting Started with Oracle Access Management
- 2.1 Starting and Stopping Servers in Your Deployment
- 2.2 Specifying the Oracle Access Management Console Administrator
- 2.3 Using the New Oracle Access Management Console
- 2.4 Configuring with the Command-Line Tools
- 2.5 Logging, Auditing, Reporting and Monitoring Performance
- 2.6 Configuring Oracle Access Management Login Options
- Part II Managing Common and System Configurations
- 3 Managing Common Services and Certificate Validation
- 3.1 Configuring Oracle Access Management
- 3.2 Enabling or Disabling Available Services
- 3.3 Managing Common Settings
- 3.4 Managing Certificate Validation and Revocation
- 4 Delegating Administration
- 4.1 Understanding Delegated Administration
- 4.2 Defining the Administrator Roles
- 4.3 Delegating the Identity Store
- 4.4 Assigning Roles Using the Administration Console
- 4.5 Default Administrators, Roles and Groups
- 4.6 Using the Container Security Framework and MBeans
- 4.7 Using the Remote Registration Utility
- 4.8 Auditing Reports
- 5 Managing Data Sources
- 5.1 Introducing the Data Sources
- 5.2 Managing OAM Identity Stores
- 5.3 Managing the Identity Directory Service User Identity Stores
- 5.3.1 Using Identity Directory Services
- 5.3.2 Creating an Identity Directory Service Profile
- 5.3.3 Editing or Deleting an Identity Directory Service Profile
- 5.3.4 Creating a Form-fill Application Identity Directory Service Profile
- 5.3.5 Understanding the Pre-Configured Identity Directory Service Profile
- 5.3.6 Creating an Identity Directory Service Repository
- 5.4 Setting the Default Store and System Store
- 5.5 Managing the Administrators Role
- 5.6 Managing the Policy and Session Database
- 5.7 Introduction to Oracle Access Management Keystores
- 5.8 Integrating a Supported LDAP Directory with Oracle Access Manager
- 6 Managing Server Registration
- 7 Using Multi-Data Centers
- 7.1 Introducing Multi-Data Center
- 7.2 Understanding Multi-Data Center Deployments
- 7.2.1 Session Adoption Without Re-authentication, Session Invalidation or Session Data Retrieval
- 7.2.2 Session Adoption Without Re-authentication But With Session Invalidation & Session Data Retrieval
- 7.2.3 Session Adoption Without Re-authentication & Session Invalidation But With On-demand Session Data Retrieval
- 7.2.4 Authentication & Authorization Requests Served By Different Data Centers
- 7.2.5 Logout and Session Invalidation
- 7.3 Before Deploying Multi-Data Centers
- 7.4 Deploying Multi-Data Centers
- 7.5 Load Balancing Between Access Management Components
- 7.6 Setting Up A Multi-Data Center
- 7.7 Syncing Multi-Data Centers
- 7.8 Understanding Time Outs and Session Syncs
- 7.9 WLST Commands for Multi-Data Centers
- 7.10 Replicating Domains with Multi-Data Centers and Identity Manager
- 7.11 Multi-Data Center Recommendations
- 7.12 Cloning with T2P
- Part III Logging, Auditing, Reporting and Monitoring Performance
- 8 Logging Component Event Messages
- 9 Auditing Administrative and Run-time Events
- 9.1 Understanding Oracle Fusion Middleware Auditing
- 9.2 Introduction to Oracle Access Management Auditing
- 9.3 Access Manager Events You Can Audit
- 9.4 Mobile and Social Events You Can Audit
- 9.5 Identity Federation Events You Can Audit
- 9.6 Security Token Service Events You Can Audit
- 9.7 Setting Up Auditing for Oracle Access Management
- 9.8 Validating Auditing and Reports
- 10 Logging WebGate Event Messages
- 10.1 About Logging, Log Levels, and Log Output
- 10.2 About Log Configuration File Paths and Contents
- 10.3 About Directing Log Output to a File or the System File
- 10.4 Structure and Parameters of the Log Configuration File
- 10.5 About Activating and Suppressing Logging Levels
- 10.6 Mandatory Log-Handler Configuration Parameters
- 10.7 Configuring Different Threshold Levels for Different Types of Data
- 10.8 Filtering Sensitive Attributes
- 11 Reporting
- 12 Monitoring Performance and Health
- 13 Monitoring Performance and Logs with Fusion Middleware Control
- 13.1 Prerequisites
- 13.2 Introduction to Fusion Middleware Control
- 13.3 Logging In to and Out of Fusion Middleware Control
- 13.4 Displaying Menus and Pages in Fusion Middleware Control
- 13.5 Viewing Performance in Fusion Middleware Control
- 13.6 Managing Log Level Changes in Fusion Middleware Control
- 13.7 Managing Log File Configuration from Fusion Middleware Control
- 13.8 Viewing Log Messages in Fusion Middleware Control
- 13.9 Displaying MBeans in Fusion Middleware Control
- 13.10 Displaying Farm Routing Topology in Fusion Middleware Control
- Part IV Managing Access Manager Settings and Agents
- 14 Configuring Access Manager Settings
- 15 Introduction to Agents and Registration
- 16 Registering and Managing OAM 11g Agents
- 16.1 Prerequisites
- 16.2 Understanding OAM Agent Registration Parameters in the Console
- 16.3 Registering an OAM Agent Using the Console
- 16.4 Configuring and Managing Registered OAM Agents Using the Console
- 16.5 Understanding the Remote Registration Tool, Modes, and Process
- 16.6 Understanding Remote Registration Templates: OAM Agents
- 16.7 Performing Remote Registration for OAM Agents
- 16.8 Introduction to Updating Agents Remotely
- 16.9 Updating Agents Remotely
- 16.10 Validating Remote Registration and Resource Protection
- 16.11 Replacing the IAMSuiteAgent with an 11g WebGate
- 16.11.1 Registering a Replacement 11g WebGate for IAMSuiteAgent
- 16.11.2 Installing the Replacement 11g WebGate for IAMSuiteAgent
- 16.11.3 Updating the WebLogic Server Plug-in
- 16.11.4 Confirming the AutoLogin Host Identifier for an OAM / OIM Integration
- 16.11.5 Configuring OAM Security Providers for WebLogic
- 16.11.6 Disabling IAMSuiteAgent
- 16.11.7 Verification
- 16.12 Managing the Preferred Host in 10g WebGates
- 17 Maintaining Access Manager Sessions
- 17.1 Introducing Access Manager Session Management
- 17.2 Understanding Server-Side Session Management
- 17.2.1 Securing Access Manager Sessions
- 17.2.2 Understanding the Access Manager Session Lifecycle, States, and Enforcement
- 17.2.2.1 About Global Session Enforcement Checks
- 17.2.2.2 About Session Removal
- 17.2.2.3 About Step-Up and Step-Down Authentication and Credentials
- 17.2.2.4 About Optional Application-Specific Session Enforcement
- 17.2.2.5 About Timeout with Multiple-Agent Types: OSSO and OAM Agents
- 17.2.2.6 About OpenSSO Agents
- 17.2.3 Access Manager Sessions and the Role of Oracle Coherence
- 17.3 Server-Side Session Enforcement Examples
- 17.4 Configuring the Server-Side Session Lifecycle
- 17.5 Managing Active Server-Side Sessions
- 17.6 Verifying Server-Side Session Operations
- 17.7 Understanding Client-Side Session Management
- 17.8 Using WLST To Configure Session Management
- Part V Managing Access Manager SSO, Policies, and Testing
- 18 Understanding Single Sign-On with Access Manager
- 18.1 Introducing Access Manager Single Sign-On
- 18.2 Understanding the Access Manager Policy Model
- 18.3 Anatomy of an Application Domain and Policies
- 18.4 Introduction to Policy Conditions and Rules
- 18.5 Introducing Access Manager Credential Collection and Login
- 18.6 Understanding SSO Cookies
- 18.7 Introduction to Configuration Tasks for Single Sign-On
- 19 Managing Authentication and Shared Policy Components
- 19.1 Prerequisites
- 19.2 Understanding Authentication and Shared Policy Component Tasks
- 19.3 Managing Resource Types
- 19.4 Managing Host Identifiers
- 19.5 Understanding Authentication Methods and Credential Collectors
- 19.6 Managing Native Authentication Modules
- 19.7 Orchestrating Multi-Step Authentication with Plug-in Based Modules
- 19.7.1 Comparing Simple Form and Multi-Factor (Multi-Step) Authentication
- 19.7.2 About Plug-ins for Multi-Step Authentication Modules
- 19.7.3 About Plug-in Based Modules for Multi-Step Authentication
- 19.7.4 Example: Leveraging SubjectAltName Extension Data and Integrating with Multiple OCSP Endpoints
- 19.7.5 Creating and Orchestrating Plug-in Based Multi-Step Authentication Modules
- 19.7.6 Creating and Managing Step-Up Authentication
- 19.7.7 Configuring an HTTPToken Extractor Plug-in
- 19.7.8 Configuring a JSON Web Token Plug-in
- 19.8 Deploying and Managing Individual Plug-ins for Authentication
- 19.9 Managing Authentication Schemes
- 19.10 Extending Authentication Schemes with Advanced Rules
- 19.11 Configuring Challenge Parameters for Encrypted Cookies
- 19.12 Understanding Password Policy
- 19.13 Managing Global Password Policy
- 19.14 Configuring Password Policy Authentication
- 19.15 Configuring 11g WebGates and Authentication Policy for DCC
- 19.16 Completing Password Policy Configuration
- 19.17 Configuring Authentication POST Data Handling
- 19.18 Long URL Handling During Authentication
- 19.19 Using Application Initiated Authentication
- 19.20 Using the Adaptive Authentication Service
- 19.20.1 Understanding the Adaptive Authentication Service
- 19.20.2 Configuring Access Manager for Two-Factor Authentication
- 19.20.3 Configuring the Oracle Mobile Authenticator App
- 19.20.3.1 Understanding Oracle Mobile Authenticator Configuration
- 19.20.3.2 Configuring the Oracle Mobile Authenticator App on iOS
- 19.20.3.2.1 Configuring OMA on iOS Using the Online Option
- 19.20.3.2.2 Configuring OMA on iOS Using the Offline Option
- 19.20.3.2.3 Copying a One-Time Password from the Oracle Mobile Authenticator
- 19.20.3.2.4 Editing an Account on the Oracle Mobile Authenticator
- 19.20.3.2.5 Deleting an Account on the Oracle Mobile Authenticator
- 19.20.3.3 Configuring the Oracle Mobile Authenticator App on Android
- 19.20.3.3.1 Configuring OMA on Android Using the Online Option
- 19.20.3.3.2 Configuring OMA on Android Using the Offline Option
- 19.20.3.3.3 Copying a One-Time Password from the Oracle Mobile Authenticator
- 19.20.3.3.4 Editing an Account on the Oracle Mobile Authenticator
- 19.20.3.3.5 Deleting an Account on the Oracle Mobile Authenticator
- 19.20.4 Configuring the Google Authenticator App
- 20 Managing Policies to Protect Resources and Enable SSO
- 20.1 Prerequisites
- 20.2 Introduction to Application Domain and Policy Creation
- 20.3 Understanding Application Domain and Policy Management
- 20.4 Managing Application Domains and Policies Using the Console
- 20.5 Configuring Policy Ordering
- 20.6 Adding and Managing Policy Resource Definitions
- 20.6.1 Defining Resources in an Application Domain
- 20.6.1.1 About the Resource Type in a Resource Definition
- 20.6.1.2 About the Host Identifier in a Resource Definition
- 20.6.1.3 About the Resource URL, Prefixes, and Patterns
- 20.6.1.4 About Query String Name and Value Parameters for Resource Definitions
- 20.6.1.5 About Literal Query Strings in Resource Definitions
- 20.6.1.6 About Run Time Resource Evaluation
- 20.6.2 Defining Resources in an Application Domain
- 20.6.3 Searching for a Resource Definition
- 20.6.4 Viewing, Editing, or Deleting a Resource Definition
- 20.7 Defining Authentication Policies for Specific Resources
- 20.8 Defining Authorization Policies for Specific Resources
- 20.9 Introduction to Policy Responses for SSO
- 20.9.1 About Authentication and Authorization Policy Responses for SSO
- 20.9.2 About the Policy Response Language
- 20.9.3 About the Namespace and Variable Names for Policy Responses
- 20.9.4 About Constructing a Policy Response for SSO
- 20.9.5 About Policy Response Processing
- 20.9.6 About Assertion Claims and Processing
- 20.10 Adding and Managing Policy Responses for SSO
- 20.11 Introduction to Authorization Policy Rules and Conditions
- 20.12 Defining Authorization Policy Conditions
- 20.13 Defining Authorization Policy Rules
- 20.14 Validating Authentication and Authorization in an Application Domain
- 20.15 Understanding Remote Policy and Application Domain Management
- 20.16 Managing Policies and Application Domains Remotely
- 20.17 Defining an Application
- 21 Validating Connectivity and Policies Using the Access Tester
- 21.1 Prerequisites
- 21.2 Introduction to the Access Tester for Access Manager 11g
- 21.3 Installing and Starting the Access Tester
- 21.4 Introduction to the Access Tester Console and Navigation
- 21.5 Testing Connectivity and Policies from the Access Tester Console
- 21.5.1 Establishing a Connection Between the Access Tester and the OAM Server
- 21.5.2 Validating Resource Protection from the Access Tester Console
- 21.5.3 Testing User Authentication from the Access Tester Console
- 21.5.4 Testing User Authorization from the Access Tester Console
- 21.5.5 Observing Request Latency
- 21.6 Creating and Managing Test Cases and Scripts
- 21.7 Evaluating Scripts, Log File, and Statistics
- 22 Configuring Centralized Logout for Sessions Involving 11g WebGates
- Part VI Registering and Using Agents with Access Manager
- 23 Registering and Managing Legacy OpenSSO Agents
- 23.1 Introduction to OpenSSO, Agents, Migration and Co-existence
- 23.2 Runtime Processing Between OpenSSO Agents and Access Manager
- 23.3 Understanding OpenSSO Agent Registration Parameters
- 23.4 Registering and Managing OpenSSO Agents Using the Console
- 23.5 Performing Remote Registration for OpenSSO Agents
- 23.6 Updating Registered OpenSSO Agents Remotely
- 23.7 Locating Other OpenSSO Agent Information
- 24 Registering and Managing Legacy OSSO Agents
- 24.1 Understanding OSSO Agents with Access Manager
- 24.2 Registering OSSO Agents Using Oracle Access Management Console
- 24.3 Configuring and Managing Registered OSSO Agents Using the Console
- 24.4 Performing Remote Registration for OSSO Agents
- 24.5 Updating Registered OSSO Agents Remotely
- 24.6 Configuring Logout for OSSO Agents with Access Manager 11.1.2
- 24.7 Locating Other OSSO Agent Information
- 25 Registering and Managing 10g WebGates with Access Manager 11g
- 25.1 Prerequisites
- 25.2 Introduction to 10g OAM Agents for Access Manager 11g
- 25.2.1 About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager
- 25.2.2 About Legacy Oracle Access Manager 10g Deployments and WebGates
- 25.2.3 About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2
- 25.2.4 About Centralized Logout with 10g OAM Agents and 11g OAM Servers
- 25.3 Comparing Access Manager 11.1.2 and 10g
- 25.4 Configuring Centralized Logout for IAMSuiteAgent
- 25.5 Registering a 10g WebGate with Access Manager 11g Remotely
- 25.6 Managing 10g OAM Agents Remotely
- 25.7 Locating and Installing the Latest 10g WebGate for Access Manager 11g
- 25.7.1 Preparing for a Fresh 10g WebGate Installation with Access Manager 11g
- 25.7.2 Locating and Downloading 10g WebGates for Use with Access Manager 11g
- 25.7.3 Starting WebGate 10g Installation
- 25.7.4 Specifying a Transport Security Mode
- 25.7.5 Requesting or Installing Certificates for Secure Communications
- 25.7.6 Specifying WebGate Configuration Details
- 25.7.7 Updating the WebGate Web Server Configuration
- 25.7.8 Finishing WebGate Installation
- 25.7.9 Installing Artifacts and Certificates
- 25.7.10 Confirming WebGate Installation
- 25.8 Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
- 25.9 Removing a 10g WebGate from the Access Manager 11g Deployment
- 26 Configuring Apache, OHS, IHS for 10g WebGates
- 26.1 Prerequisites
- 26.2 About Oracle HTTP Server and Access Manager
- 26.3 About Access Manager with Apache and IHS v2 Webgates
- 26.4 About Apache v2 Architecture and Access Manager
- 26.5 Requirements for Oracle HTTP Server, IHS, Apache v2 Web Servers
- 26.6 Preparing Your Web Server
- 26.6.1 Preparing the IHS v2 Web Server
- 26.6.2 Preparing Apache and Oracle HTTP Server Web Servers on Linux
- 26.6.3 Preparing Oracle HTTP Server Web Servers on Linux and Windows Platforms
- 26.6.4 Setting Oracle HTTP Server Client Certificates
- 26.6.5 Preparing the Apache v2 Web Server on UNIX
- 26.6.6 Preparing the Apache v2 SSL Web Server on AIX
- 26.6.7 Preparing the Apache v2 Web Server on Windows
- 26.7 Activating Reverse Proxy for Apache v2 and IHS v2
- 26.8 Verifying httpd.conf Updates for Webgates
- 26.9 Tuning Oracle HTTP Server Webgates for Access Manager
- 26.10 Tuning OHS/Apache Prefork and Worker MPM Modules for OAM
- 26.11 Starting and Stopping Oracle HTTP Server Web Servers
- 26.12 Tuning Apache/IHS v2 Webgates for Access Manager
- 26.13 Removing Web Server Configuration Changes After Uninstall
- 26.14 Helpful Information
- 27 Configuring the ISA Server for 10g WebGates
- 27.1 Prerequisites
- 27.2 About Access Manager and the ISA Server
- 27.3 Compatibility and Platform Support
- 27.4 Installing and Configuring Webgate for the ISA Server
- 27.5 Configuring the ISA Server for the ISAPI Webgate
- 27.6 Starting, Stopping, and Restarting the ISA Server
- 27.7 Removing Access Manager Filters Before Webgate Uninstall on ISA Server
- 28 Configuring the IIS Web Server for 10g WebGates
- 28.1 Prerequisites
- 28.2 Webgate Guidelines for IIS Web Servers
- 28.3 Prerequisite for Installing Webgate for IIS 7
- 28.4 Updating IIS 7 Web Server Configuration on Windows 2008
- 28.5 Completing Webgate Installation with IIS
- 28.5.1 Enabling Client Certificate Authentication on the IIS Web Server
- 28.5.2 Ordering the ISAPI Filters
- 28.5.3 Enabling Pass-Through Functionality for POST Data
- 28.5.4 Protecting a Web Site When the Default Site is Not Setup
- 28.6 Installing and Configuring Multiple 10g Webgates for a Single IIS 7 Instance
- 28.6.1 Installing Each IIS 7 Webgate in a Multiple Webgate Scenario
- 28.6.2 Setting the Impersonation DLL for Multiple IIS 7 Webgates
- 28.6.3 Enabling Client Certification for Multiple IIS 7 Webgates
- 28.6.4 Configuring IIS 7 Webgates for Pass Through Functionality
- 28.6.5 Confirming IIS 7 Webgate Installation
- 28.7 Installing and Configuring Multiple Webgates for a Single IIS 6 Instance
- 28.8 Finishing 64-bit Webgate Installation
- 28.9 Confirming Webgate Installation on IIS
- 28.10 Starting, Stopping, and Restarting the IIS Web Server
- 28.11 Removing Web Server Configuration Changes Before Uninstall
- 29 Configuring Lotus Domino Web Servers for 10g WebGates
- Part VII Managing Oracle Access Management Identity Federation
- 30 Introducing Identity Federation in Oracle Access Management
- 30.1 Understanding Identity Federation Concepts
- 30.2 Integrating Identity Federation with Access Manager
- 30.3 Deploying Identity Federation with Oracle Access Management
- 30.4 Exchanging Identity Federation Data
- 30.5 Understanding How Identity Federation Works
- 30.6 Using Identity Federation
- 30.7 Administrating Identity Federation
- 30.8 Enabling Identity Federation
- 31 Managing Identity Federation Partners
- 31.1 Understanding Federation And Partners
- 31.2 Managing Federation Partners
- 31.3 Administering Identity Federation As A Service Provider
- 31.4 Administering Identity Federation As An Identity Provider
- 31.5 Using Attribute Mapping Profiles
- 31.6 Mapping Federation Authentication Methods to Access Manager Authentication Schemes
- 31.7 Using the Attribute Sharing Plug-in for the Attribute Query Service
- 31.8 Using the Federation Proxy
- 31.9 Using WLST for Identity Federation Administration
- 32 Managing Settings for Identity Federation
- 32.1 Prerequisites
- 32.2 Introduction to Federation Settings
- 32.3 Managing General Federation Settings
- 32.4 Managing Proxy Settings for Federation
- 32.5 Defining Keystore Settings for Federation
- 32.6 Exporting Metadata
- 33 Managing Federation-related Schemes and Policies
- 33.1 Prerequisites
- 33.2 Using Identity Federation and Access Manager in Concert Together
- 33.3 Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.2)
- 33.4 Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1
- 33.5 Managing Access Manager Policies for Use with Identity Federation
- 33.6 Testing Identity Federation Configuration
- 33.7 Using the Default Identity Provisioning Plug-in
- 33.8 Configuring the Identity Provider Discovery Service
- 33.9 Configuring the Federation User Self-Registration Module
- Part VIII Managing Oracle Access Management Security Token Service
- 34 Introducing the Oracle Access Management Security Token Service
- 34.1 Understanding the Security Token Service
- 34.2 Using the Security Token Service
- 34.3 Security Token Service Key Terms and Concepts
- 34.4 Integrating the Oracle Web Services Manager
- 34.5 Architecting the Security Token Service
- 34.6 Security Token Service Supported Token Matrix
- 34.7 Deploying Security Token Service
- 34.8 Installing Security Token Service
- 34.8.1 Security Token Service Cluster in Single WLS Domain
- 34.8.2 Endpoint Exposure through a Web Server Proxy
- 34.8.3 Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients
- 34.8.4 Security Token Service Installation Overview
- 34.8.5 Post-Installation Tasks: Security Token Service
- 34.9 Administrating the Security Token Service
- 35 Security Token Service Implementation Scenarios
- 36 Configuring Security Token Service Settings
- 36.1 Prerequisites
- 36.2 Introduction to Security Token Service Configuration
- 36.3 Enabling and Disabling Security Token Service
- 36.4 Defining Security Token Service Settings
- 36.5 Using and Managing WSS Policies for Oracle WSM Agents
- 36.6 Configuring OWSM for WSS Protocol Communication
- 36.6.1 About Oracle WSM Agent WS-Security Policies for Security Token Service
- 36.6.2 Retrieving the Oracle WSM Keystore Password
- 36.6.3 Extracting the Oracle STS/Oracle WSM Signing and Encryption Certificate
- 36.6.4 Adding Trusted Certificates to the Oracle WSM Keystore
- 36.6.5 Validating Trusted Certificates in the Oracle WSM Keystore
- 36.6.6 Configuring Oracle WSM Agent for WSS Kerberos Policies
- 36.7 Managing and Migrating Security Token Service Policies
- 36.8 Logging Security Token Service Messages
- 36.9 Auditing the Security Token Service
- 37 Managing Security Token Service Certificates and Keys
- 37.1 Prerequisites
- 37.2 Introducing the Security Token Service Certificates and Keys
- 37.3 Managing Security Token Service Encryption/Signing Keys
- 37.4 Managing Partner Keys for WS-Trust Communications
- 37.5 Managing Certificate Validation
- 38 Managing Templates, Endpoints, and Policies
- 38.1 Introduction
- 38.2 Searching for an Existing Template
- 38.3 Managing Token Issuance Templates
- 38.4 Managing Token Validation Templates
- 38.5 Managing Security Token Service Endpoints
- 38.6 Managing Token Issuance Policies, Conditions, and Rules
- 38.7 Managing TokenServiceRP Type Resources
- 38.8 Making Custom Classes Available
- 38.9 Managing a Custom Security Token Service Configuration
- 39 Managing Token Service Partners and Partner Profiles
- 40 Troubleshooting Security Token Service
- Part IX Managing Oracle Access Management Mobile and Social
- 41 Understanding Mobile and Social
- 42 Configuring Mobile Services
- 42.1 Opening the Mobile Services Configuration Page
- 42.2 Understanding Mobile Services Configuration
- 42.3 Defining Service Providers
- 42.3.1 Defining, Modifying or Deleting an Authentication Service Provider
- 42.3.1.1 Understanding the Pre-Configured Authentication Service Providers
- 42.3.1.2 Understanding the JWT-OAM Token Authentication Service Provider
- 42.3.1.3 Creating an Authentication Service Provider
- 42.3.1.4 Editing or Deleting an Authentication Service Provider
- 42.3.1.5 Requiring User Credentials to Exchange a JWT Token for an OAM Token
- 42.3.1.6 Configuring OAM to use the JWT-OAM + PIN Token Service Provider
- 42.3.2 Defining, Modifying or Deleting an Authorization Service Provider
- 42.3.3 Defining, Modifying or Deleting a User Profile Service Provider
- 42.4 Defining Service Profiles
- 42.5 Defining Security Handler Plug-ins
- 42.6 Defining Application Profiles
- 42.7 Defining Service Domains
- 42.8 Using the Jail Breaking Detection Policy
- 42.9 Configuring Mobile Services with Other Oracle Products
- 42.9.1 Configuring Mobile Services for Access Manager
- 42.9.1.1 Configuring Mobile Services to Work With Access Manager in Simple and Certificate Mode
- 42.9.1.2 Configuring an Authentication Service Provider for Remote Oracle Access Manager Server 10g
- 42.9.1.3 Configuring an Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1
- 42.9.2 Configuring Mobile Services for Oracle Adaptive Access Manager
- 42.9.2.1 Understanding OAAM Support in Mobile and Social
- 42.9.2.2 Configuring the WebLogic Administration Domain
- 42.9.2.3 Configuring OAAM if Social Identity Authentication is Enabled in Mobile Services
- 42.9.2.4 Setting up a Lost or Stolen Device Rule
- 42.9.2.5 Configuring Blacklisted Devices and Applications
- 42.9.2.6 Understanding the OAAM Sessions for Mobile Applications
- 42.9.2.7 Registering Users for OAAM Authentication
- 43 Configuring Social Identity
- 43.1 Opening the Social Identity Configuration Page
- 43.2 Understanding Social Identity Configuration
- 43.3 Defining Social Identity Providers
- 43.3.1 Creating a Social Identity Provider
- 43.3.2 Editing or Deleting a Social Identity Provider
- 43.3.3 Generating the Consumer Key and Consumer Secret for OAuth Providers
- 43.3.3.1 Generating a Consumer Key and Consumer Secret for Facebook
- 43.3.3.2 Generating a Consumer Key and Consumer Secret for Twitter
- 43.3.3.3 Generating a Consumer Key and Consumer Secret for LinkedIn
- 43.3.3.4 Generating a Consumer Key and Consumer Secret for Foursquare
- 43.3.3.5 Generating a Consumer Key and Consumer Secret for Windows Live
- 43.3.3.6 Generating a Consumer Key and Consumer Secret for Google
- 43.3.4 Troubleshooting Facebook Social Identity Providers
- 43.4 Defining Service Provider Interfaces
- 43.5 Defining Application Profiles
- 43.6 Integrating Social Identity With Mobile Applications
- 43.7 Linking Social Identity Provider Accounts
- 44 Configuring Mobile and Social System Settings
- 44.1 Accessing the Mobile and Social Settings Interface
- 44.2 Logging and Auditing
- 44.3 Deploying Mobile and Social With Oracle Access Manager
- 44.4 Configuring Mobile and Social After Running Test-to-Production Scripts
- 44.5 Configuring Mobile and Social for High Availability (HA)
- 44.6 Enabling the REST Client to Specify the Tenant Name
- Part X Managing the Oracle Access Management OAuth Service
- 45 Understanding the OAuth Service
- 45.1 Introducing the OAuth Service
- 45.2 Understanding the OAuth Service
- 45.2.1 Understanding OAuth 2.0 Roles
- 45.2.2 Understanding the OAuth Service Components
- 45.2.3 Understanding the OAuth Service Supported Features
- 45.2.4 The Mobile OAuth Authorization Flow
- 45.2.5 Understanding the OAuth Service Authorization and Authentication Endpoints
- 45.2.6 Understanding Refresh Tokens
- 45.2.7 Understanding the Mobile OAuth Client UI Form Factor Options
- 45.2.8 Understanding Mobile OAuth Single Sign-on (SSO)
- 45.3 Understanding the OAuth Service Processes
- 46 Configuring OAuth Services
- 46.1 Enabling OAuth Services
- 46.2 Opening the OAuth Services Configuration Page
- 46.3 Understanding OAuth Services Configuration
- 46.3.1 Understanding OAuth Identity Domains Configuration
- 46.3.2 Understanding OAuth Service Provider Configuration
- 46.3.3 Understanding OAuth Service Profiles Configuration
- 46.3.4 Understanding OAuth Resource Servers Configuration
- 46.3.5 Understanding OAuth Client Profiles Configuration
- 46.3.6 Understanding OAuth Consent Management Service Configuration
- 46.3.7 Understanding OAuth Access Token Custom Attributes
- 46.3.8 Understanding OAuth Services Security
- 46.4 Configuring OAuth Services Settings
- 46.4.1 Configuring OAuth Identity Domains
- 46.4.2 Configuring OAuth Service Profiles
- 46.4.3 Configuring OAuth Clients
- 46.4.4 Configuring the OAuth Service Provider
- 46.4.5 Configuring OAuth Resource Servers
- 46.4.6 Configuring User Profile Services
- 46.4.7 Configuring OAuth Consent Management Services
- 46.4.8 Configuring OAuth Plug-Ins
- 46.4.9 Configuring OAuth Server Settings
- 46.4.10 Configuring the OAuth Services Jail Breaking Detection Policy
- 46.4.11 Configuring Token Life Cycle Management
- 46.5 Configuring OAuth to Accept Third-Party JWT Bearer Assertions
- 46.6 Configuring a WebGate to Support the OAuth Service
- Part XI Managing Oracle Access Management Oracle Access Portal
- 47 Configuring the Access Portal Service
- 47.1 Prerequisites for Deploying the Access Portal Service
- 47.2 Overview of the Access Portal Service Deployment Process
- 47.3 Deploying the Access Portal Service
- 47.3.1 Deploying the Java Cryptography Extension Policy Files
- 47.3.2 Creating the Identity Store Configuration File
- 47.3.3 Creating the Oracle Access Manager Configuration File
- 47.3.4 Understanding the Access Portal Service Repository Objects
- 47.3.5 Preparing and Enabling the Access Portal Service on an Oracle Repository
- 47.3.6 Preparing and Enabling the Access Portal Service on Microsoft Active Directory
- 47.3.7 (Active Directory Only) Deploying the OAMAgent Web Application
- 47.3.8 Setting the Policy Cache Refresh Interval
- 47.3.9 Integrating with Oracle Privilege Account Manager
- 47.3.10 Deploying the Oracle Traffic Director Administration Server
- 47.3.11 Deploying the Webgate Binaries and Secure Trust Artifacts
- 47.3.12 (Optional) Configuring the ESSOProvisioning Plugin
- 47.3.13 Creating an Oracle Traffic Director Configuration
- 47.3.14 Protecting the Oracle Traffic Director Instance with the Webgate and Access Proxy Plugins
- 47.3.15 (Optional) Enabling the Detached Credential Collector for the Target Webgate
- 47.3.16 Configuring Logon Manager for Compatibility with the Access Portal Service
- 47.4 Enabling Form-Fill Single Sign-On for an Application
- 47.5 Adding a Federated Partner Provider Application
- 47.6 Adding an Oracle SSO Agent Application
- 47.7 Common Interface Controls
- 47.8 Managing Password Generation Policies
- 47.9 Managing Credential Sharing Groups
- 47.10 Managing Global Agent Settings
- Part XII Using Identity Context
- 48 Using Identity Context
- 48.1 Introducing Identity Context
- 48.2 Understanding Identity Context
- 48.3 Working With the Identity Context Service
- 48.4 Using the Identity Context API
- 48.5 Configuring the Identity Context Service Components
- 48.5.1 Configuring Oracle Fusion Middleware
- 48.5.2 Configuring Access Manager
- 48.5.3 Configuring Oracle Adaptive Access Manager
- 48.5.4 Configuring Web Service Security Manager
- 48.5.5 Configuring Oracle Entitlements Server
- 48.5.6 Configuring Oracle Enterprise Single Sign On
- 48.5.7 Configuring Oracle Access Management Mobile and Social
- 48.6 Validating Identity Context
- Part XIII Integrating Access Manager with Other Products
- 49 Integrating RSA SecurID Authentication with Access Manager
- 50 Configuring Access Manager for Windows Native Authentication
- 50.1 Introducing Access Manager with Windows Native Authentication
- 50.2 Preparing Your Active Directory/Kerberos Topology
- 50.3 Performing Oracle-Specific Prerequisite Tasks
- 50.4 Enabling the Browser to Return Kerberos Tokens
- 50.5 Integrating KerberosPlugin with Oracle Virtual Directory
- 50.6 Integrating Access Manager KerberosPlugin with Search Failover
- 50.7 Configuring Access Manager for Windows Native Authentication
- 50.8 Validating WNA with Access Manager-Protected Resources
- 50.9 Configuring WNA For Use With DCC
- 50.10 Configuring Access for Multiple Untrusted Active Directory Forests
- 50.10.1 Create Service Principal Accounts
- 50.10.2 Generating a Master Keytab File
- 50.10.3 Configuring the krb5.conf File
- 50.10.4 Validating Access to the KDC Servers Using the Keytabs
- 50.10.5 Creating the Active Directory or Oracle Virtual Directory User Stores
- 50.10.6 Creating the Custom Kerberos Authentication Module
- 50.10.7 Configuring Integrated Windows Authentication
- 50.10.8 Testing the Configurations
- 50.10.9 Troubleshooting the Configurations
- 50.11 Troubleshooting WNA Configuration
- 51 Integrating JBoss with Access Manager
- 51.1 Introduction to JBoss with Access Manager
- 51.2 Integration Topology
- 51.3 Preparing Your Environment for JBoss Integration
- 51.4 Protecting JBoss-Specific Resources
- 51.5 Protecting Web Applications with the JBoss Agent
- 51.6 Configuring JBoss Server to Access a Host Name (not localhost)
- 51.7 Configuring the Login Module to Secure EJBs
- 51.8 Configuring the Login Module to Secure Web Service Access
- 51.9 Configuring Logging for the JBoss Agent and Login Module
- 51.10 Validating Your Configuration
- 52 Integrating Microsoft SharePoint Server with Access Manager
- 52.1 What is Supported in This Release?
- 52.2 Introduction to Integrating With the SharePoint Server
- 52.3 Integration Requirements
- 52.4 Preparing for Integration With SharePoint Server
- 52.5 Integrating With Microsoft SharePoint Server
- 52.6 Setting Up Microsoft Windows Impersonation
- 52.7 Completing the SharePoint Server Integration
- 52.8 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
- 52.8.1 About Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
- 52.8.2 Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider
- 52.8.3 Configuring an Authentication Scheme for Use With LDAP Membership Provider
- 52.8.4 Updating the Application Domain Protecting the SharePoint Web Site
- 52.8.5 Creating an Authorization Response for Header Variable SP_SSO_UID
- 52.8.6 Creating an Authorization Response for the OAMAuthCookie
- 52.8.7 Configuring and Deploying OAMCustomMembershipProvider
- 52.8.8 Enabling Logging for CustomMemberShipProvider
- 52.8.9 Ensuring Directory Servers are Synchronized
- 52.8.10 Testing the Integration
- 52.9 Configuring Single Sign-On for Office Documents
- 52.10 Configuring Single Sign-off for Microsoft SharePoint Server
- 52.11 Setting Up Access Manager and Windows Native Authentication
- 52.12 Synchronizing User Profiles Between Directories
- 52.13 Testing Your Integration
- 52.14 Troubleshooting
- 53 Integrating Access Manager with Outlook Web Application
- 53.1 What is New in This Release?
- 53.2 Introduction to Integration with Outlook Web Application
- 53.3 Enabling Impersonation With a Header Variable
- 53.3.1 Requirements for Impersonation with a Header Variable
- 53.3.2 Creating an Impersonator as a Trusted User
- 53.3.3 Assigning Rights to the Trusted User
- 53.3.4 Binding the Trusted User to Your Webgate
- 53.3.5 Adding an Impersonation Response to An Application Domain
- 53.3.6 Adding an Impersonation DLL to IIS
- 53.3.7 Testing Impersonation
- 53.4 Setting Up Impersonation for Outlook Web Application (OWA)
- 53.4.1 Prerequisites to Setting Impersonation for Outlook Web Application
- 53.4.2 Creating a Trusted User Account for Outlook Web Application
- 53.4.3 Assigning Rights to the Outlook Web Application Trusted User
- 53.4.4 Binding the Trusted Outlook Web Application User to Your Webgate
- 53.4.5 Adding an Impersonation Action to an Application Domain for Outlook Web Application
- 53.4.6 Adding an Impersonation dll to IIS
- 53.4.7 Configuring IIS Security
- 53.4.8 Testing Impersonation for Outlook Web Application
- 53.5 Setting Up Access Manager WNA for Outlook Web Application
- 54 Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager
- 54.1 What is New in This Release?
- 54.2 Introduction to Integration with TMG Server 2010
- 54.3 Creating a Forefront TMG Policy and Rules
- 54.4 Installing and Configuring 10g Webgate for Forefront TMG Server
- 54.5 Configuring the TMG 2010 Server for the ISAPI 10g Webgate
- 54.6 Starting, Stopping, and Restarting the TMG Server
- 54.7 Removing Access Manager Filters Before WebGate Uninstall on TMG Server
- 54.8 Troubleshooting
- 55 Integrating Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal
- 55.1 What is Supported in This Release?
- 55.2 Supported Versions and Platforms
- 55.3 Integration Architecture
- 55.4 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x
- 55.5 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x
- 55.6 Testing the Integration
- 55.7 Troubleshooting the Integration
- 56 Integrating Oracle Access Manager 11.1.2 with SAP NetWeaver Enterprise Portal Using OpenSSO Policy Agent 2.2
- 56.1 What is Supported in This Release?
- 56.2 Registering the OpenSSO Agent
- 56.3 Installing the OpenSSO Policy Agent 2.2 on SAP Enterprise Portal
- 56.4 Deploying the Agent Software Delivery Archive
- 56.5 Making a Class Loader Reference to the Login Module
- 56.6 Modifying the SAP Enterprise Portal 7.0 / Web Application Server 7.0 Class Path
- 56.7 Deploying and Starting the Agentapp.war File
- 56.8 Using Telnet to Create a Reference Between agentapp and Library AmSAPAgent2.2
- 56.9 Adding the Login Module to the Stack
- 56.10 Modifying the Login Module Stack
- 56.11 Updating the ume.logoff.redirect.uri
- 56.12 Configuring the AMAgent.properties File
- 56.13 Testing the Integration
- Part XIV Appendixes
- A.1 Introducing Oracle Platform Security Services and Oracle Application Developer Framework
- A.2 Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
- A.3 Configuring Centralized Logout for Oracle ADF-Coded Applications
- A.4 Confirming Application-Driven Authentication During Runtime
- B.1 Introduction to Internationalization and Multibyte Data Support
- C.1 Prerequisites
- C.2 Securing Communication Between OAM Servers and WebGates
- C.3 Generating Client Keystores for OAM Tester in Cert Mode
- C.4 Configuring Cert Mode Communication for Access Manager
- C.4.1 About Cert Mode Encryption and Files
- C.4.2 Generating a Certificate Request and Private Key for OAM Server
- C.4.3 Retrieving the OAM Keystore Alias and Password
- C.4.4 Importing the Trusted, Signed Certificate Chain Into the Keystore
- C.4.5 Adding Certificate Details to Access Manager Settings
- C.4.6 Generating a Private Key and Certificate Request for WebGates
- C.4.7 Updating WebGate to Use Certificates
- C.5 Configuring Simple Mode Communication with Access Manager
- D.1 Bundled 10g IAMSuiteAgent Artifacts
- D.2 Generated Artifacts: OpenSSO
- D.2.1 Generated OpenSSOAgentAuthPlugin
- D.2.2 Generated Host Identifier: OpenSSOAgent
- D.2.3 Generated Application Domain: OpenSSOAgent
- D.2.4 Generated Resources: OpenSSOAgent
- D.2.5 Generated Authentication Policy: OpenSSOAgent Application Domain
- D.2.6 Generated Authorization Policy: OpenSSOAgent Application Domain
- D.3 Migrated Artifacts: OpenSSO
- D.3.1 Migrated User Identity Store: OpenSSO
- D.3.2 Migrated Agents: OpenSSO
- D.3.3 Migrated Authentication Module: OpenSSO
- D.3.4 Migrated Host Identifier: OpenSSO
- D.3.5 Migrated Application Domain: OpenSSO
- D.3.6 Migrated Resources: OpenSSO
- D.3.7 Migrated Authentication Policy: OpenSSO
- D.3.8 Migrated Authorization Policy: OpenSSO
- E.1 Introduction to Oracle Access Management Troubleshooting
- E.1.1 About System Analysis and Problem Scenarios
- E.1.2 About LDAP Server or Identity Store Issues
- E.1.3 About OAM Server or Host Issues
- E.1.4 About Agent-Side Configuration and Load Issues
- E.1.5 About Runtime Database (Audit or Session Data) Issues
- E.1.6 About Change Propagation or Activation Issues
- E.1.7 About Policy Store Database Issues
- E.2 Using My Oracle Support for Additional Troubleshooting Information
- E.3 Administrator Lockout
- E.4 Oracle Access Management Console Inconsistent State
- E.5 AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
- E.6 Agent Naming Not Unique
- E.7 Application URL Requirements
- E.8 Authentication Issues
- E.9 Authorization Issues
- E.10 Cannot Access Authentication LDAP or Database
- E.11 Cannot Find Configuration
- E.12 Co-existence Between OSSO and Access Manager
- E.13 Could Not Find Partial Trigger
- E.14 Denial of Service Attacks
- E.15 Deployments with Freshly Installed 10g Webgates
- E.16 Diagnosing Initialization and Performance Issues
- E.17 Disabling Windows Challenge/Response Authentication on IIS Web Servers
- E.18 Changing UserIdentityStore1 Type Can Lock Out Administrators
- E.19 IIS Web Server Issues
- E.20 Import and File Upload Limits
- E.21 jps Logger Class Instantiation Warning is Logged on Authentication
- E.22 Internationalization, Languages, and Translation
- E.23 Login Failure for a Protected Page
- E.24 OAM Metric Persistence Timer IllegalStateException: SafeCluster
- E.25 Partial Cluster Failure and Intermittent Login and Logout Failures
- E.26 RSA SecurID Issues and Logs
- E.27 Registration Issues
- E.28 Rowkey does not have any primary key attributes Error
- E.29 SELinux Issues
- E.30 Session Issues
- E.31 SSL versus Open Communication
- E.32 Start Up Issues
- E.33 Synchronizing OAM Server Clocks
- E.34 Using Coherence
- E.35 Validation Errors
- E.36 Web Server Issues
- E.36.1 Server Fails on an Apache Web Server
- E.36.2 Apache v2 on HP-UX
- E.36.3 Apache v2 Bundled with Red Hat Enterprise Linux 4
- E.36.4 Apache v2 Bundled with Security-Enhanced Linux
- E.36.5 Apache v2 on UNIX with the mpm_worker_module for Webgate
- E.36.6 Domino Web Server Issues
- E.36.7 Errors, Loss of Access, and Unpredictable Behavior
- E.36.8 Known Issues for ISA Web Server
- E.36.9 Oracle HTTP Server Fails to Start with LinuxThreads
- E.36.10 Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
- E.36.11 Oracle HTTP Server Web Server Configuration File Issue
- E.36.12 Issues with IIS v6 Web Servers
- E.36.13 PCLOSE Error When Starting Sun Web Server
- E.36.14 Removing and Reinstalling IIS DLLs
- E.37 Windows Native Authentication